
Global Study Reveals WhatsApp Vulnerability, Over 3.5 Billion Numbers Exposed

The420 Web Desk

A group of European researchers quietly demonstrated that WhatsApp's contact discovery system, one of the platform's most basic convenience features, could be weaponized to map billions of phone numbers worldwide. Their findings, gathered over six months across 245 countries, show how a single design choice left much of the globe exposed, despite years of warnings to Meta.

A Global Privacy Gap Hidden in Plain Sight

A critical security flaw in WhatsApp has allowed researchers to confirm the active phone numbers of 3.5 billion users, marking what experts describe as one of the most far-reaching data exposures ever recorded. The vulnerability, rooted in the platform’s contact discovery feature, persisted for years even as researchers repeatedly warned Meta, WhatsApp’s parent company, that the mechanism lacked basic protections.

The flaw sits in a tool familiar to any WhatsApp user: the check that tells the app whether a phone number belongs to an active account. Because that check imposed only minimal rate limits, researchers from the University of Vienna found they could probe vast sequences of phone numbers worldwide at more than 100 million queries per hour without hitting meaningful restrictions.

Inside the Enumeration Machine

The researchers' ability to query billions of numbers was less a technical feat than the exposure of a design oversight. WhatsApp's mechanism, built for convenience, answers whether a number is registered and, for registered numbers, returns public profile details such as the profile image, the "about" text and timestamps whenever the number is entered into the app.
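Enumeration of this kind is easy to spot on the server side once the lookup traffic is logged per client, because a bulk probe walks numbers in order, runs far faster than any address-book sync, and mostly asks about numbers that turn out not to exist. The following is an added example, not WhatsApp's code or the Vienna team's tooling. It assumes a hypothetical log format (one line per contact-discovery request: timestamp, client id, E.164 number, and whether the number was registered) and illustrative thresholds; the sample log is constructed inline.

```python
"""Flag contact-discovery clients whose query pattern looks like bulk enumeration.

Added example, not WhatsApp's code. Assumes a hypothetical server-side log in
which every contact-discovery request is one line of the form:

    <unix_ts> <client_id> <e164_number> <hit|miss>

where hit/miss records whether the number was registered. The thresholds
are illustrative assumptions, not known WhatsApp values.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

LINE_RE = re.compile(r"^(\d+) (\S+) \+(\d+) (hit|miss)$")


@dataclass
class ClientStats:
    first_ts: int
    last_ts: int
    count: int = 0
    hits: int = 0
    sequential: int = 0            # queries whose number is previous + 1
    prev_number: Optional[int] = None


def parse_line(line: str):
    """Parse one log line into (timestamp, client_id, number, is_hit)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed log line: {line!r}")
    ts, client, number, result = m.groups()
    return int(ts), client, int(number), result == "hit"


def aggregate(log_text: str) -> Dict[str, ClientStats]:
    """Aggregate per-client counters in timestamp order (stable on ties)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e[0])
    stats: Dict[str, ClientStats] = {}
    for ts, client, number, hit in events:
        s = stats.get(client)
        if s is None:
            s = stats[client] = ClientStats(first_ts=ts, last_ts=ts)
        s.count += 1
        s.hits += int(hit)
        s.last_ts = max(s.last_ts, ts)
        if s.prev_number is not None and number == s.prev_number + 1:
            s.sequential += 1
        s.prev_number = number
    return stats


def enumeration_reasons(s: ClientStats, min_queries: int = 100,
                        max_per_minute: float = 60.0,
                        max_sequential_fraction: float = 0.5,
                        min_hit_ratio: float = 0.2) -> List[str]:
    """Return why a client looks like an enumerator (empty list if it does not)."""
    if s.count < min_queries:
        return []                          # too little data to judge
    span = max(1, s.last_ts - s.first_ts)  # seconds, at least one
    per_minute = s.count * 60.0 / span
    seq_fraction = s.sequential / max(1, s.count - 1)
    hit_ratio = s.hits / s.count
    reasons = []
    if per_minute > max_per_minute:
        reasons.append(f"rate {per_minute:.0f}/min")
    if seq_fraction > max_sequential_fraction:
        reasons.append(f"sequential numbers {seq_fraction:.0%}")
    if hit_ratio < min_hit_ratio:
        reasons.append(f"hit ratio {hit_ratio:.0%}")
    return reasons


def flag_enumerators(log_text: str) -> Dict[str, List[str]]:
    """Map each suspicious client id to the reasons it was flagged."""
    return {c: r for c, s in aggregate(log_text).items()
            if (r := enumeration_reasons(s))}


# Constructed sample log: c1 syncs a handful of real contacts; c2 walks
# 400 consecutive numbers in 40 seconds and rarely finds a registered one.
SAMPLE_LOG = "\n".join([
    "1700000000 c1 +14155550123 hit",
    "1700000001 c1 +14155559876 hit",
    "1700000002 c1 +442071234567 miss",
    "1700000003 c1 +14155550199 hit",
] + [
    f"{1700000000 + i // 10} c2 +1415555{1000 + i:04d} {'hit' if i % 7 == 0 else 'miss'}"
    for i in range(400)
])

if __name__ == "__main__":
    for client, reasons in flag_enumerators(SAMPLE_LOG).items():
        print(client, "->", ", ".join(reasons))
```

A real address-book sync submits contacts in batches, so a production version would count distinct numbers over a longer window rather than raw requests per minute; the sequential-number and hit-ratio signals are the ones a legitimate client almost never trips.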

For 29.3 percent of users in the dataset, those “about” lines disclosed details that cybersecurity experts consider sensitive: political opinions, religious affiliations, personal mottos, or links to other platforms. The team also uncovered 2.9 million instances of public key reuse, including identity key and prekey collisions that could theoretically weaken end-to-end encryption if misused by sophisticated adversaries running unofficial clients.

One anomaly drew particular attention: roughly 20 phone numbers in the United States appeared to share a public key consisting entirely of zeroes, which the researchers read as a sign of either broken implementations or possible attempts at fraud.
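The key-reuse and all-zero-key findings above come from comparing the public key bundles that the discovery mechanism hands out for different numbers. The following is an added example, not the researchers' tooling, showing how such a scan works on a constructed set of records. It assumes each record carries a phone number, a 32-byte identity public key and a 32-byte signed prekey, both hex encoded; the sample keys are deterministic stand-ins, not real key material.

```python
"""Scan published key bundles for keys shared across numbers and all-zero keys.

Added example, not the Vienna team's code. Assumes each bundle is a dict with
a phone number plus hex-encoded 32-byte identity_key and signed_prekey fields;
SAMPLE_BUNDLES is constructed data.
"""
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple

KEY_LEN = 32
ZERO_KEY = bytes(KEY_LEN)
KEY_FIELDS = ("identity_key", "signed_prekey")


def _key(label: str) -> str:
    """Deterministic stand-in for an X25519 public key (constructed, not real)."""
    return hashlib.sha256(label.encode()).digest().hex()


SAMPLE_BUNDLES = [
    {"phone": "+14155550101", "identity_key": _key("id-a"), "signed_prekey": _key("spk-a")},
    {"phone": "+14155550102", "identity_key": _key("id-b"), "signed_prekey": _key("spk-b")},
    # Same identity key on two numbers: a copied key store or a bulk-registration tool.
    {"phone": "+14155550103", "identity_key": _key("id-a"), "signed_prekey": _key("spk-c")},
    # All-zero identity key, the anomaly seen on roughly 20 US numbers in the study.
    {"phone": "+14155550104", "identity_key": "00" * KEY_LEN, "signed_prekey": _key("spk-d")},
    # Signed prekey reused across numbers.
    {"phone": "+14155550105", "identity_key": _key("id-e"), "signed_prekey": _key("spk-b")},
    # Truncated key, to exercise the malformed-input path.
    {"phone": "+14155550106", "identity_key": _key("id-f"), "signed_prekey": "abcd"},
]


def scan_bundles(bundles: List[dict]) -> Dict[str, object]:
    """Return reused keys (per field), all-zero keys and malformed keys.

    reused:    {(field, key_hex): [phones...]} for keys owned by >1 number
    zero:      [(phone, field)] for keys that are all zero bytes
    malformed: [(phone, field)] for keys that are not 32 valid hex bytes
    """
    owners: Dict[Tuple[str, bytes], set] = defaultdict(set)
    findings: Dict[str, object] = {"reused": {}, "zero": [], "malformed": []}
    for b in bundles:
        for field in KEY_FIELDS:
            try:
                raw = bytes.fromhex(b[field])
            except ValueError:
                raw = b""
            if len(raw) != KEY_LEN:
                findings["malformed"].append((b["phone"], field))
                continue
            if raw == ZERO_KEY:
                findings["zero"].append((b["phone"], field))
            owners[(field, raw)].add(b["phone"])
    for (field, raw), phones in owners.items():
        if len(phones) > 1:
            findings["reused"][(field, raw.hex())] = sorted(phones)
    return findings


if __name__ == "__main__":
    result = scan_bundles(SAMPLE_BUNDLES)
    for (field, key_hex), phones in result["reused"].items():
        print(f"{field} {key_hex[:16]}... shared by {phones}")
    print("zero keys:", result["zero"])
    print("malformed:", result["malformed"])
```

An all-zero X25519 public key is a low-order point, so any Diffie-Hellman computation against it produces an all-zero shared secret; that is why a well-built client rejects such a key before deriving any session material, and why its appearance on live accounts points to either a broken implementation or something deliberately odd.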

The findings underscore risks unique to WhatsApp Business accounts, which made up approximately 9 percent of the exposed entries. These profiles often include extra metadata: shop names, addresses, catalogue previews, and automated contact details that can unintentionally broaden the attack surface for phishing, SIM-swapping, or doxxing.


Meta’s Delayed Response and Years of Warnings

Meta acknowledged the findings through its bug-bounty program in April 2025 and deployed stricter rate limits six months later. Company officials emphasized that messages remained end-to-end encrypted and that much of the exposed data, such as profile names and pictures, was already public.

WhatsApp’s vice president of engineering, Nitin Gupta, said the research helped the company “stress-test” emerging anti-scraping measures, adding that investigators found no evidence of malicious exploitation. Researchers confirmed that they had deleted the dataset after completing the study.

Yet their report sharply criticized Meta for the extended lag between early warnings and concrete protections. A variant of the same flaw was reported to the company in 2017, the researchers noted, meaning the issue persisted for eight years before being meaningfully addressed.

The exposed information overlaps substantially with earlier leaks, including the 2021 incident in which 500 million Facebook-linked phone numbers appeared on public forums. Nearly half of those accounts remained active on WhatsApp at the time of the new study, compounding risks for targeted scams.

Uneven Risks Across the World

While the findings carry global implications, the dangers are not evenly distributed. In countries where WhatsApp is banned, such as China, Iran, and North Korea, users often rely on VPNs or secondary devices, which creates distinct vulnerabilities. Exposure of their phone numbers through enumeration, researchers said, could subject them to surveillance or retaliation.

The team also warned that the enumeration weakness reflects a broader category of risks in modern messaging infrastructure. “Convenience features,” they wrote, can become privacy liabilities when deployed at global scale without strict rate controls. Enumeration is not inherently sophisticated—it is, in their words, “simply the systematic asking of a question that WhatsApp readily answers.”

Cybersecurity analysts urge users to limit what they share publicly on the app: restrict the visibility of the profile photo, "about" text and "last seen" status to contacts only, keep sensitive information out of status texts, and watch accounts for unusual activity. The researchers argue that while the rate limits Meta deployed make the flaw harder to exploit, the structure of WhatsApp's discovery system still deserves deeper scrutiny.
