WhatsApp usernames are already raising impersonation red flags
Meta wants you to believe usernames are a privacy upgrade. They're not. They're a containment breach waiting to happen, and the company knows it.
This week's rollout — still in limited reservation phase ahead of a broader launch — lets WhatsApp's 2.7 billion users ditch phone numbers for handles. On paper, it's a win: no more handing your digits to a Craigslist seller or a Tinder date. In practice, it's a gift to every scammer, impersonator, and social engineer who's ever dreamed of sliding into your DMs pretending to be your bank, your boss, or the Prime Minister of India.
The evidence is already in the wild. TechCrunch found indiamodi
, shahrukh.actor
, teamamitabh
, ambanijio
, and rbi_verify
all available for reservation. That's the Indian Prime Minister, two Bollywood icons, the country's largest telecom, and its central bank — all up for grabs. Binance founder Changpeng Zhao couldn't even snag cz_binance
, the handle he owns on X. If a billionaire crypto CEO can't protect his own name, what hope does your grandmother have?
The privacy theater
Meta's defense is rehearsed: usernames improve privacy by decoupling identity from phone numbers. It's the same logic that brought us Instagram handles, Facebook vanity URLs, and Twitter's verification chaos. But WhatsApp isn't a social network. It's messaging infrastructure. The mental model users carry — this number is this person — has been hardened by fifteen years of design. Usernames break that model without replacing it with anything verifiable.
Phone numbers have built-in friction. They're tied to SIM cards, KYC requirements, and carrier records. A scammer can burn through numbers, but each one costs money and leaves a trail. Usernames? Free, instant, and disposable. Meta says it's reserving handles for public figures and some variations
— but won't say which variations, how it decides, or what happens when the inevitable collisions occur. That's not a policy. That's a press release.
India's regulator has a point, even if its methods are suspect
India's Ministry of Electronics and Information Technology (MeitY) fired off a notice Wednesday warning the feature could materially increase the incidence of online fraud, phishing, digital arrest scams and impersonation attacks.
They're not wrong. Digital arrest scams — where fraudsters pose as police or customs officials to extort victims — have exploded across India. Removing the phone number requirement doesn't just lower the barrier; it removes the only reliable signal victims have that something's off.
But MeitY's demand that WhatsApp pause the rollout until consultations were completed
carries its own stench. The Internet Freedom Foundation rightly called out the notice's shaky legal basis and the danger of letting the executive dictate product design. This is the same government that pushed traceability mandates threatening end-to-end encryption. Their concern for user safety is real — but so is their appetite for control.
Meta's pattern: ship first, apologize later
We've seen this movie. Facebook's real-name policy. Instagram's verification mess. Threads' missing controls. WhatsApp's own view-once media bypass. Meta consistently treats safety as a PR problem to be managed after launch, not an engineering constraint to be solved before. The username rollout follows the same script: announce a privacy win, downplay the abuse vectors, let regulators and journalists find the holes, then issue a carefully worded statement about ongoing investments.
The company had years to build a verification system that works. Twitter's blue-check chaos proved that verification at scale is hard — but it also proved that no verification is worse. WhatsApp could have tied usernames to government IDs, business registrations, or a decentralized identity layer. It chose none of the above.
The feature nobody asked for
Here's the uncomfortable question: who actually wants this? Power users managing multiple numbers? Maybe. Businesses already have the Business API. Regular users? They've spent a decade memorizing contacts by name, not handle. The username shift serves Meta's platform ambitions — making WhatsApp more like Discord, more like a social graph it can monetize — not user needs.
And that's the tell. If this were truly about privacy, Meta would have built in verification from day one. It would have reserved not just indiamodi
but indiamodi1
, indiamodi_
, pm_modi
, and every other permutation a scammer would try. It would have a public, auditable process for claiming official handles. Instead, it built a land rush and called it a feature.
What happens next
MeitY will likely extract concessions — a pause, a working group, a promised India-first
safety layer. Meta will comply just enough to keep its largest market happy. The feature will launch globally with marginal improvements. Impersonation reports will spike. A few high-profile scams will make headlines. Meta will announce new reporting tools. The cycle completes.
Meanwhile, the fundamental asymmetry remains: creating a deceptive username takes seconds. Proving you're not that username takes weeks of support tickets. Your mother will get a message from sbi_support_official
asking for her OTP. She'll lose her savings. Meta will express regret.
Usernames on WhatsApp aren't a privacy feature. They're an identity vacuum. And Meta just opened the door.