
A team of researchers from the University of Vienna has uncovered a major security flaw in WhatsApp, which allowed them to scrape data from 3.5 billion user accounts.
The researchers explained that the exploit takes advantage of WhatsApp’s contact-discovery feature, which discloses whether a phone number is registered on the platform and exposes publicly visible details—such as profile photos and status messages—whenever a number is entered.
Despite expecting WhatsApp to enforce rate limits, the researchers found they could gather account data at extraordinary speed—more than 100 million phone numbers per hour. By leveraging this same mechanism, they tested 63 billion automatically generated phone numbers—created with a custom tool based on Google’s libphonenumber—and were able to collect publicly visible user details at scale.
“Normally, a system shouldn’t respond to such a high number of requests in such a short time — particularly when originating from a single source.
“This behavior exposed the underlying flaw, which allowed us to issue an effectively unlimited number of requests to the server and, in doing so, map user data worldwide,” said Gabriel Gegenhuber, lead author of the research paper.
More than 57% of the active accounts the team identified displayed a profile photo, and about two-thirds of those images included recognisable human faces. According to the researchers, this opens the door to creating a “reverse phone book,” where a person’s face can be linked to their phone number and other associated details.
Additionally, roughly 29% of accounts included text in their profile, providing even more information that could be used to assemble a detailed picture of each user.
The team also cross-referenced their scraped data with the 500 million Facebook user records leaked in 2021 and found that nearly half of the exposed phone numbers were still linked to active WhatsApp accounts.
Meta acknowledged the issue through its bug bounty program in April 2025 and introduced stronger rate-limiting protections in October 2025, emphasising that the scraped information was already publicly visible and that message encryption was never compromised.
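The mechanism described above comes down to a lookup endpoint that answers every query at the same cost, so without a per-source ceiling the leak rate is bounded only by the caller's bandwidth, and the fix Meta describes is exactly such a ceiling. The following is an added example written for this article, not the researchers' tool and not WhatsApp or Meta code: a toy contact-lookup function, a per-source sliding-window limiter placed in front of it, and a detection check that flags sources whose lookup rate looks like bulk enumeration. The directory contents, source identifiers, thresholds and window sizes are all constructed for the demonstration.

```python
from collections import deque
from typing import Deque, Dict, Iterable, Optional, Set, Tuple

# Constructed sample directory standing in for the contact-discovery backend:
# phone number -> publicly visible profile fields (absent if unregistered).
REGISTERED: Dict[str, dict] = {
    "+15550000001": {"photo": True, "about": "Hey there!"},
    "+15550000007": {"photo": False, "about": ""},
    "+15550000042": {"photo": True, "about": "Busy"},
}


def lookup(number: str) -> Optional[dict]:
    """Unthrottled lookup: reveals registration status and public fields."""
    return REGISTERED.get(number)


class SlidingWindowLimiter:
    """Per-source limiter: at most max_requests in any window_seconds span."""

    def __init__(self, max_requests: int, window_seconds: float) -> None:
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, source: str, now: float) -> bool:
        q = self._hits.setdefault(source, deque())
        cutoff = now - self.window_seconds
        while q and q[0] <= cutoff:        # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def replay(numbers: Iterable[str], source: str, rate_per_second: float,
           limiter: Optional[SlidingWindowLimiter] = None,
           start: float = 0.0) -> Tuple[int, int, int]:
    """Replay a burst of lookups from one source at a fixed rate.

    Returns (served, throttled, registered_found): how many queries reached
    the backend, how many the limiter refused, and how many served queries
    hit a registered number.
    """
    served = throttled = found = 0
    for i, number in enumerate(numbers):
        now = start + i / rate_per_second
        if limiter is not None and not limiter.allow(source, now):
            throttled += 1
            continue
        served += 1
        if lookup(number) is not None:
            found += 1
    return served, throttled, found


def flag_enumerators(events: Iterable[Tuple[float, str]], threshold: int,
                     window_seconds: float) -> Set[str]:
    """Detection side: events are (timestamp, source) pairs from a lookup log
    (constructed in the test below). A source is flagged as soon as it exceeds
    `threshold` lookups inside any `window_seconds` span, which is the shape
    of traffic bulk enumeration produces."""
    probe = SlidingWindowLimiter(threshold, window_seconds)
    flagged: Set[str] = set()
    for ts, source in sorted(events):
        if not probe.allow(source, ts):
            flagged.add(source)
    return flagged


if __name__ == "__main__":
    numbers = [f"+1555{i:07d}" for i in range(1000)]
    print("no limit:", replay(numbers, "10.0.0.1", 100.0))
    lim = SlidingWindowLimiter(max_requests=30, window_seconds=60.0)
    print("limited: ", replay(numbers, "10.0.0.1", 100.0, lim))
```

With no limiter, a 100-per-second burst from one source is served in full; the same burst behind a 30-per-minute window is cut to 30 served lookups. The limiter keys on the caller, so the choice of `source` (client identity, device, IP range) is the real design decision: a key the caller can cheaply rotate turns the ceiling back into an enumeration budget.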
WhatsApp’s VP of Engineering, Nitin Gupta, said the company was actively developing new anti-scraping defenses and that the researchers’ work helped stress-test those systems. He also noted that Meta found no evidence the vulnerability had been maliciously exploited.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543