Researchers Expose WhatsApp Flaw That Let Them Scrape Data from 3.5 Billion Users. Here’s Why It Matters

Alina BÎZGĂ

November 19, 2025


When a team of cybersecurity researchers from the University of Vienna tested WhatsApp’s contact discovery feature, they uncovered something alarming: a design flaw that allowed them to enumerate phone numbers and public profile data of nearly 3.5 billion users worldwide.

No hacking or malware was required – researchers simply took advantage of the WhatsApp verification process that shows if a phone number is registered on its platform.

According to the University of Vienna team, the vulnerability stemmed from WhatsApp’s “contact discovery” mechanism, the feature that checks your address book to show which of your contacts use the app.

By automating the process and sending queries to WhatsApp servers, the researchers were able to enumerate up to 3.5 billion valid phone numbers, confirming which were associated with real WhatsApp accounts. They also retrieved profile photos for 57 percent of users and the “About” information for 29 percent.

The study, which was conducted ethically and shared with Meta, underscores how mass scraping can take place without breaching any servers. For attackers, such datasets are highly valuable: phone numbers linked to WhatsApp accounts can be used for spam, social engineering, phishing, or even identity theft.
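
On the service side, this kind of enumeration stands out because one client looks up far more numbers than any address book holds, often in consecutive blocks. The sketch below is an added example, not code from the researchers, WhatsApp, or Bitdefender; the log format, client names, phone numbers, and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# All thresholds are assumptions chosen for illustration, not vendor values.
WINDOW_SECONDS = 3600        # fixed window used to bucket lookups
MAX_DISTINCT = 2000          # ceiling for a plausible address-book sync
MIN_FOR_PATTERN = 50         # smallest batch worth testing for a sweep pattern
MIN_SEQUENTIAL_SHARE = 0.8   # share of consecutive numbers that marks a sweep


def sequential_share(numbers):
    """Fraction of sorted distinct numbers that directly follow their predecessor."""
    ordered = sorted(set(numbers))
    if len(ordered) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
    return steps / (len(ordered) - 1)


def flag_enumerators(events):
    """events: iterable of (client_id, unix_ts, queried_number_as_int).
    Returns {client_id: reason} for clients whose lookups resemble enumeration."""
    buckets = defaultdict(set)
    for client, ts, number in events:
        buckets[(client, ts // WINDOW_SECONDS)].add(number)
    flagged = {}
    for (client, _), numbers in buckets.items():
        if len(numbers) > MAX_DISTINCT:
            flagged[client] = "volume"
        elif (len(numbers) >= MIN_FOR_PATTERN
              and sequential_share(numbers) >= MIN_SEQUENTIAL_SHARE):
            flagged.setdefault(client, "sequential")
    return flagged


def sample_events():
    """Constructed contact-discovery log; the numbers are made up, not real subscribers."""
    events = []
    for i in range(60):      # client-a: one ordinary sync of scattered contacts
        events.append(("client-a", 1000 + i, 10_000_000_000 + i * 7919))
    for i in range(5000):    # client-b: high-volume sweep of a contiguous block
        events.append(("client-b", 1000 + i % 2000, 10_000_100_000 + i))
    for i in range(300):     # client-c: slower sweep that stays under the volume limit
        events.append(("client-c", 1000 + i * 5, 10_000_900_000 + i))
    return events


if __name__ == "__main__":
    for client, reason in sorted(flag_enumerators(sample_events()).items()):
        print(client, reason)
```

The second check matters because a client that stays under the volume ceiling can still walk a number range; an ordinary address book is scattered, so its sequential share stays near zero.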

What Hackers Can Do with Your WhatsApp Number

Once your number is exposed, scammers can:

  • Target you with scams: Knowing you use WhatsApp lets scammers contact you directly through the app, posing as friends, charities, or brands.
  • Try to take over your account: Scammers can trick you into sharing your verification code or perform SIM-swap attacks to hijack your WhatsApp account.
  • Impersonate you: With your number and profile photo, attackers can clone your identity and message your contacts to ask for money or personal information.
  • Cross-platform targeting: Many services still rely on your phone number for password resets or two-factor authentication. Controlling your number gives criminals leverage over multiple accounts.

How Scammers Exploit WhatsApp — Recent Real-World Examples

1. “Recognize the State of Palestine” Scam

This recent, politically charged campaign spreads through WhatsApp messages that ask users to “recognize the State of Palestine” by clicking a link. In reality, the link leads to phishing pages designed to steal login credentials or personal information.

2. “Vote for My Child” Scheme

Bitdefender Labs recently tracked a widespread scam circulating across Europe that uses emotional bait messages asking users to vote for someone’s child in an online contest. Victims who clicked were directed to a phony website that enabled attackers to take over WhatsApp accounts.

3. Fake “Sephora Advent Calendar” Survey Scam

In November 2025, Bitdefender Labs detected a surge of WhatsApp messages promoting a fake Sephora Advent Calendar giveaway. The campaign encouraged users to forward the message to their contacts and click a fraudulent link promising a free advent calendar.

All these scams exploited the credibility of WhatsApp, the visibility of real phone numbers, and the speed at which trust spreads through chat networks.

How Bitdefender Protects You

Phone numbers are part of our digital identity, and they deserve just as much protection as our passwords or emails.


Here’s how Bitdefender helps you stay one step ahead:

  • Digital Identity Protection: Monitors your personal data, including phone numbers, across breaches, leaks, and scraping incidents. Alerts you when your info appears online and guides you through remediation.
  • Bitdefender Scamio: A free AI-powered scam detector that you can chat with directly on WhatsApp, Facebook Messenger, or the web. Forward suspicious links, messages, or screenshots to Scamio, and it will instantly tell you if they’re safe.
  • Bitdefender Mobile Security: Protects your phone against malware, phishing links, and fraudulent apps.

Together, these tools cover both identity monitoring and device-level protection, providing a comprehensive defense against WhatsApp-enabled scams.
