The internet is currently screaming that 3.5 billion WhatsApp users’ data has been leaked, and of course it has some obvious reasons for you to be concerned. But, before you start deleting the app or thinking some hacker in a dark hoodie has stolen your late-night chats, let’s clear the air, cause the real story is slightly different. It wasn’t a hack; it was a massive "I told you so" moment by some researchers.
Here is the breakdown of exactly what went down, why it happened, and why Meta is currently blushing.
A group of researchers from the University of Vienna didn’t exactly break into Meta’s servers. Instead, they exploited a very basic feature we all use daily: contact syncing. You know how when you save a number, WhatsApp instantly tells you if that person is on the app? Well, these researchers automated that process on steroids.
Using a specific script, they managed to scan over 100 million phone numbers per hour. They successfully identified nearly 3.5 billion active users globally, including about 750 million users right here in India. That’s basically half the country’s data scraped from a single device!
According to their report, they extracted details which included profile pictures, about statuses and phone numbers of people. The strange thing to notice here is; how Meta’s server didn’t find this fishy.
Now, for the plot twist that is actually interesting. This wasn’t a new bug. A tech expert named Loran Kloeze actually warned Meta about this exact loophole way back in 2017.
He explicitly told them that the system could be abused to scrape user data. But Meta apparently argued and ignored the finding. It took this Austrian team doing it on a massive global scale in 2025 for the tech giant to finally acknowledge the loophole.
However, the technique that was used by Loran was not used by the researchers for these findings.
The team of researchers formally reported their findings to Meta back in April 2025. All of this was done through Meta’s "Bug Bounty" program.
Well, they securely deleted the entire dataset after their study was concluded and before they published their findings.
Eventually, they emphasized that the data was collected solely to demonstrate the vulnerability and stress-test Meta's defenses, not for malicious use.
Meta also confirmed in their statement that the researchers had deleted the data.
But, here is the creepy part. What if the data would have fallen in the wrong hands? Because many of us keep our privacy settings on "Everyone" (seriously, why?), the researchers scraped millions of profile photos and 'About' statuses.
Imagine a tool where someone takes a photo of you on the street, runs it through facial recognition, matches it to this database, and boom, they have your private phone number. It’s essentially a "reverse phone book," linking your face directly to your identity.
The good news is that Meta has finally fixed the rate-limiting glitch, so people can’t mass-scan numbers like this anymore. But to be on the safe side, you need to lock your doors.
Do this right now:
Open your WhatsApp(Obviously) > Go to Settings > Privacy > Profile Photo and switch it to "My Contacts". Do the same for your "About" and "Status."
