WhatsApp: Data of almost all Indians in danger, how big is the danger – how to avoid it?

New research has revealed that security researchers scraped the phone numbers associated with 3.5 billion active WhatsApp accounts worldwide, including approximately 750 million Indian users. Millions of profile photos and public details like "About" were also extracted from these accounts. This was done using WhatsApp's contact-discovery feature. Although WhatsApp later patched this loophole, it has raised serious privacy concerns.

If you suddenly receive a "Hi" from a stranger or a fake job offer on WhatsApp one night, you'll wonder how they got your number. This isn't a small matter. It's quite serious. Imagine if all WhatsApp numbers were made public? In fact, this has actually happened. WhatsApp's entire member directory was being openly sold on the dark web.

Security researchers have said they were successful in scraping the phone numbers associated with more than 3.5 billion active WhatsApp accounts, including approximately 750 million Indian users, the highest number in the world.

The researchers were also able to extract the publicly visible WhatsApp profile photos of 62 percent (or 465 million) Indian users, along with "About" text, companion-device usage, business account information, and other profile details.

These findings are part of a research paper published on Tuesday, November 18th, by computer scientists at the University of Vienna (Austria). The researchers explained how they exploited WhatsApp's contact discovery feature to create this massive dataset.

A WhatsApp user can easily determine whether a mobile number is registered on the platform by simply saving the number to their phone and checking if it appears in their chat list. If the other person hasn't set visibility limits, their profile photo and name are also visible.

The research notes that the contact-discovery feature makes it easier for users to find and start conversations with one another. However, it can also be misused to harvest WhatsApp profile data on a large scale using advanced techniques that leverage the platform's XMPP endpoints.

Of the 3.5 billion accounts, researchers were able to scrape the public profile photos of 57 percent of users. In Brazil, 61 percent of the 206 million WhatsApp-linked numbers found had public profile photos. This is the second highest figure after India.

Rate-limiting is generally considered a standard method to prevent such abuse. However, researchers accused WhatsApp of failing to limit the speed or number of contact discovery requests made through the browser-based app. The paper states, "In our study, we were able to examine over 100 million phone numbers per hour, without any blocking or effective rate-limiting." This was achieved by sending millions of random numbers to WhatsApp servers via a script, which then revealed the details.

The Meta-owned platform reportedly fixed the issue in October and implemented stricter rate-limiting to prevent mass contact discovery. But these findings were first sent to WhatsApp in April 2025—meaning it's possible that other actors may have used the same scraping technique during this time.
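The control discussed above can be sketched as a per-account budget on distinct, previously unseen numbers, so that re-syncing an address book is free while sweeping a number range is cut off. This is an added example, not WhatsApp's actual defense and not code from the paper; the class name, the one-hour window, the 500-number budget and the sample numbers are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque


class DiscoveryLimiter:
    """Per-account budget on distinct, previously unseen numbers looked up."""

    def __init__(self, window=3600, budget=500):   # assumed values, not WhatsApp's
        self.window = window
        self.budget = budget
        self.recent = defaultdict(deque)   # account -> (timestamp, number) charged
        self.seen = defaultdict(set)       # account -> numbers charged in window

    def _expire(self, account, now):
        q, seen = self.recent[account], self.seen[account]
        while q and now - q[0][0] >= self.window:
            _, old = q.popleft()
            seen.discard(old)

    def allow(self, account, number, now):
        """Return True if the lookup may proceed, False if it must be refused."""
        self._expire(account, now)
        if number in self.seen[account]:
            return True                    # re-sync of a known contact costs nothing
        if len(self.seen[account]) >= self.budget:
            return False                   # budget spent: refuse without answering
        self.recent[account].append((now, number))
        self.seen[account].add(number)
        return True


def replay(limiter, events):
    """Replay (timestamp, account, number) events; return refusals per account."""
    refused = defaultdict(int)
    for ts, account, number in events:
        if not limiter.allow(account, number, ts):
            refused[account] += 1
    return dict(refused)


def constructed_events():
    """Constructed sample: one address-book sync and one sequential sweep."""
    book = [f"+000555{n:04d}" for n in range(40)]
    sync = [(t, "phone-user", book[t % 40]) for t in range(200)]
    sweep = [(t, "sweeper", f"+000777{t:05d}") for t in range(2000)]
    return sorted(sync + sweep)


if __name__ == "__main__":
    print(replay(DiscoveryLimiter(), constructed_events()))
```

Charging only for new numbers is what separates the two behaviours: the syncing account repeats the same 40 contacts and is never refused, while the sweeping account exhausts its budget after 500 distinct numbers.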

Chats are safe, meaning this is scraping, not hacking.

It's important to note that these findings don't prove that WhatsApp's end-to-end encryption has been compromised. However, even basic exposed user information, such as phone numbers, 'About' text, and profile photos, could be used to create large databases of personal information that could identify individuals.

The paper states, "If this data falls into the wrong hands, it could be used to create facial recognition-based lookup services, a 'reverse phone book,' where entering someone's photo could reveal their associated phone numbers and available metadata." It also stated that, "In addition, things visible in profile photos, such as license plates, street signs, or landmarks, can reveal a user's identity, location, or even their daily environment."

According to a report, this data wasn't just collected, but also prepared for sale on the dark web. This means that anyone anywhere in the world can create a list of active phone numbers and use it for scams. Indians recently received video calls from strange numbers like +92, +84, and +62, which is likely due to this. This means that your data may still be available on the dark web.

What does this mean for India?

India is the largest market for Meta and WhatsApp, with over 500 million monthly active users recorded last year. The researchers' discovery comes at a time when the Digital Personal Data Protection (DPDP) rules have been implemented, operationalizing the country's data-protection law, which was passed two years ago.

Under the DPDP Act, 2023, a user's phone number or email address is considered "personal data." The Act defines a "personal data breach" as "any unauthorized processing of personal data or the accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises the confidentiality, integrity, or availability of personal data."

However, the provisions of this Act do not apply to data that users themselves make public. This means that people who keep their profile photos "public" may not be protected under this law. On the other hand, there's still no way on WhatsApp to find and talk to other users without sharing a phone number (though this feature is reportedly in beta).

How to protect yourself?

Signal, a privacy-focused alternative to WhatsApp, added a feature last year that allows users to create a unique username without sharing their phone number. Users can also hide their phone number so that other users can't search for them or start a chat by number—unless they have a username. However, a phone number is still required for sign-up.

On WhatsApp, users can set their profile details to be visible only to contacts or to anyone, and also turn on "silence unknown callers" and two-step verification. WhatsApp also periodically displays in-app reminders to users to review their settings and keep privacy controls enabled. The platform has stated that it is using rate-limiting and machine-learning techniques to prevent scammers.

Wired quoted WhatsApp's Vice President of Engineering, Nitin Gupta, as saying, "We were already working on the best anti-scraping system in the industry, and this study was helpful in stress-testing and confirming the immediate effectiveness of these new defenses." He further added, "We haven't found any evidence of malicious actors abusing this vector."

It's worth noting that Meta has previously been through major scandals like Cambridge Analytica.