I Scanned a QR Code and It Stole My Contacts: What to Do
First, the important part: scanning a QR code alone cannot pull your contacts out of your phone. The realistic risk is that the QR code opened a website or app that asked for contacts permission, or tricked you into logging in somewhere that can sync your address book.
What probably happened
A QR code is just a shortcut to information, usually a URL. It does not have special access to your phone. Contacts become exposed only after another action:
- A website asked for contacts access. Some identity, invite, or "find friends" flows ask your browser for contacts permission. If you tapped Allow, the site may have received contact names, emails, or phone numbers.
- You installed an app after scanning. A fake app can request Contacts permission later. If you allowed it, the app may have uploaded your address book.
- You logged in to a compromised account. Email and social accounts can contain address books. If the QR page stole those credentials, the attacker may use your contacts from that account.
For app-install scenarios, see what to do if a QR code installed an app.
Immediate steps
- Revoke Contacts permission. On iPhone, open Settings, Privacy & Security, Contacts. On Android, open Settings, Apps, choose the app, Permissions, Contacts.
- Uninstall suspicious apps. Remove anything installed after the scan unless you are sure it came from a trusted developer and needed contacts access.
- Change passwords you entered after scanning. Start with email, social, banking, and payment apps.
- Check sent messages. Look for texts, emails, or social DMs that you did not send. If you see them, secure that account immediately.
- Warn close contacts if spam starts. A short warning can stop friends or coworkers from trusting a follow-up scam sent in your name.
Our full recovery guide covers the broader sequence: what to do if you scanned a suspicious QR code.
When to treat it as serious
Treat the incident as higher risk if:
- You tapped Allow on a contacts permission prompt
- You installed an app and granted Contacts, SMS, Accessibility, or Notification access
- Friends received messages from you that you did not send
- You entered email, social, payment, or phone-carrier credentials on the page
If none of those happened, the scan likely did not expose your contacts. Close the page and avoid returning to it.
Frequently asked questions
Can a QR code steal contacts by itself?
No. A QR code can open a URL or other encoded data. Contacts exposure requires a permission grant, app install, or compromised account.
What if people in my contacts received spam?
Secure the account that appears to be sending the messages, change its password, enable multi-factor authentication, and warn the affected contacts not to click links.
Should I factory reset my phone?
Usually no. Start by revoking permissions and removing suspicious apps. Consider a reset only if symptoms continue or a security professional recommends it.
Preview QR links before opening them
QRsafer checks the destination before the page loads, helping you avoid fake permission and app-install flows.
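One way to preview a decoded QR payload before anything opens, as an added example (not QRsafer's code and not part of the original article): it classifies the payload and lists warning signs without making any network request. The function name, the scheme list, and the warning heuristics are assumptions chosen for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed list of schemes that hand off to an app store or installer.
APP_INSTALL_SCHEMES = {"market", "intent", "itms-services"}

def preview_qr_payload(payload: str) -> dict:
    """Describe a decoded QR payload without fetching or opening it."""
    report = {"kind": "text", "host": None, "warnings": []}
    warn = report["warnings"].append
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        warn("malformed URL")
        return report
    scheme = parts.scheme.lower()
    if scheme in APP_INSTALL_SCHEMES:
        report["kind"] = "app-link"
        warn("opens an app store or app-install flow")
        return report
    if scheme not in ("http", "https"):
        # tel:, mailto:, WIFI: and plain text do not load a web page
        report["kind"] = scheme or "text"
        return report
    report["kind"] = "url"
    host = (parts.hostname or "").lower()
    report["host"] = host
    if not host:
        warn("no host in URL")
        return report
    if scheme == "http":
        warn("not HTTPS")
    if parts.username or parts.password:
        warn("text before '@' is not the site; real host is " + host)
    try:
        ipaddress.ip_address(host)
        warn("host is a raw IP address, not a domain name")
    except ValueError:
        if any(label.startswith("xn--") for label in host.split(".")):
            warn("punycode host: may imitate another domain's spelling")
    try:
        if parts.port not in (None, 80, 443):
            warn(f"non-standard port {parts.port}")
    except ValueError:
        warn("invalid port")
    return report

if __name__ == "__main__":
    # Constructed sample payload, not taken from a real QR code.
    print(preview_qr_payload("https://accounts.example.com@203.0.113.7/login"))
```

A clean report does not prove a page is safe; it only shows where the code leads so you can decide before any permission prompt or login form appears.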
