EN
A new study from the University of Vienna confirmed something every US WhatsApp user hoped would never happen. Criminals can now identify which phone numbers are actively registered on WhatsApp and match them with public profile photos and About statuses. That’s 137 million confirmed US accounts suddenly mapped, labeled and ready for exploitation.
And when 44 percent of those accounts show a public profile photo and 33 percent show a public About text, the data becomes a goldmine for scammers. A valid number plus a face plus a hint of personal detail is all a criminal needs to launch sophisticated social engineering attacks.
Below is what this means for American users today.
In a Nutshell:
• 137 million US WhatsApp numbers were confirmed as active
• 44 percent showed public profile photos and 33 percent had public About texts
• This data fuels SIM swapping, impersonation scams, and targeted phishing
• It also enables political micro-targeting and surveillance
• US users should secure WhatsApp, lock SIM permissions, and hide public profile info
SIM swapping is already a billion-dollar problem in the US. This new trove of confirmed phone numbers gives criminals a frightening head start.
A scammer only needs two things to impersonate you when calling AT&T, T Mobile, or Verizon. A working phone number and a convincing personal detail.
The leak provides both.
With a number confirmed as active on WhatsApp, plus a profile photo and a short About text revealing clues like a first name or city, criminals sound more credible to customer service agents. Once they convince a carrier to transfer your number to their SIM card, they control your calls and texts. That includes SMS based banking codes, crypto account 2FA, and password resets.
In minutes, attackers can drain accounts and lock victims out completely.
Because scammers don’t need to guess anymore. They already know your number is real.
By copying your profile picture and name and contacting your friends with “Hey it’s me, I changed numbers” messages, attackers can launch incredibly convincing WhatsApp impersonation scams.
Example of a Scam Message
Requests for urgent help, quick money transfers, or “I need your verification code” become far more believable when they come from a familiar face.
And it gets worse. US phone numbers in this leak can be cross-matched with old breaches like the 2021 Facebook scraping incident. A scammer might combine your WhatsApp photo with your full name, email, or hometown, then shift channels and attack you through SMS or email with a highly personalized phishing attempt.
Unfortunately yes. In a US election year, confirmed active numbers become a powerful targeting tool.
Political groups or foreign actors can create segmented databases of millions of verified WhatsApp users. They can push tailored misinformation directly into private chats, especially in swing states. WhatsApp’s viral forwarding structure makes this extremely effective at scale.
Even agencies monitoring activists or journalists can use these confirmed numbers to identify if a specific person uses WhatsApp and even which operating system they use. Metadata is tiny but incredibly powerful.
The good news is you can close most of these vulnerabilities with a few changes.
Enable Two-Step Verification on WhatsApp
Open WhatsApp settings then Account then Two-step verification, and create a six digit PIN. This prevents anyone from registering your number elsewhere even after a SIM swap.
Lock Down Your Mobile Carrier Account
Call your carrier and add a Port Out PIN or high security password. This makes unauthorized SIM swaps significantly harder.
Hide Your Public Profile Details
Set your profile photo, About, and Last Seen to My Contacts or Nobody. You remove the social proof that criminals depend on.
Read our guide on how to recover your WhatsApp Account.
FAQs
How did attackers get the 137 million US phone numbers
Researchers used enumeration techniques to confirm which numbers were active on WhatsApp. They did not break encryption but mapped publicly visible metadata.
Does this mean WhatsApp messages are exposed?
No. Messages remain end-to-end encrypted. The risk comes from confirmed phone numbers and public profile data.
Is every US WhatsApp user affected?
Only numbers that were active and had publicly visible details. But the scale is huge enough to matter for everyone.
Can this lead to bank account theft?
Yes. SIM swapping enabled by confirmed numbers and personal details can give criminals access to SMS based banking codes.
Should I stop using WhatsApp?
Not necessary. But you should tighten privacy settings and turn on two-factor protection immediately.
How do I stay ahead of scams like this?
Install the ScamAdviser app for real-time alerts, scam checks, and practical protection tips tailored to trending threats.
Read the full report here
