Skip to content

All WhatsApp numbers are under threat#

February 5, 2026

WhatsApp data leak

Researchers have discovered a fundamental vulnerability in WhatsApp that allowed data collection on billions of users for years. It has already been proven that the contact search mechanism could be used to collect the numbers of almost all registered accounts, and for most users, additional personal information could be obtained.

Contents#

How the vulnerability worked#

The problem lay in WhatsApp's core function—number registration verification. The service automatically displays whether the entered number is registered in the system, allowing for quick contact searches.

The vulnerability lay in the lack of restrictions:

  • The WhatsApp web client placed virtually no limits on the frequency of verification requests.

  • The researchers were able to verify up to 100 million numbers per hour.

  • The system did not block mass requests from a single IP address.

This allowed the system to automatically try all possible phone number combinations worldwide, creating a database of active WhatsApp accounts.

Thus, over several weeks of research, an unprecedented database was compiled:

  • 3.5 billion verified numbers — almost all active WhatsApp accounts at the time of the study.

  • 2 billion profiles with public photos — more than half of all users.

  • 1 billion accounts with public statuses — additional personal information.

The situation was particularly critical in some countries. In India and Brazil, more than 60% of users left their profile photos public.

Why it's dangerous#

The collected data is not just a list of phone numbers, but full-fledged personal data with visual identification. It can be used for:

  • Targeted spam and fraud. Knowing that a number is active on WhatsApp, attackers can create personalized phishing attacks.

  • User identification. The combination of number, photo, and status allows for highly accurate identification.

  • Surveillance in countries where WhatsApp is banned. Researchers discovered 2.3 million accounts in China, where the service is officially banned. This data can be used to identify users of illegal messaging apps.

It's important to note that this issue has long been known. The vulnerability was first described by researchers back in 2017, but WhatsApp only patched it now following an official report from the University of Vienna.

The company responded ambiguously, thanking the researchers for their work and calling the leaked data "public," as some of this information could have been hidden in settings.

The company also stated that WhatsApp has anti-scraping mechanisms. However, the researchers note that until this year, they had not encountered any real restrictions on data collection.

How to protect your data now#

For Messenger Users#

Although the main vulnerability has been patched, users should:

  • Check your privacy settings in WhatsApp.

  • Limit who can see your profile photo and status (Contacts only is recommended).

  • Avoid posting sensitive personal information in your status.

For GREEN-API Users#

Bulk number checks may now be considered suspicious activity, so using the CheckWhatsapp method may result in restrictions or account blocking by WhatsApp.

We recommend not using this method unless absolutely necessary.

Switching to usermane system#

Experts agree that the vulnerability is a consequence of the architectural decision to use a phone number as the primary account. Numbers are easily guessed, requiring particularly strong security mechanisms that are unable to cope with a billion-strong user base.

WhatsApp is already testing a solution to this problem—a unique usermane system that will allow users to hide their phone number.

Conclusion#

A study from the University of Vienna has uncovered a fundamental privacy vulnerability in one of the world's most popular messaging apps. Although the vulnerability has now been patched, it serves as an important reminder of the value of digital data and the need to manage privacy settings responsibly.

At GREEN-API, we monitor all WhatsApp updates to provide you with the latest news and solutions for automating your business processes. Stay tuned to stay up-to-date with all the latest developments!