WhatsApp security flaw exposed millions
- Cyberpeace Tech

- 6 days ago
A recent academic study revealed a security flaw in WhatsApp that allowed automated checks of whether billions of phone numbers were registered on the platform, and allowed those numbers to be linked to public profile information.
Doing so did not require breaching the app's encryption; it relied on exploiting a weakness in the contact verification feature.
The analysis, carried out by European specialists, showed that using the web version, it was possible to check millions of number combinations without effective blocking for several months. Under these conditions, they were able to confirm 3.5 billion phones registered with the service and, in many cases, access publicly visible profile photos and texts. Although each user defines what they share, the possibility of obtaining this information on such a scale represents a high risk.

What went wrong in the system design
The root of the problem was the reliance on the phone number as the unique identifier for each account. By repeating millions of automatic queries on the search tool, researchers were able to reconstruct massive profiles without breaking end-to-end encryption.
In addition to the phone number, it was also possible to infer some metadata such as devices used or linked desktop systems, facilitating the creation of more complete profiles that could be used in targeted attacks.
Consequences for users and businesses
This security flaw in WhatsApp opens the door to various threats, especially social engineering. With a phone number and other visible profile data, it is much easier to launch phishing campaigns, personalized scams, or identity theft.
In some countries where the app is restricted, the exposure of active numbers could even have legal or personal consequences for users, due to the level of surveillance that exists.
Another point of concern is the permanence of the information's value. Much of the data collected remains active years later, allowing it to be combined with other leaks and generate more accurate profiles in the future.
Official response and corrections applied
The information was reported to Meta, the company that owns WhatsApp, which subsequently implemented stricter limitations to prevent mass queries from the web version.
According to official statements, no malicious use of the finding was detected and the encryption of messages was never compromised.
However, the case reopens the debate on the use of phone numbers as a basis for digital identification and the need to strengthen control and privacy measures from the design stage.
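A limit on mass queries can be keyed on how many distinct numbers a client looks up rather than on raw request volume, so an address-book re-sync passes while a range walk is cut off. The sketch below is an added illustration, not WhatsApp's or Meta's actual control; the class name, the 200-number budget, the one-hour window, the client labels and the `+999` numbers are all assumptions constructed for the example.

```python
from collections import defaultdict, deque


class LookupBudget:
    """Sliding-window cap on the DISTINCT numbers one client may look up."""

    def __init__(self, max_distinct=200, window_s=3600):
        self.max_distinct = max_distinct
        self.window_s = window_s
        self._events = defaultdict(deque)  # client -> (timestamp, number) in arrival order
        self._counts = defaultdict(dict)   # client -> {number: lookups still in window}

    def _expire(self, client, now):
        events, counts = self._events[client], self._counts[client]
        while events and events[0][0] <= now - self.window_s:
            _, old = events.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]

    def allow(self, client, number, now):
        self._expire(client, now)
        counts = self._counts[client]
        if number not in counts and len(counts) >= self.max_distinct:
            return False  # a new target would exceed the budget; refuse and do not record it
        self._events[client].append((now, number))
        counts[number] = counts.get(number, 0) + 1
        return True


def simulate():
    """Constructed traffic: one address-book sync client, one range-walking client."""
    budget = LookupBudget(max_distinct=200, window_s=3600)
    contacts = [f"+999000{n:04d}" for n in range(150)]  # constructed, unassigned prefix
    sync_ok = sum(budget.allow("sync-client", num, now=rnd * 600 + i)
                  for rnd in range(5) for i, num in enumerate(contacts))
    sweep = [budget.allow("sweep-client", f"+999100{n:04d}", now=n) for n in range(3000)]
    return {"sync_allowed": sync_ok, "sweep_allowed": sum(sweep),
            "sweep_refused": sweep.count(False)}


if __name__ == "__main__":
    print(simulate())
```

A per-client budget only helps if the client key is hard to multiply, so in practice it would be combined with limits per account, per IP range and globally.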
Lessons for Mexico and cybersecurity
Although the case originated in Europe, it serves as a clear reference for Mexico, where WhatsApp is one of the main tools for personal and business communication. If a local attacker were to replicate this type of automation before controls were in place, they could build massive databases for targeted fraud campaigns, digital extortion, doxxing, or attacks on companies.
For Mexican users, organizations, and public administrations, it is necessary to strengthen profile protection by limiting visible information, verifying sensitive requests through alternative channels, and adopting stricter internal policies to prevent abuse.
What users can do
In the absence of alternative identifiers within the system, some immediate actions can reduce risks:
- Limit profile photos and status data to “My contacts” or “Nobody.”
- Avoid posting personal or work information or sensitive links in your status.
- Confirm urgent requests by other means before responding.
- Keep as little public information visible as possible.
This episode shows that even features designed to facilitate the user experience can become a conduit for large exposures of information when exploited in an automated manner.
Adjusting privacy settings is now a key line of defense to prevent future mass data collection.
At Cyberpeace, we emphasize the importance of strengthening digital literacy and staying up to date on new threats. Timely information and prevention are key to protecting your data and privacy. Want to continue learning about cybersecurity? Follow us on social media and stay up to date.








