In November 2025, one of the largest and most alarming data breaches in Internet history came to light: approximately 3.5 billion phone numbers associated with WhatsApp accounts were obtained through mass enumeration of WhatsApp’s contact discovery feature. The magnitude of the incident, combined with how easily the data could be collected, generated global concern among cybersecurity experts, digital privacy advocates, and users of WhatsApp, the world’s most widely used messaging application.
Although Meta—the company that owns WhatsApp—applied a patch to prevent the vulnerability from being exploited further, the data already collected could circulate indefinitely in private databases, underground forums, or even among organized cybercrime groups. This article analyzes the details of the incident, how it was possible, the real risks it poses to users, and, above all, what users can do to protect their privacy and reduce their exposure while continuing to use WhatsApp.

The Origin of the Problem: A Legitimate Feature Used on a Massive Scale
1. The Contact Discovery Feature
WhatsApp, like many messaging applications, uses a system called contact discovery. This mechanism allows WhatsApp, when a user installs the app and syncs their contacts, to automatically verify which phone numbers on that list have an active account on the WhatsApp platform.
The feature is designed to make it easy to reach acquaintances, but it is also sensitive from a privacy perspective: to check whether a number is registered, WhatsApp must consult its user database, which makes this internal feature a critical point when evaluating the platform’s security and data handling.
2. How Was the Feature Exploited?
A group of researchers from European universities set out to analyze the behavior of WhatsApp’s system. For their experiment, they generated millions of random phone numbers, built from international ranges, national prefixes, and realistic numeric patterns, and systematically queried the WhatsApp service to verify whether those numbers were registered on the platform.
What they discovered was surprising: they could send queries on a massive scale, without strict limits, without being blocked, and without using advanced techniques. With just five WhatsApp accounts behind a single IP address, they performed millions of verifications in a few hours, demonstrating how easily WhatsApp could be enumerated at the time.
3. The Scale: 3.5 Billion Numbers in 48 Hours
Through this automated process, in just two days they managed to collect:
- More than 3.5 billion phone numbers registered on WhatsApp.
- Accounts corresponding to 245 countries and territories.
- Additional public information available on those users’ profiles.
This means they obtained an almost global register of the numbers associated with active accounts on the application.
Exposed Data: Much More Than Numbers
Although the vulnerability did not give access to messages or conversations—which remain protected by WhatsApp’s end-to-end encryption—it did allow the mass extraction of account metadata, which is extremely valuable for social engineering, unauthorized marketing, and cybercrime targeting WhatsApp users. This metadata exposure is a considerable risk because it can be used to build detailed profiles of users without ever reading the content of their conversations.
1. Public Profile Picture
Around 57% of the numbers identified had a profile picture visible to anyone on WhatsApp. This allowed the researchers to associate number and face, increasing the risk of impersonation and targeted scams aimed at WhatsApp users.
2. “Info” or “Status” Text
29% of accounts displayed public text in the “info” or “status” section, such as personal phrases, professional information, work-related details, birthdays, city, or personal thoughts. Although it may seem trivial, this publicly visible information can be used by scammers to build more credible pretexts and launch targeted attacks against WhatsApp users.
3. Public Keys and Technical Metadata
In some cases, especially with WhatsApp business accounts or specific configurations, it was possible to obtain encryption public keys, timestamps, and other technical metadata. Although these do not allow messages protected by end-to-end encryption to be read, they provide information about the user’s activity and about the devices linked to their account.
4. Connection Between Number and Account
The mere fact of knowing that a number is registered on WhatsApp can be extremely sensitive in countries where the application is restricted, monitored, or considered risky. In those contexts, the leak is a physical as well as a digital security problem, because it confirms the user’s presence on WhatsApp even without revealing the content of their conversations.

Why Is This Leak So Serious?
A person’s phone number is already highly sensitive information on its own. Combined with a public profile picture, public “info” text, an identity verified by WhatsApp, the country and possibly an estimated city, and timestamps and approximate activity derived from usage, it becomes a goldmine for any attacker who wants to abuse the platform for malicious ends.
This combination of elements allows extremely detailed profiles of users to be built, even without accessing the content of their messages, and it makes clear that on WhatsApp a number is not just a number: it is a complete digital identity, exposed to risk if not properly protected.
Among the direct risks arising from this leak are multiple malicious uses that become more dangerous because of the sheer volume of data collected. Personalized phishing is far more effective when attackers have numbers, photos, and public statuses, allowing them to send messages that appear legitimate. Mass spam campaigns and bot-driven scams built on the extracted databases are also enhanced, as are advanced social engineering techniques that use this information to create fake profiles capable of deceiving the victim’s family and friends.
The risk of harassment and doxxing increases when public WhatsApp data is combined with real identities, and in certain countries the mere fact of proving that someone uses WhatsApp can have serious political or legal implications. Additionally, malicious actors can target specific groups—such as journalists, activists, businesspeople, or minors—based on categorized information extracted from WhatsApp, facilitating highly effective targeted attacks both inside and outside the platform.
Meta Closes the Vulnerability: What Was Actually Fixed?
After receiving the research team’s notification, Meta implemented changes to limit mass enumeration: stricter restrictions on the number of queries allowed per account, limits per IP address to prevent abuse, internal rules capable of identifying mass scanning patterns, and additional checks before allowing large volumes of requests in a short time.
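The controls described in the paragraph above, as an added illustration that is not Meta’s or WhatsApp’s code: a small Python guard placed in front of a contact-discovery lookup that enforces a per-account quota, a per-IP quota shared by every account behind that address, and a rule that flags a number range being walked in sequence. The quotas, time window, IP addresses and phone-number formats are assumptions chosen for the demonstration.

```python
from collections import defaultdict, deque

class DiscoveryGuard:
    def __init__(self, per_account=2000, per_ip=5000, window_s=3600, run_len=50):
        # Thresholds are demo assumptions, not the values Meta deployed.
        self.per_account, self.per_ip = per_account, per_ip
        self.window_s, self.run_len = window_s, run_len
        self.acct_hits = defaultdict(deque)   # account -> lookup timestamps
        self.ip_hits = defaultdict(deque)     # client IP -> timestamps from all its accounts
        self.last_num = {}                    # account -> last number looked up, as int
        self.streak = defaultdict(int)        # account -> length of current ascending run

    def _prune(self, q, now):
        while q and now - q[0] > self.window_s:
            q.popleft()

    def check(self, account, ip, number, now):
        """Decide one lookup; number is E.164 text such as '+4915112340000'."""
        acct_q, ip_q = self.acct_hits[account], self.ip_hits[ip]
        for q in (acct_q, ip_q):
            self._prune(q, now)
            q.append(now)                     # denied attempts count too
        if len(acct_q) > self.per_account:
            return False, "account quota"
        if len(ip_q) > self.per_ip:           # several accounts on one IP still share this
            return False, "ip quota"
        n = int(number.lstrip("+"))           # a sync hits scattered numbers; a scan walks ranges
        prev = self.last_num.get(account)
        self.streak[account] = self.streak[account] + 1 if prev is not None and n == prev + 1 else 1
        self.last_num[account] = n
        if self.streak[account] >= self.run_len:
            return False, "sequential scan pattern"
        return True, "ok"

def simulate_shared_ip(guard, accounts=5, lookups_each=1500):
    """Constructed scenario: several accounts behind one IP, each sending
    scattered (non-sequential) numbers. Returns decision counts by reason."""
    outcome, t = defaultdict(int), 0.0
    for k in range(lookups_each):
        for a in range(accounts):
            number = f"+1555{(a * 100003 + k * 7919) % 10_000_000:07d}"
            _, reason = guard.check(f"acct{a}", "203.0.113.7", number, t)
            outcome[reason] += 1
            t += 0.01
    return dict(outcome)

def simulate_range_walk(guard, start=4915112340000, count=60):
    """Constructed scenario: one account walking a contiguous range; returns lookups allowed."""
    return sum(guard.check("walker", "203.0.113.8", f"+{start + k}", k * 0.1)[0]
               for k in range(count))
```

In the shared-IP scenario each account stays under its own quota, yet the IP-level quota still cuts the batch off, which is the gap the single-IP, five-account setup in the research exposed.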
The researchers verified that the vulnerability was no longer exploitable in the same way after the patch, although concern remains about how many malicious actors could have exploited the function before it was fixed—something impossible to determine with certainty, and which significantly increases worry about the security of WhatsApp users.
How to Protect Yourself Now: Recommended Actions
Although the vulnerability has been fixed, it is essential for users to adopt practical measures that reduce their future exposure, starting with properly configuring WhatsApp’s privacy settings. Users can control who sees their information, so it is recommended to set the profile picture to “My Contacts,” since keeping it public visually exposed millions of users.
It is also important to change the visibility of the “Info” and “Status” section to “My Contacts” or “Nobody,” because texts that many people post without thinking—such as phrases, names, or work information—can be used for social engineering. Similarly, limiting the “Last Seen” and “Online” option to “Nobody” reduces tracking risks, and if a public photo must be used, choose a neutral image different from the personal photo used on other networks.
Additionally, it is crucial to adopt security habits inside and outside WhatsApp, such as not responding to messages from unknown numbers, as many attacks start with a simple “Hello, who are you?” In such cases, the best course is not to reply, to block, and to report within WhatsApp.
It is also recommended not to share your number publicly, so that it cannot be used to register on WhatsApp for malicious purposes; to activate two-step verification to prevent someone from attempting to hijack your account; and to distrust unexpected calls or SMS that may stem from the leak, especially since attempts at banking scams, fake technical support, and fraudulent automated calls based on the leaked data will increase.
A Lesson for the Digital Age: Privacy Is More Fragile Than It Seems
Many users believe they “have nothing to hide” or that their number “is not that important,” but this incident proves otherwise: the phone number registered on WhatsApp is a key that opens doors to multiple associated services and, therefore, also to possible attacks. The exposure of these numbers shows that even seemingly trivial data can have significant consequences for the digital security of those who use WhatsApp daily.
Although message content remains protected by end-to-end encryption, metadata continues to be a vulnerable area: phone numbers, connection times, public profile pictures, and visible statuses may be sufficient to build complete profiles of users. This metadata is valuable information that malicious actors can exploit for social engineering, spam, or targeted fraud.
The vulnerability that allowed the leak did not imply a failure in WhatsApp’s encryption, but it did reveal a weakness in the design of the contact discovery system, a critical function of the platform. Failures of this type should be considered in the design of any future feature, as this massive exposure demonstrates that even seemingly harmless features can generate significant security risks.
In an increasingly connected world, users need safer digital habits to protect their information. It is not enough to trust the platform; it is necessary to review WhatsApp’s privacy settings regularly, question what information is posted, and stay alert to warning signs in daily communications. Digital education around WhatsApp becomes essential to reduce the risks arising from leaks and attacks.

The leak of 3.5 billion WhatsApp numbers will go down in history not only for its magnitude but also for showing how a feature designed to make users’ lives easier can become a threat when its risks are not adequately assessed. This case demonstrates that even the most popular and trusted applications, such as WhatsApp, require a constant focus on security and privacy, both from developers and users. Protecting personal data on WhatsApp is not something to be taken for granted, but a daily effort that must combine good digital practices and awareness of risks.
Although the vulnerability has already been fixed by WhatsApp, the extracted data will not automatically disappear. It could be used for years in scam campaigns, identity theft, phishing, or even surveillance activities targeting WhatsApp users. This highlights that security on WhatsApp depends not only on platform patches and updates but also on informed decisions by each user, from correctly configuring privacy to limiting the exposure of their WhatsApp number and being wary of unexpected messages or calls.
Given this scenario, the best strategy is conscious prevention and constant digital education. Properly configuring privacy, protecting one’s personal number, limiting public information, and staying informed are fundamental steps to reduce risks within WhatsApp. At ITD Consulting, we offer specialized services in cybersecurity, data protection, and digital privacy advisory, designed to help businesses and users protect their communications on platforms like WhatsApp. To learn more about how we can help you strengthen your digital security, write to us at [email protected] and receive professional advice tailored to your needs.