WhatsApp’s 3.5 Billion Phone Number Flaw: Why Maltese Users Must Act Now


The Critical Risk of Exposed Metadata & AI-Powered Scams

For the technology community and users across the Maltese Islands, this is not a drill. A recent, large-scale investigation uncovered a glaring security gap in the world’s most popular messaging app—WhatsApp.

While we often rely on its end-to-end encryption to protect our chats, researchers from the University of Vienna and SBA Research demonstrated that the app’s fundamental design allowed an external party to systematically harvest data from 3.5 billion active user accounts globally.

This wasn’t a sophisticated hack; it was an enumeration attack that exploited a basic, poorly-protected feature: the ‘contact discovery’ API. In essence, they queried the system at immense scale—up to 7,000 numbers per second—without ever being blocked or rate-limited by WhatsApp’s backend.
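The missing control the article describes is a per-client limit on how fast one caller may query a lookup endpoint. The following is an added illustration written for this page, not WhatsApp's backend code or the researchers' tooling: a sliding-window guard that counts contact-discovery lookups per client and refuses further queries once a threshold is crossed, replayed over a constructed log of two clients (a normal address-book sync and a bulk range walk). The client identifiers, numbers and the 100-per-minute threshold are all illustrative assumptions; the same logic applies to any lookup endpoint that answers "is this identifier registered?".

```python
from collections import defaultdict, deque


def build_sample_log():
    """Constructed log of contact-discovery lookups: (timestamp_s, client_id, number).

    Numbers are placeholder strings, not real phone numbers.
    """
    log = []
    # A normal client syncing its address book: a handful of lookups over a minute.
    for i in range(5):
        log.append((i * 12.0, "app-a", f"+000-000-00{i:02d}"))
    # A bulk client walking a number range: 200 lookups inside one second.
    for i in range(200):
        log.append((30.0 + i * 0.005, "bulk-x", f"+000-999-{i:04d}"))
    # Replay in arrival order, as a real backend would see the requests.
    log.sort(key=lambda entry: entry[0])
    return log


class EnumerationGuard:
    """Per-client sliding-window limiter for a lookup endpoint (assumed design)."""

    def __init__(self, max_lookups=100, window_seconds=60.0):
        self.max_lookups = max_lookups
        self.window = window_seconds
        self._history = defaultdict(deque)  # client_id -> lookup timestamps in window
        self.flagged = set()                # clients that exceeded the limit

    def allow(self, client_id, ts):
        """Return True if this lookup is permitted, False if the client is over the limit."""
        recent = self._history[client_id]
        # Evict timestamps that have fallen out of the window.
        while recent and ts - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_lookups:
            self.flagged.add(client_id)
            return False
        recent.append(ts)
        return True


def replay(log, guard):
    """Replay a log through the guard; returns client_id -> {"allowed": n, "blocked": n}."""
    counts = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for ts, client_id, _number in log:
        outcome = "allowed" if guard.allow(client_id, ts) else "blocked"
        counts[client_id][outcome] += 1
    return dict(counts)


if __name__ == "__main__":
    guard = EnumerationGuard(max_lookups=100, window_seconds=60.0)
    result = replay(build_sample_log(), guard)
    for client, c in result.items():
        print(f"{client}: allowed={c['allowed']} blocked={c['blocked']}")
    print("flagged clients:", sorted(guard.flagged))
```

Replayed with these settings, the address-book client passes all five lookups while the bulk client is cut off after its first hundred and lands on the flagged list, which is the signal an operator would alert on. A production guard would key on more than a bare client id (account, device, source network) and would also alert on aggregate lookup volume across many low-rate clients, since a determined scraper can spread queries over accounts.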

The Data Stolen: More Than Just a Number

The exposed information, known as metadata, is far more dangerous than it sounds. For millions of users, the following was confirmed or exposed:

  • Confirmed Active Phone Numbers
  • Profile Pictures (for over half of the exposed accounts)
  • “About” Texts (including potential social media links, nicknames, or location cues)
  • Timestamp Data (when the account was last active)

As the researchers noted, had this been exploited maliciously, it would have been the largest data leak in history. For us in Malta, where reliance on WhatsApp is extremely high, this exposure creates several immediate and long-term security headaches.

The New Wave of Threat: AI and The Phone Number

The confluence of this massive data leak with the rise of Generative AI is the major new danger. Scammers are now able to leverage this exposed data for unprecedented, hyper-targeted attacks:

1. The SIM-Swap Attack Accelerator

A phone number is the skeleton key to your digital life. SIM-Swap attacks, which are becoming more common, allow a criminal to steal your phone number by impersonating you at your mobile service provider (GO, Epic, Melita).

  • How it Works: The scammer calls the provider, armed with the exposed phone number and other collected metadata (profile picture, name from social media, etc.) to pass basic security checks.
  • The Result: Your number is ported to the criminal’s SIM card. They immediately receive all your SMS messages, including the One-Time Passwords (OTPs) needed to log into your email, bank, and WhatsApp account, often resulting in massive financial loss and identity theft.

2. Advanced AI Phishing (Vishing)

The leaked metadata is the perfect ingredient for AI-driven scams:

  • Hyper-Personalisation: AI tools can combine your exposed WhatsApp data with information scraped from other breaches or social media to craft highly realistic and personalised messages.
  • Voice/Video Scams (Vishing/Deepfakes): With just a few seconds of voice audio—which can be easily collected via other platforms—AI can clone your voice. A scammer can then call your family or contacts via your now-exposed phone number, impersonating you with startling accuracy and claiming an “urgent emergency” requiring a quick bank transfer.

3. Identity Profiling for Future Attacks

Even if you don’t fall victim today, your confirmed phone number is now tied to a confirmed profile. This metadata is permanently valuable for criminals looking to track, target, and sell your identity for years to come.

OSSMalta’s Essential Security Checklist (Actionable Steps)

We can’t change WhatsApp’s past design flaw, but we can drastically reduce our individual risk. These three steps are mandatory for all Maltese WhatsApp users:

1. Harden Your Privacy Settings (Limit Metadata)

Restricting who can see your profile data is your first line of defence against profiling:

| Setting | Path (Settings > Privacy) | Recommended Change | Why? |
|---|---|---|---|
| Profile Photo | Profile photo | My Contacts or Nobody | Prevents strangers from confirming your identity for profiling. |
| ‘About’ Text | About | My Contacts or Nobody | Prevents exposure of social links or personal location cues. |
| Groups | Groups | My Contacts | Prevents random numbers from adding you to malicious spam groups. |

2. Activate Two-Step Verification (Your Digital Vault)

This is the single most important defence against SIM-Swap and account takeover.

  • Go to Settings > Account > Two-step verification.
  • Set a unique 6-digit PIN that you do not use anywhere else. This PIN will be required whenever you register your phone number with WhatsApp. Crucially, this PIN is NOT sent via SMS.

3. SIM-Swap Prevention: Secure Your Mobile Line with Your Provider

Since the WhatsApp flaw confirmed your phone number is exposed, you need to add a security barrier before a fraudster can impersonate you. This involves asking your provider (GO, Melita, or EPIC) to apply an extra password or PIN to your mobile service account.

This request must be done manually by you.

The Request Template

Use this script when you call or visit a store. Be firm and specific about the security you require.

“I want to add an Account Password (or SIM-Swap PIN) to my mobile account, [Insert Your Mobile Number Here]. This unique PIN must be required and verified before any changes can be made to my account, including SIM replacement, SIM porting, or plan upgrades.”

“I am doing this for security reasons to protect my line against SIM-Swap fraud, which is common after data leaks.”

Maltese Mobile Provider Contact Methods

| Provider | Recommended Action & Contact Details |
|---|---|
| GO | 📞 Call: 8007 2121 / 146 (Customer Care) or visit any GO outlet. |
| Melita | 📞 Call: 2727 2727 / 100 or visit a Melita outlet. |
| EPIC | 📞 Call: 137 (landline) / 247 (mobile) or visit any Epic store. |

💡 Pro-Tip: Switching to eSIM. While not a direct countermeasure, switching to an eSIM (Electronic SIM) can make the attacker’s job marginally harder, as transfer requires a new QR code issued directly by the provider, forcing the attacker to pass the stringent security checks (like the PIN you requested above) at a store or over the phone.

The WhatsApp enumeration reminds us that convenience often comes at the expense of security. As a community, we must adopt robust security practices, treating every online identifier—especially our phone number—as highly sensitive data. Stay safe, Malta!

WarMax356 Founder