By Neeraj Kapoor 
New Delhi, November 19: For an app that sits on nearly every Indian smartphone, WhatsApp has always felt strangely personal, almost intimate. That is why the revelation that researchers managed to map out 3.5 billion active WhatsApp numbers has landed with a thud in tech circles today. The flaw did not crack encryption or steal chats, but it did something that feels just as unsettling. It showed how a simple feature many of us barely pay attention to can, when pushed hard enough, reveal an astonishing amount of information about people all over the world.
The discovery came from a University of Vienna research team, whose method was simple in theory and staggering in execution. They took WhatsApp’s own contact discovery tool, the same one that quietly checks your address book to see who is on the platform, and pushed it to its limit. Instead of checking a few dozen numbers, they checked tens of billions. And the app answered each time, confirming which numbers were active.
According to Wired, this was enough to compile a data set covering billions of users, including publicly visible profile photos and about texts in many cases. The researchers did not access any private messages. Still, the idea that your number and profile image can be plucked out of the air simply because of a design oversight feels jarring.
A Scraping Operation Hidden In Plain Sight
What makes this situation different from previous leaks is that nothing was “breached” in a dramatic sense. As reported by CyberSecurityNews, the researchers fed roughly 63 billion numbers into the system over the course of several months. WhatsApp’s servers simply replied, over and over, identifying which numbers were real accounts. It was the digital equivalent of knocking on every door in the world just to see who answers.
Once they had that list, the team checked what information each account exposed publicly. Wired reports that more than half of the accounts had profile photos visible to anyone, while close to a third displayed their about text. These are details people tend to forget are public, especially when WhatsApp has long been marketed as a “private” messaging space.
Then came a smaller but worrying revelation from TechXplore. Some accounts appeared to reuse certain cryptographic keys, a practice that can weaken account security. This part of the study has not received the same explosive attention as the number enumeration, but it raises technical questions WhatsApp will have a hard time brushing aside.
The Story Breaks, And The Numbers Hit Home
News of the flaw broke internationally on 18 and 19 November, with 9to5Mac and India Today among the first to detail the scale. Indian-language outlets followed quickly, perhaps because India is WhatsApp’s beating heart. Jagran highlighted the risks for Indian users in particular, noting how verified numbers can make scam attempts more targeted.
And that is really the crux of the worry. While nothing private leaked, the confirmation that a number is actively used on WhatsApp has value. If you are a scammer, you do not need to guess anymore. You know the line is live, and you might even have a face to go with it.
Meta’s Response: A Careful Acknowledgement
Meta, WhatsApp’s parent company, issued a response through 9to5Mac, thanking the researchers for participating in its Bug Bounty programme. The tone was appreciative but measured. Meta said it had already been working on stronger anti-scraping tools and insisted that there was no evidence that malicious actors exploited the flaw in the wild, a point also shared in India Today’s coverage.
The clarification is important, but it does not cancel out the scale of what researchers pulled off. WhatsApp, like most major social apps, sits on a mountain of metadata. And while end-to-end encryption protects messages, metadata sits in a different category, one that can be quietly scraped if the architecture permits.
Why India Feels This More Than Most Countries
More than any other country, India depends on WhatsApp. Families use it, shopkeepers use it, school groups rely on it, and in many small towns, it stands in for email and sometimes even government communication.
That is why this exposure hits differently here. Jagran’s reporting pointed out how easily verified numbers can be fed into phishing systems. Once an attacker knows your number is real and active, they can craft social engineering attempts with far more precision. A profile photo can reveal gender, age, and even profession. An about text can hint at mood or personality. None of it is catastrophic alone, but together it builds a target.
People often forget that WhatsApp profile photos are public unless manually restricted. Many users leave the setting on default, unaware that their image is visible to anyone with their number. When paired with verified account status, that becomes a surprisingly large digital footprint.
Privacy Settings That Most People Ignore
Cybersecurity experts are already urging users in India to take the simplest possible precaution. Change who can see your profile photo. Adjust the visibility of your about text. Consider whether everyone should see your last seen. These settings have existed for years, but they are rarely part of everyday conversations unless something goes wrong.
The flaw will likely push many to rethink how much they reveal by default. While these settings cannot fully prevent enumeration, they can limit how much is attached to your number if someone scrapes it in bulk.
The Policy Angle That May Come Next
So far, the Indian government has not issued a statement, but this disclosure comes as the Digital Personal Data Protection Act begins reshaping the conversation around tech accountability. Even though no private content leaked, the sheer scale of the metadata exposure raises questions regulators may want answered. If a platform assigns numbers as identifiers, how responsible is it for ensuring that large-scale scraping is impossible?
Tech policy experts believe WhatsApp will face scrutiny not just for the flaw itself but for the assumptions built into its system. The question is no longer whether encryption is strong. The real issue is how much information sits outside encryption yet still feels personal to users.
A Reminder Of What Metadata Can Reveal
This incident is not the first to demonstrate how metadata, when aggregated, becomes powerful. A single phone number is not harmful. A list of three and a half billion numbers mapped against profile photos and about texts is another matter. It becomes a directory.
As Wired pointed out, even without message access, a data set like this can be exploited for spam, mass fraud, targeted advertising, or identity-based scams. India, already battling widespread digital fraud, may face a sharper spike if such data sets fall into the wrong hands.
For now, Meta says the issue has been addressed and that stronger anti-scraping measures are already in place. Users will have to take that at face value, at least until outside audits confirm the fix.
What You Should Do Today
For Indian users who want to stay cautious, these steps are practical and immediate:
• Limit profile photo visibility to contacts
• Restrict who can view your about text
• Treat unexpected WhatsApp messages with suspicion
• Avoid tapping on links from unknown numbers
• Keep the app updated
None of these steps can undo the enumeration, but they can narrow the window of additional exposure.
A Bigger Discomfort That Will Linger
The WhatsApp flaw does not shatter trust in the way a message leak would, but it does leave behind an uneasy truth. Even the platforms we trust most have blind spots. And when those blind spots involve billions of accounts, they become global news.
For India, where WhatsApp often feels like a public utility rather than a private corporation’s product, the incident is a reminder to treat even familiar apps with a touch more care. Encryption may keep conversations safe, but the world around those conversations is more visible than most people realise.
Stay ahead with Hindustan Herald — bringing you trusted news, sharp analysis, and stories that matter across Politics, Business, Technology, Sports, Entertainment, Lifestyle, and more.
Connect with us on Facebook, Instagram, X (Twitter), LinkedIn, YouTube, and join our Telegram community @hindustanherald for real-time updates.
Tech writer passionate about AI, startups, and the digital economy, blending industry insights with storytelling.
- Neeraj Kapoorhttps://hindustanherald.in/author/neeraj/
- Neeraj Kapoorhttps://hindustanherald.in/author/neeraj/
- Neeraj Kapoorhttps://hindustanherald.in/author/neeraj/
- Neeraj Kapoorhttps://hindustanherald.in/author/neeraj/
Ananya Sharma and Neeraj Kapoor