Massive WhatsApp Data Exposure Impacts 75 Crore Indian Users
In a startling revelation that has raised serious privacy concerns, security researchers have successfully scraped phone numbers linked to over 3.5 billion active WhatsApp accounts worldwide, with India bearing the brunt of this exposure. The study, published on November 18, 2025, reveals that approximately 750 million (75 crore) Indian users had their data compromised, making India the most affected country globally.
How Researchers Harvested User Data
The security breach was executed by a team of computer scientists from the University of Vienna in Austria, who exploited WhatsApp's contact-discovery feature. This functionality, which allows users to see if their contacts are registered on WhatsApp, became the gateway for large-scale data harvesting.
The researchers managed to extract publicly displayed profile photos of 62% Indian users, amounting to approximately 46.5 crore people. Beyond photos, the data scraping included other sensitive profile information such as 'About' text, companion-device usage patterns, and business account details.
What makes this discovery particularly alarming is the scale and speed at which the researchers operated. They were able to probe over a hundred million phone numbers per hour without encountering effective blocking or rate-limiting measures from WhatsApp's security systems.
Timing and Legal Implications
These findings emerge at a critical juncture for India's digital privacy landscape, coming just days after the notification of the Digital Personal Data Protection (DPDP) rules. The timing highlights the ongoing challenges in implementing effective data protection measures despite legislative progress.
Under the DPDP Act, 2023, a user's phone number qualifies as digital personal data, and unauthorized processing constitutes a personal data breach. However, the law contains a significant loophole: it does not protect data that users have made publicly available through their privacy settings.
Meta, WhatsApp's parent company, declined to comment on the research findings when approached by The Indian Express. The company has since addressed the vulnerability, implementing stricter rate-limiting measures in October 2025 to prevent similar mass-scale contact discovery attempts.
Potential Risks and Consequences
The exposed data, while seemingly basic, creates substantial privacy risks. According to the research paper, malicious actors could use this information to create facial recognition-based lookup services - essentially functioning as a "reverse phone book" where individuals can be identified through their profile pictures.
The risks extend beyond facial recognition. Profile photos often contain additional sensitive elements such as license plates, street signs, or recognizable landmarks that could enable sophisticated profiling and reveal a user's identity, location, or daily environment.
Although WhatsApp's end-to-end encryption remains uncompromised, the exposure of basic user details creates significant vulnerabilities. The researchers first alerted WhatsApp about their findings in April 2025, suggesting that other actors might have exploited the same technique during the intervening months.
Protecting Your WhatsApp Privacy
Users concerned about their privacy can take several protective measures. WhatsApp currently allows users to restrict who can see their profile information through privacy settings. Users can choose to make their profile details accessible only to their contacts or to nobody.
For those seeking alternatives, privacy-focused messaging apps like Signal offer additional protection features. Signal allows users to create unique usernames instead of sharing phone numbers and provides options to hide phone numbers from other users.
WhatsApp has stated that it's implementing various defenses against scrapers, including rate-limiting and machine-learning techniques to identify and ban malicious actors. The company claims to have found no evidence of malicious actors abusing this particular data scraping method.
As India continues to be WhatsApp's largest market with over 700 million monthly users, this incident underscores the critical need for robust digital privacy practices and continuous security improvements from technology platforms.
