WhatsApp this week began holding username reservations ahead of a wider rollout planned for later this year. The feature – which allows users to find and message each other with a handle instead of a phone number – is already raising concerns about impersonation, drawing scrutiny from security experts and regulators in India, the app’s biggest market, with more than 500 million users.
The launch marks a change in the way people recognize each other on WhatsApp. Instead of relying on phone numbers as a primary identifier, users will increasingly interact through platform-managed usernames, a change that Meta says improves privacy, but critics argue could create new opportunities for impersonation.
In early tests, TechCrunch found that usernames resembling prominent politicians, celebrities, business figures, and public institutions — including “indiamodi,” “shahrukh.actor,” “teamamitabh,” “ambanijio,” and “rbi_verify” — were still available for booking. These refer to Indian Prime Minister Narendra Modi, Bollywood actors Shah Rukh Khan and Amitabh Bachchan, billionaire Mukesh Ambani’s telecom company Jio and the Reserve Bank of India, respectively. Separately, Binance founder Changpeng Zhao he said to X that he could not reserve “cz_binance”, the handle he already uses on this platform.
Asked how it protects against impersonation, Meta told TechCrunch that it reserves usernames for public figures, government entities and “certain variations” of those names so that only the rightful owner can claim them. The company didn’t explain, however, how it decides which similar usernames are proactively blocked and which aren’t.
Concerns have already reached regulators in India, where cyber fraud schemes exist messaging platforms are often exploited impersonate the police, banks and government officials.
In a notice sent to WhatsApp on Wednesday and reviewed by TechCrunch, the Ministry of Electronics and Information Technology (MeitY) said the feature could “significantly increase the incidence of online fraud, phishing, digital capture scams and impersonation attacks” by allowing bad actors to contact users without revealing their phone numbers.
The ministry also warned that usernames could facilitate the impersonation of “natural persons, public authorities, financial institutions and government agencies” by allowing usernames that closely resemble those of real people or organizations. It directed WhatsApp to explain why regulatory action should not be taken under India’s IT laws and asked the company not to roll out the feature until consultations are complete.
A senior government official separately told TechCrunch that India’s IT ministry is aware of the issue and is working with WhatsApp on the feature.
That intervention prompted its own push from the New Delhi-based digital rights group Internet Freedom Foundation (IFF), which he said the announcement lacked a clear legal basis and risked giving the executive branch broad powers to dictate product design. (It’s a dilemma that operators building in regulated markets know well: Rules that are created on a case-by-case basis, by letter, are harder to design than rules that are openly enacted.)
“Impersonation and fraud are real risks, but they are addressed by enforcing the criminal law against those who commit them,” the group said in a statement. “They are not met by MeitY to decide, privately and by letter, what features Indians may use.”
The discussion resonates a similar observation the Delhi High Court made a case involving Telegram where the court said that using usernames instead of phone numbers could make it easier to hide users’ identities and spread illegal content faster. That case wasn’t about WhatsApp, but the parallel has resurfaced in the public debate as WhatsApp prepares its own launch.
Privacy, trust and platform power
Rachel Tobac, CEO of SocialProof Security, called usernames a net privacy win because they reduce the need to share phone numbers, which can expose users to SIM-swapping attacks, phishing and account takeovers. However, he said, similar usernames still create opportunities for impersonation.
“Ultimately, usernames are a great idea to avoid leaking your phone number to people you don’t know, but it’s important to verify identity with the username feature as well,” Tobac told TechCrunch.
Her advice for most users: Choose a username that’s not easily guessed, so it’s harder for attackers to find you, cold message you, or harass and spam you.
Even WhatsApp acknowledges that usernames will not be uniform. In a FAQ was posted at X on Wednesday, the company said most users should choose a username unique to WhatsApp. However, it also allows users to claim their existing Instagram or Facebook usernames by linking their accounts, saying the option is intended to help creators, businesses and organizations maintain a consistent identity across Meta’s platforms while reducing impersonation.
The Mozilla Foundation said the introduction of usernames is likely to bring new compromises. “Increased fraud and impersonation from fake handles is potentially big,” he told TechCrunch. “Checking a phone number can be a useful verification tool, but these vulnerabilities are also enabled by the platform’s fundamental design choices.”
Mozilla also pointed to a broader question of interoperability — one worth capturing if you’re building on or competing with the Meta ecosystem. While allowing users to claim their existing Facebook and Instagram usernames can reduce impersonation, it also shows how easily Meta can blend identity into its own apps, even when users still can’t transfer that identity or their contacts to a rival platform.
For now, WhatsApp says it’s taking a phased approach to the rollout. “We’re taking our time and listening to feedback so that when it launches later this year we get it right,” the company said in its FAQ.
When you purchase through links in our articles, we may earn a small commission. This does not affect our editorial independence.
