WhatsApp usernames already raise red flags regarding impersonation


WhatsApp this week I started rolling out username reservations Ahead of a wider launch planned for later this year. The feature — which lets people find and message each other by ID rather than phone number — is already raising impersonation concerns, and is under scrutiny from security experts and regulators in India, the app’s largest market, with more than 500 million users.

This rollout represents a shift in how people introduce each other on WhatsApp. Instead of relying on phone numbers as a primary identifier, users will increasingly interact through usernames managed by the platform, a change that Meta says improves privacy, but critics say could create new opportunities for impersonation.

In early tests, TechCrunch found that usernames that resemble prominent politicians, celebrities, business figures, and public organizations — including “indiamodi,” “shahrukh.actor,” “teamamitabh,” “ambanijio,” and “rbi_verify” — were still available for reservation. These include Indian Prime Minister Narendra Modi, Bollywood actors Shah Rukh Khan and Amitabh Bachchan, billionaire Mukesh Ambani’s telecom company Jio, and the Reserve Bank of India, respectively. Separately, Binance founder Changpeng Zhao He said On X he cannot reserve “cz_binance”, which is the handle he is already using on this platform.

When asked how it protects against impersonation, Meta told TechCrunch that it reserves the usernames of public figures, government agencies, and “some variations” of those names so that only the rightful owner can claim them. However, the company did not explain how it decides which similar usernames to proactively reserve and which not.

Concerns have already reached regulators in India, where online fraud schemes exist They often take advantage of messaging platforms To impersonate police, banks and government officials.

In a notice sent to WhatsApp on Wednesday and reviewed by TechCrunch, the Ministry of Electronics and Information Technology (MeitY) said the feature could “significantly increase instances of online fraud, phishing, digital arrests and impersonation attacks” by enabling bad actors to contact users without revealing their phone numbers.

The ministry also warned that usernames could facilitate the impersonation of “individuals, public authorities, financial institutions and government bodies” by allowing usernames that closely resemble the names of real people or organizations. It asked WhatsApp to explain why no regulatory action was taken under IT laws in India, and asked the company not to roll out the feature until consultations were completed.

A senior government official separately told TechCrunch that the Indian IT Ministry is aware of the issue and is engaging with WhatsApp over the feature.

This interference has drawn particular opposition from the New Delhi-based digital rights group Internet Freedom Foundation (IFF), which… He said The notice lacked a clear legal basis and risked giving the executive broad powers to dictate product design. (It’s a dilemma that operators who build in regulated markets know well: rules set on a case-by-case basis, by rhetoric, are harder to plan than rules set in public.)

The group said in a statement, “Impersonation and fraud are real dangers, but they are confronted by applying the criminal law to those who commit them.” “These are not met by MeitY deciding, secretly or via messaging, what features Indians might use.”

He repeats the hadith A Similar observation In a case related to Telegram, the Delhi High Court said that using usernames instead of phone numbers may make it easier to hide a user’s identity and spread illicit content faster. This case was not related to WhatsApp, but the similarity has resurfaced in public discussion as WhatsApp prepares for its own launch.

Privacy, trust, and platform power

Rachel Toback, CEO of SocialProof Security, called usernames a net gain for privacy because they reduce the need to share phone numbers, which can expose users to SIM swapping attacks, phishing, and account takeovers. However, she said similar usernames still create opportunities for impersonation.

“Ultimately, usernames are a great idea to avoid leaking your phone number to people you don’t know, but it’s important to verify identity using the username function as well,” Toback told TechCrunch.

Her advice for most users: Choose a username that can’t be easily guessed, so it’s harder for attackers to find you, cold-message you, or harass and spam you.

Even WhatsApp admits that usernames won’t be one-size-fits-all. In the FAQ to publish On Day X on Wednesday, the company said that most users should choose a unique username for WhatsApp. However, it also allows users to claim their existing Instagram or Facebook usernames by linking their accounts, saying the option is intended to help creators, businesses, and organizations maintain a consistent identity across Meta platforms while reducing impersonation.

The Mozilla Foundation said introducing usernames would likely lead to new trade-offs. “Increasing fraud and impersonation through fake handles is potentially significant,” she told TechCrunch. “Phone number verification can be a useful verification tool, but these harms are also allowed by fundamental design choices of the platform.”

Mozilla also flagged a broader question about interoperability — one worth checking out if you’re building on or competing with the Meta ecosystem. While allowing users to claim existing Facebook and Instagram usernames may reduce impersonation, it also shows how easily Meta can string together an identity across its own apps, even as users can’t transfer that identity, or their contacts, to a competing platform.

For now, WhatsApp says it is taking a gradual approach to the rollout. “We’re taking our time and listening to feedback so we can get it right when it rolls out later this year,” the company said in the FAQ.

When you make a purchase through the links in our articles, We may earn a small commission. This does not affect our editorial independence.

Leave a Reply

Your email address will not be published. Required fields are marked *