WhatsApp Introduces Username Feature to Hide Phone Numbers, Enhancing User Privacy
What Happened — WhatsApp began rolling out a new username system that lets users communicate without exposing their phone numbers. The feature, initially limited to a small group of early adopters, includes an optional four‑digit “username key” for added verification.
Why It Matters for TPRM —
- Reduces the risk of phone‑number‑based social engineering attacks on employees and customers.
- Introduces a new identifier that may be linked across Meta platforms, creating cross‑service privacy considerations.
- Requires organizations to update communication policies and vendor‑risk questionnaires to reflect the new contact mechanism.
Who Is Affected — Consumer messaging users, enterprises that rely on WhatsApp Business for customer support, and any third‑party vendors integrating with the WhatsApp API.
Recommended Actions —
- Review internal communication guidelines to incorporate username‑based outreach.
- Assess whether the optional username key should be mandated for inbound contacts.
- Update vendor risk assessments to capture the new identifier and its cross‑platform linkage risk.
Technical Notes — The username must be 3‑35 characters, contain only lowercase letters, numbers, periods, or underscores, and cannot start with “www.” or end with a domain suffix. Messages remain end‑to‑end encrypted; the feature is delivered via a client‑side update, not a server‑side protocol change. Source: Help Net Security
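The username rules in the Technical Notes can be enforced as a format check on intake forms or contact records. This is an added example, not WhatsApp's or Meta's code; the domain-suffix list is an assumption because the page does not enumerate the suffixes, and the username key check covers format only.

```python
import re

# Assumption: the page does not list which domain suffixes are rejected;
# this short set is illustrative only.
ASSUMED_DOMAIN_SUFFIXES = (".com", ".net", ".org", ".io")

_ALLOWED = re.compile(r"[a-z0-9._]*")  # lowercase letters, numbers, '.', '_'
_KEY = re.compile(r"[0-9]{4}")         # optional four-digit username key


def username_violations(username, suffixes=ASSUMED_DOMAIN_SUFFIXES):
    """Return the stated rules that `username` breaks (empty list if none)."""
    problems = []
    if not 3 <= len(username) <= 35:
        problems.append("length must be 3-35 characters")
    if not _ALLOWED.fullmatch(username):
        problems.append("only lowercase letters, numbers, periods, underscores")
    if username.startswith("www."):
        problems.append("must not start with 'www.'")
    if username.endswith(tuple(suffixes)):
        problems.append("must not end with a domain suffix")
    return problems


def check_contact(username, key=None):
    """Check an inbound contact record: username plus optional key format."""
    problems = username_violations(username)
    if key is not None and not _KEY.fullmatch(key):
        problems.append("username key must be exactly four digits")
    return problems


# Constructed sample records (not real accounts).
SAMPLES = [
    ("acme_support", "4821"),
    ("Acme.Support", None),
    ("www.acme_help", "12a4"),
    ("acme.com", None),
    ("ab", "0000"),
]

if __name__ == "__main__":
    for name, key in SAMPLES:
        print(name, key, check_contact(name, key) or "ok")
```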