
A recent discovery has raised questions about how messaging platforms handle user data and the privacy of identification systems. Researchers revealed potential exposure risks affecting users, operators, and service providers. MEF CEO Dario Betti discusses why these findings highlight the importance of stronger protections and industry collaboration.

Meta tightens rate limits after academic team demonstrates “most extensive exposure” of numbers ever documented.

A weakness in WhatsApp’s contact discovery system allowed researchers to enumerate 3.5 billion phone numbers registered on the platform, along with the associated profile photos and “about” text of hundreds of millions of users worldwide.

The exposure, detailed in research from the University of Vienna and first reported by WIRED, highlights the ongoing privacy and security risks of using phone numbers as global identifiers in messaging apps – and raises pressing questions for operators, messaging providers, and regulators across the mobile ecosystem.

How the flaw worked

WhatsApp’s growth has been driven in part by frictionless onboarding: users sign up with a phone number, and the app automatically checks their address book to see which contacts are already on the service.


The University of Vienna team showed that this same mechanism could be abused at global scale. By feeding tens of billions of possible phone numbers into WhatsApp’s web-based client, they were able to:

  • Identify 3.5 billion valid WhatsApp accounts
  • Collect profile photos for ~57% of those numbers
  • Collect public “about” text for ~29% of those numbers

Crucially, this was achieved without bypassing protections or exploiting a deep technical vulnerability. The app simply did not sufficiently limit how many numbers could be queried, or how quickly: no meaningful rate-limiting was in place for the browser-based interface.

The researchers estimate they could check around 100 million numbers per hour, turning a standard contact discovery feature into a de facto global phone-number census for WhatsApp users.
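The control the article says was missing is a per-client cap on lookups. The sketch below is an added example (not WhatsApp’s or the researchers’ code) of a quota that counts phone numbers rather than requests over a rolling window; the 5,000-per-hour cap and both timelines are constructed for illustration.

```python
"""Per-client quota on contact-discovery lookups (added example)."""
from collections import deque


class LookupQuota:
    """Counts the phone numbers each client submits for contact discovery
    inside a rolling window and rejects any batch that would exceed the
    cap. Counting numbers rather than requests means that splitting a
    bulk query into many small batches buys an enumerator nothing."""

    def __init__(self, max_numbers: int, window_seconds: float):
        self.max_numbers = max_numbers
        self.window = window_seconds
        # client_id -> deque of (timestamp, numbers_in_batch), oldest first
        self._history: dict[str, deque] = {}

    def used(self, client_id: str, now: float) -> int:
        """Numbers this client has looked up within the current window."""
        hist = self._history.setdefault(client_id, deque())
        while hist and now - hist[0][0] >= self.window:
            hist.popleft()  # batch has aged out of the window
        return sum(n for _, n in hist)

    def allow(self, client_id: str, batch_size: int, now: float) -> bool:
        """Admit the whole batch or reject it whole; a partially served
        batch would still reveal which numbers are registered."""
        if self.used(client_id, now) + batch_size > self.max_numbers:
            return False
        self._history[client_id].append((now, batch_size))
        return True


def scraper_scenario(quota: LookupQuota) -> list[bool]:
    """Constructed timeline: one client submits 1,000 numbers every 10 s,
    then tries once more an hour after its first batch."""
    times = [0.0, 10.0, 20.0, 30.0, 40.0, 50.0, 3600.0]
    return [quota.allow("bulk-client", 1000, t) for t in times]


def address_book_scenario(quota: LookupQuota) -> list[bool]:
    """Constructed timeline: a genuine user syncs an 800-contact address
    book, then 20 newly added contacts ten minutes later."""
    return [quota.allow("phone-A", 800, 0.0),
            quota.allow("phone-A", 20, 600.0)]
```

With the cap set at 5,000 numbers per hour, the address-book sync passes untouched while the sixth bulk batch is refused and the client only regains headroom once its first batch ages out of the window.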

They describe it as the most extensive exposure of phone numbers and related user data ever documented, noting that if collected by malicious actors instead of academics, it would likely have been framed as one of the largest data leaks in history.

Meta’s response – “basic publicly available information”

The researchers disclosed their findings to Meta (WhatsApp’s parent company) in April 2025 and say they subsequently deleted the dataset. Meta confirmed it has now fixed the enumeration issue by adding stricter rate-limiting and other anti-scraping controls, and said it has no evidence that the technique was abused by malicious actors. The company characterised the exposed data as “basic publicly available information”, pointing out that no data was collected for users who had tightened their privacy settings, and emphasising that the end-to-end encryption of messages was not affected.

Meta maintains it has been rolling out evolving anti-scraping systems over time (including machine learning-based detection and rate limits), but the Vienna team was still able to perform a full-scale global enumeration in 2024–25.

Global exposure – with real-world risks

The dataset highlights not just the scale but the geography of WhatsApp’s exposure:

  • United States: Among 137 million US numbers, around 44% displayed a profile photo, and 33% showed public “about” text.
  • India: Out of nearly 750 million enumerated numbers, 62% had publicly visible profile photos.
  • Brazil: Of 206 million Brazilian numbers, 61% exposed photos.

The researchers also found millions of registered WhatsApp numbers in countries where the app is officially banned, including:

  • 2.3 million numbers in China
  • 1.6 million numbers in Myanmar

In such jurisdictions, an enumeration capability could be used by state actors to identify and track people using “illegal” communication tools, with potentially severe consequences. Reporting from rights groups and media has previously documented cases where individuals – including Muslims in China – were detained simply for having WhatsApp installed.

At a more everyday level, the exposed data is a goldmine for scammers and spammers, who benefit from:

  • A high-confidence list of active mobile numbers
  • Visibility into profile photos (for social engineering and impersonation)
  • Public “about” text that can help personalise attacks

Phone numbers are not secret identifiers

Beyond rate limits, the Vienna team stresses a more fundamental design issue: phone numbers are a poor choice as the primary identifier for services at global scale.

Phone numbers follow predictable patterns (country codes, operator ranges, length) and exist within a finite, enumerable space. They are also reused and reassigned over time.

For a service used by more than a third of the world’s population, relying on phone numbers as both an identifier and a de facto “secret” makes it inherently vulnerable to mass enumeration unless highly effective, constantly maintained anti-scraping defences are in place – and even then, controls can lag behind new techniques.

WhatsApp has started testing a username feature in beta, which could, if implemented carefully, offer a more privacy-preserving alternative to phone numbers as the primary discovery key.

Cryptographic oddities and third-party clients

In a further analysis, the researchers examined the public encryption keys associated with the 3.5 billion accounts as part of WhatsApp’s end-to-end encryption protocol. They observed:

  • Numerous instances of duplicate keys shared across multiple accounts
  • Some keys reused hundreds of times
  • At least 20 US numbers using an all-zero key, an obvious red flag

While this sounds alarming, the team believes these issues are most likely tied to unauthorised or modified WhatsApp clients used by scammers and other actors, rather than a systemic flaw in WhatsApp’s core encryption implementation. Nonetheless, it underscores the broader risk of unofficial clients in the messaging ecosystem – something mobile operators and OEMs increasingly have to account for in security and fraud strategies.
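The key-level anomalies described above are straightforward to check for across a population of accounts. The following is an added example (not the researchers’ tooling) that flags all-zero keys, keys shared by more than one account and malformed keys; it assumes raw 32-byte Curve25519 identity keys in hex, and the account records are constructed.

```python
"""Audit account -> identity-key records for shared and all-zero keys
(added example; records are constructed, not WhatsApp data)."""
from collections import Counter, defaultdict

KEY_LEN = 32  # assumption: raw Curve25519 public key, 32 bytes, hex-encoded

# Constructed sample: account ids and key bytes are made up.
SAMPLE_RECORDS = [
    ("acct-1", "11" * 32),
    ("acct-2", "22" * 32),
    ("acct-3", "11" * 32),  # shares its key with acct-1
    ("acct-4", "00" * 32),  # all-zero key
    ("acct-5", "33" * 32),
    ("acct-6", "abcd"),     # wrong length, not a valid key
    ("acct-7", "11" * 32),  # third account on the same key
]


def audit_identity_keys(records, key_len=KEY_LEN):
    """Return a report with:
    'malformed' - accounts whose key is not key_len bytes of hex,
    'all_zero'  - accounts whose key is entirely zero bytes,
    'shared'    - key -> sorted accounts, for keys seen on >1 account,
    'reuse'     - histogram: accounts-per-key -> number of such keys.
    A healthy population puts all of 'reuse' at 1."""
    by_key = defaultdict(list)
    malformed, all_zero = [], []
    zero_key = "00" * key_len
    for account, key_hex in records:
        key_hex = key_hex.lower()
        try:
            raw = bytes.fromhex(key_hex)
        except ValueError:
            raw = b""
        if len(raw) != key_len:
            malformed.append(account)
            continue
        if key_hex == zero_key:
            all_zero.append(account)
        by_key[key_hex].append(account)
    shared = {k: sorted(v) for k, v in by_key.items() if len(v) > 1}
    reuse = Counter(len(v) for v in by_key.values())
    return {"malformed": malformed, "all_zero": sorted(all_zero),
            "shared": shared, "reuse": reuse}
```

Running it over the constructed records reports one malformed key, one all-zero key and one key shared by three accounts, which is the shape of finding the researchers attribute to unofficial clients.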

WhatsApp’s evolution beyond phone numbers

WhatsApp is currently testing a new username feature in beta, which could offer a more private and secure alternative to using phone numbers as primary identifiers. This development comes as a response to ongoing concerns about the enumerability of phone numbers, which has been exploited in the past to expose user data. By allowing users to choose unique usernames, WhatsApp aims to enhance user privacy and provide a more robust discovery mechanism that is less susceptible to mass scraping and enumeration techniques. This shift could significantly impact how users connect and are identified on the platform, moving towards a system that prioritizes user control over personal information.

Dario Betti

MEF CEO

