WhatsApp Flaw Exposed 3.5 billion User Profiles.

Researchers at the University of Vienna disclosed a critical vulnerability in WhatsApp that could have allowed malicious actors to scrape data related to an estimated 3.5 billion accounts. Meta has since patched the flaw to prevent this mass enumeration technique.

Phone Number Enumeration at Scale

The vulnerability stems from the platform’s contact discovery architecture. Users naturally discover contacts by querying WhatsApp servers with phone numbers, which inherently enables phone number enumeration. While standard rate limiting is the typical defense against this kind of abuse, the researchers developed a method that bypassed these controls.

The team reported that they were able to probe over one hundred million phone numbers per hour without encountering effective rate limiting or being blocked, confirming the platform’s high vulnerability to enumeration at scale.
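The two passages above describe the defensive gap in abstract terms: contact discovery must answer "is this number registered?", rate limiting is the usual control, and a limiter that counts raw requests rather than distinct numbers per client is easy to sweep past. The following is an added illustration (not code from the researchers, WhatsApp, or Meta) of what a defender-side control might look like: a sliding-window limiter keyed by client that counts *distinct* numbers looked up, so that a legitimate re-sync of the same address book is cheap while a sweep of fresh numbers hits the cap, plus a heuristic that flags near-sequential number ranges, which is what a generator of "plausible mobile numbers" tends to produce. The window size, the cap, the client identifiers, and the phone numbers are all constructed values chosen for the example.

```python
from collections import defaultdict, deque

# Assumed policy values for the example; a real service would tune these per region/tier.
WINDOW_SECONDS = 3600
MAX_DISTINCT_PER_WINDOW = 5000


class ContactDiscoveryGuard:
    """Per-client sliding-window limit on the number of DISTINCT phone numbers queried.

    Counting distinct numbers (not requests) means repeated syncs of the same
    contact list stay cheap, while an enumeration sweep of new numbers is capped.
    """

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_DISTINCT_PER_WINDOW):
        self.window = window
        self.limit = limit
        self._events = defaultdict(deque)                    # client -> deque[(ts, number)]
        self._counts = defaultdict(lambda: defaultdict(int))  # client -> number -> hits in window

    def _expire(self, client, now):
        """Drop events older than the window and decrement their per-number counts."""
        q, counts = self._events[client], self._counts[client]
        while q and now - q[0][0] >= self.window:
            _, number = q.popleft()
            counts[number] -= 1
            if counts[number] == 0:
                del counts[number]

    def check(self, client, number, now):
        """Return True if this lookup may proceed, False if it should be rate-limited."""
        self._expire(client, now)
        counts = self._counts[client]
        # A number already seen in the window never costs new budget (normal re-sync).
        if number not in counts and len(counts) >= self.limit:
            return False
        self._events[client].append((now, number))
        counts[number] += 1
        return True

    def distinct_in_window(self, client, now):
        self._expire(client, now)
        return len(self._counts[client])


def looks_like_sweep(numbers, max_gap=10, threshold=0.8):
    """Heuristic: a high share of near-consecutive numbers suggests generated ranges,
    not a human address book. Returns True when the sequence looks like a sweep."""
    digits = [int("".join(ch for ch in n if ch.isdigit())) for n in numbers]
    if len(digits) < 2:
        return False
    close = sum(1 for a, b in zip(digits, digits[1:]) if abs(b - a) <= max_gap)
    return close / (len(digits) - 1) >= threshold


def simulate(limit=100):
    """Constructed scenario: one client sweeps 150 fresh numbers within one window,
    then returns after the window has elapsed. Returns (allowed, denied, allowed_later)."""
    guard = ContactDiscoveryGuard(window=WINDOW_SECONDS, limit=limit)
    allowed = denied = 0
    for i in range(150):
        if guard.check("client-scanner", f"+1555{i:07d}", now=i):
            allowed += 1
        else:
            denied += 1
    allowed_later = guard.check("client-scanner", "+15559999999", now=5000)
    return allowed, denied, allowed_later


if __name__ == "__main__":
    print(simulate())  # (100, 50, True)
    sweep = [f"+1555{i:07d}" for i in range(50)]
    print(looks_like_sweep(sweep))  # True
    print(looks_like_sweep(["+15550001234", "+14155552671", "+12125550199"]))  # False
```

The distinct-number budget is the part that matters: a limiter that counts requests per second can be satisfied by many slow clients, whereas a budget on new numbers per client per hour has to be paid for every fresh identity the caller brings. The sweep heuristic is a signal for investigation rather than an automatic block, since a small business importing a numbered block of lines would also trigger it.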

To conduct their ethical study, researchers developed a technique to generate plausible mobile numbers for 245 countries, narrowing the global candidate pool to 63 billion. They then analyzed 3.5 billion WhatsApp accounts, creating one of the largest ethically studied datasets. The analysis included information such as phone numbers, timestamps, profile pictures, "about" texts, and E2EE public keys.

Long-Term Impact and Data Insights

By comparing their findings to the 2021 Facebook scraping incident, which compromised 500 million entries, the team discovered that nearly half of those numbers remain active on WhatsApp, illustrating the long-term impact of data leaks.

The analysis provided a population census, revealing insights into account activity, device types, operating system shares, and profile usage. This study highlighted the platform’s data visibility, despite its use of end-to-end encryption (E2EE) for messages.

The researchers also identified active accounts in regions where WhatsApp is officially banned, such as China, Myanmar, North Korea, and Iran, demonstrating the ineffectiveness of geographic bans. Technical analysis of the X25519 keys also revealed extensive reuse and repeated one-time prekeys across devices, suggesting potentially insecure implementations or issues with non-standard software.
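The key-reuse finding above is the kind of thing a key-server operator can audit for directly. The following is an added example, not the researchers' tooling or any Meta code, of a simple audit over a constructed set of (account, device, identity public key, one-time prekey) records: it flags an identity key shared by more than one account, a one-time prekey that appears more than once (a prekey is meant to be consumed exactly once), and degenerate key material such as an all-zero or repeated-byte value, which points at a broken random source. The record format, the account names, and the hex key values are all constructed for the example.

```python
from collections import defaultdict

X25519_HEX_LEN = 64  # 32-byte key as hex

# Constructed sample records: (account, device, identity_key_hex, one_time_prekey_hex)
K1 = "11" * 31 + "01"
K2 = "22" * 31 + "02"
ZERO = "00" * 32
P1, P2, P3, P4 = ("a1" * 31 + "01", "a2" * 31 + "02", "a3" * 31 + "03", "a4" * 31 + "04")

SAMPLE = [
    ("acct-A", "phone",  K1,   P1),
    ("acct-A", "laptop", K1,   P2),  # same identity key on the owner's own devices
    ("acct-B", "phone",  K1,   P3),  # identity key shared with a different account
    ("acct-C", "phone",  K2,   P1),  # one-time prekey P1 published a second time
    ("acct-D", "phone",  ZERO, P4),  # all-zero identity key: degenerate material
]


def is_degenerate(key_hex):
    """True for malformed keys or keys whose bytes are all identical (e.g. all zero)."""
    if len(key_hex) != X25519_HEX_LEN:
        return True
    try:
        raw = bytes.fromhex(key_hex)
    except ValueError:
        return True
    return len(set(raw)) == 1


def audit_key_reuse(records):
    """Group published keys and report the three reuse/weakness patterns.

    Returns (shared_identity, reused_prekeys, degenerate):
      shared_identity: identity key -> sorted list of distinct accounts using it
      reused_prekeys:  prekey -> list of (account, device) where it was seen
      degenerate:      list of (account, device, key) with malformed/constant bytes
    """
    identity_owners = defaultdict(set)
    prekey_seen = defaultdict(list)
    degenerate = []
    for acct, device, ik, otpk in records:
        identity_owners[ik].add(acct)
        prekey_seen[otpk].append((acct, device))
        for key in (ik, otpk):
            if is_degenerate(key):
                degenerate.append((acct, device, key))
    shared_identity = {k: sorted(v) for k, v in identity_owners.items() if len(v) > 1}
    reused_prekeys = {k: v for k, v in prekey_seen.items() if len(v) > 1}
    return shared_identity, reused_prekeys, degenerate


if __name__ == "__main__":
    shared, reused, weak = audit_key_reuse(SAMPLE)
    print("identity keys shared across accounts:", shared)
    print("one-time prekeys seen more than once:", reused)
    print("degenerate keys:", weak)
```

An identity key shared by one account's own devices is expected in a multi-device design; the signal is the same key appearing under unrelated accounts or the same one-time prekey being served twice, both of which the audit separates out.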

The researchers reported the issue to Meta gradually between 2024 and 2025. Meta acknowledged the issue but initially attempted to downplay the problem, stating that no messages, contacts, or private data were exposed and that profile details were only visible if users set them to "everyone." Meta began implementing mitigations in early September 2025, with further protections added in October.
