Security hole in WhatsApp reveals 3.5 billion phone numbers

Researchers from Vienna have identified 3.5 billion phone numbers through what is probably the largest security hole in WhatsApp’s history.

Security hole in WhatsApp

Due to the security hole, WhatsApp’s entire membership list was available online unsecured. This allowed Austrian researchers to download all phone numbers and other profile data, which turned out to cover more than 3.5 billion accounts. Given this number, it is probably the largest security breach in WhatsApp’s history.

The warnings that the group from the University of Vienna and the Austrian SBA Research had been sending to WhatsApp since September 2024 were confirmed but quickly discarded. It was only when the researchers submitted two draft versions of the report they wanted to publish that parent company Meta woke up. The report shows how many WhatsApp users there are in each country, how they are divided between Android and iOS, how many business accounts there are, and what the customer churn rate is. It also contains all kinds of personal data of end users.

Sensitive information

About 30 percent of all users have entered something in the ‘Info’ field of their profile, and what they enter is sometimes relatively sensitive. Examples include political views, sexual or religious orientation, confessions of drug use, and drug dealers advertising their range in this field. The researchers from Vienna also found information about the user’s workplace, as well as hyperlinks to profiles on social networks, Tinder and OnlyFans. Of course, the field also contained email addresses. This is a true paradise for criminals.

Furthermore, WhatsApp’s security hole revealed the time of the most recent change, not only to the ‘Info’ field but also, for example, to profile photos, which 57 percent of all WhatsApp users worldwide have uploaded with visibility set to everyone. Because these photos are so easily accessible, it would be possible to create a database that often leads from a face to the phone number via facial recognition, and vice versa.

WhatsApp says it is grateful to the researchers at the University of Vienna for sharing their findings on the security hole. The researchers have now deleted the collected data, and according to WhatsApp it has not been misused. Users’ messages remained private thanks to WhatsApp’s end-to-end encryption, and the researchers did not have access to non-public data. It is therefore a good idea from now on to think carefully about what information you make public in WhatsApp.
