WhatsApp’s Usernames Option Will Help Limit Data Exposure
WhatsApp’s new usernames feature will assist in limiting data exposure by allowing users to communicate without sharing their phone numbers.
WhatsApp is preparing a major new feature that allows users to connect through unique usernames instead of sharing their phone numbers. This change mirrors popular messaging platforms like Telegram and Signal and is designed to strengthen privacy on the app.
Security Risks Behind Phone Number Identification
A significant security concern prompted this shift, according to Austrian researchers, who discovered a vulnerability in which automated scripts can scan all possible phone numbers and harvest profile information for billions of WhatsApp users.
This exposed users’ names, profile photos, and status texts, highlighting a privacy gap that had remained unaddressed for years.
Data Scraping Vulnerability Details
According to Wired’s reporting, Austrian researchers extracted data from approximately 3.5 billion users.
According to Wired:
“For about 57% of those users, they also found that they could access their profile photos, and for another 29%, the text on their profiles. Despite a previous warning about WhatsApp’s exposure of this data from a different researcher in 2017, they say, the service’s parent company, Meta, still failed to limit the speed or number of contact discovery requests the researchers could make by interacting with WhatsApp’s browser-based app, allowing them to check roughly a hundred million numbers an hour.”
Meta’s Response and Continued Risks
Meta has acknowledged this issue and imposed rate controls to slow scraping, but the risk remains. Moving to usernames reduces users’ reliance on phone numbers as identifiers, thus limiting exposure and potential misuse.
While profile information accessible via phone number matching is minimal and message content remains protected by WhatsApp’s end-to-end encryption, the vulnerability could enable the creation of extensive databases used for scams and spam.
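The gap described above was the absence of a limit on the speed or number of contact discovery requests. The sketch below is an added example, not WhatsApp’s or Meta’s actual control (the article does not describe it): a per-client sliding-window budget on distinct phone numbers looked up, so batching many numbers into one request does not bypass it and re-syncing the same address book costs nothing. The class name, thresholds, client labels and the `+999` numbers are all constructed for illustration.

```python
from collections import defaultdict, deque

class DiscoveryLimiter:
    """Sliding-window budget on *distinct* phone numbers looked up per client."""

    def __init__(self, max_distinct, window_s):
        self.max_distinct = max_distinct
        self.window_s = window_s
        self._seen = defaultdict(dict)    # client -> {number: last lookup time}
        self._order = defaultdict(deque)  # client -> (time, number), arrival order

    def _expire(self, client, now):
        seen, order = self._seen[client], self._order[client]
        while order and now - order[0][0] >= self.window_s:
            ts, number = order.popleft()
            # Forget the number only if it was not looked up again more recently.
            if seen.get(number) == ts:
                del seen[number]

    def allow(self, client, numbers, now):
        """Record the lookup and return True, or return False if over budget."""
        self._expire(client, now)
        seen = self._seen[client]
        new = {n for n in numbers if n not in seen}
        if len(seen) + len(new) > self.max_distinct:
            return False  # whole batch refused, nothing recorded
        for number in set(numbers):
            seen[number] = now
            self._order[client].append((now, number))
        return True

def simulate():
    """Constructed traffic: one ordinary client, one client walking a range."""
    lim = DiscoveryLimiter(max_distinct=500, window_s=3600)
    book = [f"+99900{i:05d}" for i in range(200)]  # constructed address book
    # Ordinary client: re-syncs the same 200 contacts every 10 minutes for a day.
    sync_ok = sum(lim.allow("phone-A", book, t) for t in range(0, 86400, 600))
    # Enumerating client: sequential numbers, 100 per batch, one batch per second.
    scanned = 0
    for t in range(60):
        batch = [f"+99901{t * 100 + i:05d}" for i in range(100)]
        if lim.allow("web-B", batch, t):
            scanned += len(batch)
    return sync_ok, scanned
```

In this constructed run, every one of the ordinary client’s syncs is accepted, while the range-walking client is cut off once it reaches the distinct-number budget.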
Usernames Offer Enhanced Control and Privacy
WhatsApp’s upcoming username system requires handles containing at least one letter, permitting lowercase letters, numbers, periods, and underscores while disallowing usernames beginning with
This feature is seen as a practical step toward safer and more private interactions on the platform, especially in group chats and business contexts where sharing phone numbers can be risky.
Username availability checks and reservation functionality are also being developed to help users secure their preferred handles ahead of launch.
Maintaining Trust and Monitoring Abuse
Meta reports no evidence yet of malicious exploitation of this data exposure but will continue monitoring and enforcing safeguards.
The username rollout represents a proactive measure to fortify user privacy and inhibit abusive data scraping practices, enhancing overall platform security.
WhatsApp has provided SMT with the following statement:
“We are grateful to the University of Vienna researchers for their responsible partnership and diligence under our Bug Bounty program. This collaboration successfully identified a novel enumeration technique that surpassed our intended limits, allowing the researchers to scrape basic publicly available information. We had already been working on industry-leading anti-scraping systems, and this study was instrumental in stress-testing and confirming the immediate efficacy of these new defenses. Importantly, the researchers have securely deleted the data collected as part of the study, and we have found no evidence of malicious actors abusing this vector. As a reminder, user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption, and no non-public data was accessible to the researchers.”
Final Thought
This update clearly reflects Meta’s ongoing efforts to protect user privacy. Also, Meta’s continuous efforts in enhancing messaging usability make WhatsApp safer for billions worldwide.