
WhatsApp this week began rolling out username reservations ahead of a broader launch planned for later this year. The feature lets people find and message each other using a handle instead of a phone number. Within days, it has triggered serious concerns about impersonation, with security researchers and government regulators in India already pushing back.
India is WhatsApp’s largest market, with over 500 million users. That scale makes what happens there matter far beyond its borders. As TechCrunch reported, early testing found usernames resembling high-profile public figures and institutions were still available to reserve, including handles referencing Indian Prime Minister Narendra Modi, Bollywood stars Shah Rukh Khan and Amitabh Bachchan, billionaire Mukesh Ambani’s telecom brand Jio, and the Reserve Bank of India. Separately, Binance founder Changpeng Zhao said on X that he could not reserve “cz_binance,” the handle he already uses on that platform.
The core tension here is not a simple one. Moving away from phone numbers as the primary identifier gives users a real privacy benefit. But it also opens a door that bad actors will absolutely try to walk through.
Meta says it proactively reserves usernames for public figures, government bodies, and “some variations” of those names so only legitimate owners can claim them. What the company has not explained is how it decides which lookalike usernames get reserved and which do not. That gap is exactly what has drawn scrutiny.
India’s Ministry of Electronics and Information Technology (MeitY) sent a formal notice to WhatsApp on Wednesday. The ministry warned that the feature could:
- Increase online fraud, phishing, and impersonation attacks by allowing contact without exposing phone numbers
- Enable bad actors to pose as individuals, financial institutions, and government agencies using similar-looking handles
- Worsen the existing problem of “digital arrest” scams, where fraudsters impersonate police or officials
The ministry directed WhatsApp to explain why regulatory action should not be taken under India’s IT laws, and asked the company to pause the rollout until consultations were complete.
That intervention has itself drawn criticism. The Internet Freedom Foundation (IFF), a digital rights group based in New Delhi, said the notice lacked a clear legal basis and risked giving the government broad, informal power over product design. “Impersonation and fraud are real risks, but they are met by enforcing the criminal law against those who commit them,” the group said. “They are not met by MeitY deciding, in private and by letter, what features Indians may use.” It is a fair point about process, even if the underlying concern is legitimate.
The debate has echoes elsewhere. In a case involving Telegram, the Delhi High Court noted that usernames instead of phone numbers could make it easier to hide identity and spread harmful content faster. That ruling was not about WhatsApp, but the parallel has resurfaced in public discussion now that WhatsApp is preparing its own launch.
Security experts are split on where the balance falls. Rachel Tobac, CEO of SocialProof Security, called usernames a net privacy gain because they reduce the need to share phone numbers, which can expose users to SIM-swap attacks and account takeovers. But she was clear that lookalike handles remain a real risk. Her advice to users is practical: pick a username that is not easily guessable, so it is harder for attackers to find you or target you with spam.
WhatsApp is also letting users claim their existing Instagram or Facebook usernames by linking accounts. The company says this is meant to help creators, businesses, and organizations keep a consistent identity across Meta’s apps and cut down on impersonation. The Mozilla Foundation pointed out that this move highlights something worth paying attention to: Meta can connect identity across its own platforms with relative ease, even as users still cannot take that identity, or their contacts, anywhere else.
Mozilla also flagged that phone number verification, for all its flaws, is a useful trust signal. Removing it from the equation does not make fraud easier to commit in a technical sense, but it does remove one more friction point that sometimes slows bad actors down.
For now, WhatsApp says it is being deliberate about the rollout. “We’re taking our time and listening to feedback so that when it rolls out later this year we get it right,” the company said in a FAQ posted on X. Whether that careful pace is enough to address the concerns regulators and security researchers have already raised is a question the company will have to answer in the months ahead.