Swiss users also affected: WhatsApp gap allows access to billions of user profiles - what you should do now
Lea Oetiker
20.11.2025
Viennese researchers discovered a WhatsApp security vulnerability that allows billions of phone numbers to be read in a short space of time. Swiss users are also affected.
20.11.2025, 08:43
20.11.2025, 14:42
No time? blue News summarizes for you
Viennese researchers discovered a security vulnerability in WhatsApp that allowed them to read 3.5 billion accounts worldwide.
In addition to phone numbers, they also obtained sensitive metadata such as profile pictures and status information.
Despite multiple warnings, Meta reacted late and has since introduced protective measures.
You open WhatsApp, enter an unknown number and then see the person's profile picture. It is precisely this function that has a vulnerability: it could be executed as often as desired. Viennese researchers took advantage of this - and were able to read more than 100 million phone numbers within an hour without WhatsApp stopping access.
The result: the researchers identified all 3.5 billion active WhatsApp accounts worldwide, including 8.4 million from Switzerland. Even the otherwise rather reserved specialist magazine "Heise" spoke of the "biggest data leak in history".
However, they obtained not only phone numbers but also political views, religious beliefs, links to dating profiles and even email addresses of government employees - at least if you have made your profile photo and status public.
For North American numbers, the researchers downloaded 77 million profile photos, which corresponds to a total of 3.8 terabytes of image material. Facial recognition software detected human faces in two thirds of the images. This resulted in a search system in which you either enter a photo to obtain a telephone number or vice versa, as reported by "Heise".
What you should do now
Protect your account: Activate two-factor authentication (2FA) immediately. This is your most important protection, as criminals need an additional PIN to take over your account.
Limit visibility: Set your privacy settings so that your profile picture, "Last seen" status and "Info" are ideally only shown to your contacts or no one at all.
Be vigilant: Be wary of messages from unknown numbers, never click on links from unexpected sources and always keep WhatsApp and your phone up to date.
But what if you appear on such a list? You could become the target of spam calls, phishing attempts or scams - because criminals know that these numbers are active.
It is particularly sensitive that the researchers discovered 2.3 million active WhatsApp accounts in China, even though the app is banned there. They also found 1.6 million active accounts in Myanmar. It can be life-threatening for these users if the authorities find out about their illegal use.
This also revealed possible fraud networks. In Myanmar and Nigeria, the researchers found WhatsApp accounts with identical security keys, which indicates that several people are using the same profile and thus continuously contacting potential victims.
The data also shows that around 81 percent of WhatsApp users worldwide use Android. In Switzerland, however, only 43% do - iOS is much more popular here than in other countries.
Meta only reacted much later
Initially, nothing happened for a year. Although the researchers pointed out the problem to Meta several times from September 2024, the company barely reacted: reports were closed as "duplicates" or assessed as "not applicable". Only the announcement of a publication got things moving.
"We would like to thank the researchers at the University of Vienna for their responsible partnership," says WhatsApp manager Nitin Gupta. The collaboration had identified a method that could be used to automatically query millions of phone numbers. However, there is no evidence that this vulnerability has already been exploited by criminals. Additional protection mechanisms have since been introduced.
WhatsApp chats were not affected
The researchers from Vienna nevertheless give users a clear recommendation: they should check what personal information is visible via their profile photo and status text - and, if possible, only share this information with saved contacts.
Importantly, the WhatsApp chats themselves were never compromised. The messenger encrypts messages end-to-end so that outsiders cannot read them. However, the accompanying data - known as metadata - represents an often underestimated risk. The study makes it clear that anyone who collects enough of it can draw an astonishing number of conclusions about users.