WhatsApp users phone numbers have been massively compromised

WhatsApp is a very large platform, and part of its growth comes from how easy it is to find people using the service – all you need is their phone number. Unfortunately, this also means that, until very recently, anyone — even a malicious hacker group — could easily obtain every WhatsApp user’s phone number.

This was uncovered by Austrian researchers, who managed to extract the phone numbers of all 3.5 billion WhatsApp users. For about 57% of those users, the researchers were also able to access their profile photos, and for another 29%, their profile text.

If you are wondering what kind of “black hat” hacking technique they used — none. They simply tried adding billions of numbers, just like any normal user would. You add a number, and WhatsApp tells you whether the person has an account and shows their profile picture and account text.

That’s it — the researchers did the same thing, just on a massive scale. They used WhatsApp Web, the browser-based version of the service. Earlier this year, they were able to check about 100 million phone numbers per hour. This happened even though Meta, WhatsApp’s parent company, had been warned about this issue back in 2017 by another researcher, yet did nothing for years.

Fortunately, the Austrian researchers notified the company again in April, and by October, Meta implemented rate limits to prevent large-scale contact discovery. However, this measure wasn’t in place for many years, during which time any malicious actor could have exploited the system.

Meta, for its part, states that all of this data is “basic publicly available information,” and profile photos or texts were not visible for users who chose to keep them private. The company also claims that it “found no evidence of malicious actors abusing this method,” and that “no non-public data was accessible to the researchers.