A weakness in WhatsApp's contact lookup (contact discovery) feature allowed researchers to confirm the existence of, and collect profile data for, 3.5 billion user accounts, exposing them to privacy risks. Researchers at the University of Vienna uncovered the flaw during an investigation that ran from December 2024 to April 2025.
Major Privacy Vulnerability
The flaw is that the contact lookup endpoint answered, at scale and without effective rate limiting, whether an arbitrary phone number is registered. That turns contact discovery into an enumeration oracle: an attacker generates syntactically valid phone-number combinations and submits them in bulk. Using a tool called libphonegen, the researchers generated 63 billion candidate numbers and, by querying them, confirmed 3.5 billion registered accounts worldwide. Of those confirmed accounts, approximately 57% had a publicly visible profile photo and 29% had "about" text, some of it potentially sensitive (for example, religious or political affiliations).
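To make the enumeration mechanics concrete, here is an added example (not code from the researchers, from libphonegen, or from WhatsApp) that models the two halves of the problem: a candidate-number generator over a numbering-plan fragment, and a toy contact-discovery endpoint that reports which candidates are registered. The numbering plan, the set of registered numbers, the `ContactDiscovery` class and the `per_client_limit` parameter are all constructed assumptions for illustration; the second run shows how a per-client query cap, the kind of restriction the article says was added later, bounds what one client can harvest.

```python
"""Toy model of phone-number enumeration against a contact-discovery endpoint.

Everything here is constructed for illustration: the numbering-plan fragment,
the registered-account set and the endpoint are not WhatsApp's real data or API.
"""
import itertools

# Constructed numbering-plan fragment: (country code, mobile prefix, subscriber digits).
# Four subscriber digits keep the search space small (2 * 10**4 numbers).
NUMBERING_PLAN = [
    ("43", "664", 4),   # hypothetical prefix, not a claim about any real operator
    ("43", "676", 4),
]


def candidate_numbers(plan=NUMBERING_PLAN):
    """Yield every syntactically valid E.164-style number in the plan."""
    for cc, prefix, n in plan:
        for digits in itertools.product("0123456789", repeat=n):
            yield "+" + cc + prefix + "".join(digits)


# Constructed population: every fifth candidate is "registered" (4,000 of 20,000).
REGISTERED = frozenset(n for i, n in enumerate(candidate_numbers()) if i % 5 == 0)


class ContactDiscovery:
    """Toy endpoint: tells a client which of the submitted numbers are registered.

    per_client_limit=None models the unrestricted behaviour the researchers
    exploited; a number models a (lifetime, non-resetting) per-client query cap.
    A production limiter would also key on IP/device and use sliding windows.
    """

    def __init__(self, registered, per_client_limit=None):
        self._registered = set(registered)
        self._limit = per_client_limit
        self._used = {}  # client_id -> numbers queried so far

    def lookup(self, client_id, numbers):
        numbers = list(numbers)
        if self._limit is not None:
            used = self._used.get(client_id, 0)
            if used + len(numbers) > self._limit:
                raise PermissionError("per-client lookup limit exceeded")
            self._used[client_id] = used + len(numbers)
        # The oracle: membership of the submitted numbers in the registered set.
        return [n for n in numbers if n in self._registered]


def enumerate_accounts(service, client_id, batch_size=1000):
    """Walk the whole candidate space in batches; stop when the endpoint refuses.

    Returns (registered numbers found, total numbers successfully queried).
    """
    found, queried, batch = [], 0, []

    def flush():
        nonlocal queried, batch
        found.extend(service.lookup(client_id, batch))
        queried += len(batch)
        batch = []

    try:
        for number in candidate_numbers():
            batch.append(number)
            if len(batch) == batch_size:
                flush()
        if batch:
            flush()
    except PermissionError:
        pass  # cap reached: return what was harvested before the refusal
    return found, queried


def demo():
    """Unrestricted endpoint vs. a capped one, same attacker, same candidate space."""
    unlimited = ContactDiscovery(REGISTERED)
    found_open, queried_open = enumerate_accounts(unlimited, "attacker")

    capped = ContactDiscovery(REGISTERED, per_client_limit=5000)
    found_capped, queried_capped = enumerate_accounts(capped, "attacker")
    return {
        "open": (len(found_open), queried_open),
        "capped": (len(found_capped), queried_capped),
    }


if __name__ == "__main__":
    print(demo())  # open: all 4,000 accounts found; capped: 1,000 found after 5,000 queries
```

The point of the second run is not that a cap fixes the design (the endpoint still leaks one bit per query, and an attacker with many client identities multiplies the cap) but that without any cap the cost of a full sweep is just the number of candidates, which is exactly what made a 63-billion-number sweep feasible.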
Encryption Risks and Vulnerability
Alongside the enumeration itself, the researchers observed that some public identity keys were reused across accounts. Security experts warn that key reuse of this kind can weaken end-to-end encryption guarantees, since a key is supposed to identify exactly one account or device, and may leave affected conversations exposed to interception. Although Meta, WhatsApp's parent company, rolled out an update in October 2025 that rate-limits account lookups, a lookup still reveals whatever the target's profile exposes publicly, so users whose profile photo or "about" text is visible to everyone remain at risk. Users are encouraged to restrict those fields to contacts only and to use the other privacy settings available.
Impact and Recommendations
The enumeration risk was first reported to WhatsApp in 2017, so this research highlights a long-standing gap in data protection for WhatsApp's very large user base. Meta's recent rate limiting is intended to mitigate bulk lookups, though how effective it is against distributed or slower-paced enumeration remains to be seen. In the meantime, users should review their privacy settings, in particular who can see their profile photo and "about" text, for additional protection.