A newly published study by cybersecurity researchers from the University of Vienna has revealed that a severe security flaw in WhatsApp’s contact discovery feature exposed private details of nearly 3.5 billion active users across 245 countries. By exploiting this mechanism, the team managed to send over 100 million automated queries per hour and successfully extracted phone numbers tied to active WhatsApp accounts on a global scale.
The vulnerability stemmed from a fundamental design gap in WhatsApp’s contact discovery system, which lets users identify which of their contacts are on the platform. Researchers discovered that WhatsApp imposed no limit on how many phone numbers could be looked up, effectively enabling anyone to check countless numbers in bulk. The discovery is especially alarming because Meta, the parent company of WhatsApp, had been warned about this loophole as far back as 2017 but failed to implement even basic safeguards.
The collected data included publicly available information such as phone numbers, public encryption keys, display pictures, timestamps, and “about” details. While not containing private messages or end-to-end encrypted content, the data was sufficient for researchers to profile users — identifying the operating system of their devices, the age of accounts, and how many companion devices were linked. Experts warn that this type of metadata exposure can be just as damaging as direct breaches since it enables deeper behavioral and pattern analysis.
According to a report from 9to5Mac, if malicious actors had exploited the same flaw, the incident could have resulted in “the largest data leak in history.” What makes the revelation even more concerning is how easily it could have been prevented. By introducing simple request limits or validation checks, Meta could have closed the loophole years ago. Instead, it remained open, allowing researchers to harvest tens of millions of numbers in just minutes during their testing.
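The request limit mentioned above can be sketched as a per-client token bucket that charges for every phone number looked up rather than for every request, so large batches cannot sidestep it. This is an added example, not WhatsApp's or the researchers' code; the class name, capacity, refill rate and client identifier are assumptions, and the phone numbers are constructed.

```python
import time


class ContactLookupLimiter:
    """Per-client token bucket charged per phone number, not per request."""

    def __init__(self, capacity=500, refill_per_sec=0.0625, clock=time.monotonic):
        self.capacity = capacity              # assumed burst: one address-book sync
        self.refill_per_sec = refill_per_sec  # assumed sustained rate: 225 numbers/hour
        self.clock = clock                    # injectable so tests control time
        self.buckets = {}                     # client_id -> (tokens, last_update)

    def allow(self, client_id, numbers):
        """Return the numbers this client may resolve now; the rest are refused."""
        now = self.clock()
        tokens, last = self.buckets.get(client_id, (self.capacity, now))
        # Refill for elapsed time, never above capacity.
        tokens = min(self.capacity, tokens + (now - last) * self.refill_per_sec)
        # Deduplicate: a repeated number costs one token and yields one answer.
        unique = list(dict.fromkeys(numbers))
        granted = unique[: int(tokens)]
        self.buckets[client_id] = (tokens - len(granted), now)
        return granted


if __name__ == "__main__":
    # Constructed scenario: one client submits 1,000 sequential numbers every second.
    t = [0.0]
    limiter = ContactLookupLimiter(clock=lambda: t[0])
    resolved = 0
    for second in range(3600):
        t[0] = float(second)
        batch = [f"+1555{second:04d}{i:03d}" for i in range(1000)]  # fake numbers
        resolved += len(limiter.allow("client-A", batch))
    print(f"submitted 3,600,000 numbers, resolved {resolved}")
```

A per-client budget only bounds a single identity, so it needs to be paired with controls on account creation and with aggregate monitoring of lookup volume.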
Meta has since taken measures to patch the issue and strengthen its contact discovery protocols. However, the case reignites broader debates about user privacy, accountability, and how tech giants handle known vulnerabilities. For WhatsApp users, the episode serves as a sobering reminder that even encrypted messaging platforms are only as secure as the weakest feature in their ecosystem.