WhatsApp Security Flaw Exposed 3.5 Billion User Phone Numbers

Ring ring.
Lily Morris
Contributing Writer

Researchers from the University of Vienna have demonstrated how WhatsApp’s contact discovery feature can be used to collect data on a large portion of the platform’s users.

By running billions of phone numbers through WhatsApp’s web interface, the team identified 3.5 billion registered accounts and gathered the associated public-facing data, such as profile photos and “About” texts, for many of them. The method simply automated a standard lookup function that, at the time, was not protected by effective rate limits.

The researchers reported their findings to Meta in April 2025, and rate-limiting controls were introduced in October 2025. Meta acknowledged the issue, stating that no private messages or non-public data were accessed and that user privacy settings were functioning as designed.

The data collection was conducted for research purposes under Meta’s bug bounty program. According to the researchers, however, the lack of technical barriers suggested that similar collection efforts could have taken place undetected.

Why It Matters: The study illustrates how a standard platform feature can be used to gather large volumes of user data when safeguards such as rate limits are not in place. Even if the data is public by default, the ability to compile it across an entire user base changes how that data can be used and distributed.

  • Automated Lookups Revealed Billions of Accounts: The researchers developed a method to enter phone numbers into WhatsApp’s contact discovery system, which responded by confirming whether an account existed. In many cases, this response included profile images and “About” texts. The team was able to scan approximately 100 million numbers per hour using WhatsApp’s web interface, ultimately identifying 3.5 billion registered accounts.
  • Similar Issue Reported in 2017: A Dutch researcher identified a comparable method eight years earlier and described how it could be used to collect user metadata. Meta responded at the time by pointing to user-controlled privacy settings and did not classify the finding as a security vulnerability. The Vienna researchers reported that those settings did not prevent mass enumeration and that technical restrictions, such as rate-limiting, were not enforced until 2025.
  • Data Visibility Varied by Country and User Preferences: Public profile data appeared in different proportions depending on the region. In India, 62% of accounts showed profile photos, while Brazil had a similar rate at 61%. In the United States, 44% of users displayed photos and 33% included visible “About” texts. The study also identified millions of WhatsApp users in countries where the app is restricted or banned, including 2.3 million in China and 1.6 million in Myanmar.
  • Encryption Key Findings Linked to Third-Party Clients: The researchers also examined the cryptographic keys used in WhatsApp’s end-to-end encryption system. They found duplicated keys and some set to all zeroes, which they believe originated from unofficial WhatsApp clients that do not generate keys properly, weakening end-to-end encryption for the accounts involved. The keys in question appeared most often in accounts that also showed signs of being used for spam or fraud.
  • Meta Introduced Controls Following Responsible Disclosure: After receiving the researchers’ report, Meta introduced rate-limiting measures and anti-scraping protections in October. The company credited the research with helping test the effectiveness of new defenses and stated that no non-public information was at risk. The researchers noted that their access had not triggered any defenses and that others could have used similar techniques without detection in the past.
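The two controls the story turns on, a per-client rate limit on the lookup endpoint and a way to tell an address-book sync apart from a sequential scan, are simple to sketch. The following is an added example, not WhatsApp’s or Meta’s code: a sliding-window limiter plus a sequential-enumeration heuristic, replayed over a constructed lookup log containing one legitimate sync and one scanner. The window, budget and thresholds are illustrative assumptions.

```python
"""Added example (not WhatsApp's or Meta's code): a sliding-window rate limit
plus a sequential-enumeration heuristic for a contact-discovery endpoint,
exercised on constructed lookup records. All thresholds are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Lookup:
    ts: float      # seconds since an arbitrary epoch
    client: str    # authenticated session performing the lookup
    number: str    # E.164 number queried, digits only


# Assumed budget: a full address-book sync fits comfortably, a scan does not.
WINDOW_SECONDS = 3600
MAX_LOOKUPS_PER_WINDOW = 500


class SlidingWindowLimiter:
    """Per-client sliding log: at most `limit` lookups in any `window` seconds."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_LOOKUPS_PER_WINDOW):
        self.window = window
        self.limit = limit
        self._history = defaultdict(deque)

    def allow(self, client, ts):
        q = self._history[client]
        while q and ts - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def sequential_share(numbers):
    """Fraction of adjacent pairs (after sorting) that differ by exactly 1.
    Real address books are scattered across ranges; an enumerator walks them."""
    nums = sorted(set(int(n) for n in numbers))
    if len(nums) < 2:
        return 0.0
    consecutive = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
    return consecutive / (len(nums) - 1)


def looks_like_enumeration(lookups, min_requests=50, seq_threshold=0.8):
    """Flag a client whose lookups in one window are mostly consecutive numbers."""
    if len(lookups) < min_requests:
        return False
    return sequential_share(l.number for l in lookups) >= seq_threshold


def review_log(lookups):
    """Replay a lookup log through the limiter and the heuristic.
    Returns {client: {"allowed": n, "throttled": n, "enumeration": bool}}."""
    limiter = SlidingWindowLimiter()
    per_client = defaultdict(list)
    summary = defaultdict(lambda: {"allowed": 0, "throttled": 0, "enumeration": False})
    for rec in sorted(lookups, key=lambda r: r.ts):
        per_client[rec.client].append(rec)
        key = "allowed" if limiter.allow(rec.client, rec.ts) else "throttled"
        summary[rec.client][key] += 1
    for client, recs in per_client.items():
        summary[client]["enumeration"] = looks_like_enumeration(recs)
    return dict(summary)


def constructed_log():
    """Constructed sample (not real traffic): one client syncing a scattered
    address book, one client walking a number block at ten lookups per second."""
    sync = [Lookup(ts=i * 5.0, client="sync-user",
                   number=str(14155550000 + i * 37)) for i in range(120)]
    scan = [Lookup(ts=i * 0.1, client="scanner",
                   number=str(12125550000 + i)) for i in range(1000)]
    return sync + scan


if __name__ == "__main__":
    for client, verdict in review_log(constructed_log()).items():
        print(client, verdict)
```

Running it shows the sync client passing untouched while the scanner is cut off after the assumed budget of 500 lookups and flagged as an enumerator. The point the research makes is that neither control existed on the endpoint for years; the limiter alone would have capped the reported 100 million lookups per hour to a few hundred per session, and the heuristic gives the defender a signal even before the budget is exhausted.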

Go Deeper -> A Simple WhatsApp Security Flaw Exposed 3.5 Billion Phone Numbers – WIRED

Meta Expands WhatsApp Security Research with New Proxy Tool and $4M in Bounties This Year – The Hacker News
