A newly uncovered WhatsApp security flaw may have exposed data from every one of the platform’s 3.5 billion users — making it what researchers are calling the largest data leak of its kind.
The vulnerability, which allowed attackers to enumerate user accounts at extraordinary scale, required no advanced hacking techniques and exploited a long-standing gap in WhatsApp’s contact discovery feature.
“On the surface, WhatsApp’s API appeared to expose only limited information — a phone number, a timestamp, and a public key. While none of these elements seem individually sensitive, that assumption is flawed,” said Omer Tal, Director of Innovation and Research in the CTO Office at Seemplicity.
Tal further explained, “Even seemingly benign data can hold significant value for malicious actors. In this case, a timestamp can reveal whether a phone number is active, and patterns in the public key may allow attackers to infer additional details, such as account age or even the operating system in use.”
He also emphasized the scale of the exposure, noting, “It’s also important to recognize the scale of this incident. Collecting small pieces of data from a few devices is one thing; scraping information tied to 3.5 billion phone numbers, nearly one-third of the global population, is something else entirely.”
Tal concluded by stressing Meta’s responsibility in the incident: “The core issue is Meta’s responsibility. As a company that holds vast amounts of data on billions of people worldwide, even the smallest data elements must be safeguarded with extreme care. Meta has an obligation to ensure that vulnerabilities like this cannot be exploited, and that the trust users place in their platforms is protected.”
When Basic App Functions Turn Into Security Risks
The flaw highlights how even basic app features — such as checking whether a phone number is registered — can be weaponized when rate limits and anti-automation controls are insufficient.
The researchers demonstrated that attackers could confirm account ownership, view profile photos, and extract profile text from billions of users, creating opportunities for phishing, harassment, surveillance, and large-scale social engineering.
How Researchers Scraped 3.5 Billion WhatsApp Accounts
The researchers tested WhatsApp’s contact discovery mechanism using WhatsApp Web.
By bulk-loading phone numbers generated through a tool built with Google’s libphonenumber, they were able to submit queries at a rate of more than 100 million numbers per hour — without encountering blocking or meaningful rate limiting.
According to the researchers, WhatsApp applied no meaningful blocking even as they submitted 7,000 phone numbers per second, which allowed them to verify 3.5 billion accounts.
The data the researchers collected included:
- Phone numbers for all confirmed WhatsApp accounts
- Profile photos for 57% of users (many containing identifiable faces)
- Profile text for 29% of users, which in some cases revealed sensitive personal information
This scaled-up enumeration — essentially a “reverse phonebook” — dramatically increases privacy risks compared to typical, one-off lookups.
Why WhatsApp’s Lookup Feature Became a Risk
The root of the vulnerability lies in unrestricted enumeration, a known security weakness in which an attacker can submit unlimited queries to verify user accounts.
WhatsApp’s lack of strict rate limiting allowed researchers to brute-force billions of numbers without triggering any defensive mechanisms.
While WhatsApp encrypts messages end-to-end, its account discovery feature — designed for convenience — exposes far more data than many users understood.
Profile text sometimes included political views, sexual orientation, drug-related content, links to social media accounts, or professional email addresses.
Researchers also identified millions of active accounts tied to numbers from countries where WhatsApp is banned, such as China and North Korea — information that could put individuals at real personal risk.
Essential Defenses Against Data Enumeration
While WhatsApp has taken steps to address the data scraping vulnerability, organizations and developers must adopt stronger safeguards to protect against similar abuses in the future.
- Review and tighten privacy settings to limit who can see profile photos, status text, and other exposed fields.
- Limit the use of phone numbers as identifiers by supporting alternative authentication methods like app-based IDs or email with MFA.
- Implement strict rate limiting, behavioral analytics, and anomaly detection to block high-volume or automated enumeration attempts.
- Minimize the amount of metadata returned during contact discovery to reduce the value of scraped information.
- Require stronger API authentication, request signing, and proof-of-humanity challenges to prevent unauthorized automated lookups.
- Monitor for distributed or unusual lookup patterns across IPs and sessions to quickly identify scraping activity.
- Conduct regular privacy audits and red-team tests focused on scraping resilience and unintended data exposure.
Strengthening resilience against these types of attacks requires layered controls that combine strong authentication, smarter detection, and proactive privacy controls.
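To make the rate-limiting and pattern-monitoring recommendations above concrete, here is an added detection example (not WhatsApp's or the researchers' code) that runs two checks over a constructed log of contact-discovery lookups: a per-session sliding-window limit, and a cross-session check that flags a block of consecutive numbers walked by several IPs, the shape a scraper sliced across low-rate sessions would leave. Field layout, thresholds and block size are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Constructed lookup log (not real telemetry): (unix_ts, session_id, client_ip, E.164 number as int).
def build_sample_log():
    ev = []
    # s1: one session walking 20 consecutive numbers in two seconds (burst enumeration).
    ev += [(1000 + i * 0.1, "s1", "198.51.100.7", 4915112345600 + i) for i in range(20)]
    # s2: an ordinary contact sync, a few unrelated numbers from different regions.
    ev += [(1000.5, "s2", "203.0.113.9", n) for n in (14155550101, 442071234567, 33612345678)]
    # s3..s5: three slow sessions on three IPs, each taking a 5-number slice of one range.
    for k, sid in enumerate(("s3", "s4", "s5")):
        ev += [(1100 + i * 15, sid, f"192.0.2.{k}", 4915112346000 + 5 * k + i) for i in range(5)]
    return ev

def rate_violations(events, max_per_window=10, window_s=60):
    """Per-session sliding window: return sessions exceeding max_per_window lookups.
    The threshold is an assumed value; a real service tunes it to normal sync sizes."""
    windows, flagged = defaultdict(deque), set()
    for ts, sid, _ip, _n in sorted(events):
        q = windows[sid]
        q.append(ts)
        while ts - q[0] > window_s:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > max_per_window:
            flagged.add(sid)
    return flagged

def sequential_density(numbers):
    """Share of queried numbers whose neighbour (n-1 or n+1) was also queried.
    Address books rarely hold consecutive numbers; a generated range is dense."""
    s = set(numbers)
    return sum(1 for n in s if n - 1 in s or n + 1 in s) / len(s) if s else 0.0

def distributed_enumeration(events, block=1000, min_sources=3, min_density=0.8):
    """Cross-session view: flag 1000-number blocks that several IPs walked densely,
    even though each individual session stayed under the per-session rate limit."""
    nums, ips = defaultdict(list), defaultdict(set)
    for _ts, _sid, ip, n in events:
        nums[n // block].append(n)
        ips[n // block].add(ip)
    return {b for b in nums
            if len(ips[b]) >= min_sources and sequential_density(nums[b]) >= min_density}

if __name__ == "__main__":
    log = build_sample_log()
    print("rate-limited sessions:", rate_violations(log))
    print("blocks walked by multiple IPs:", distributed_enumeration(log))
```

Neither check alone catches both behaviours: s1 trips only the rate limit, while s3 to s5 never exceed it and are visible only when lookups are correlated across sessions and IPs.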
Meta stated that the exposed information was already public based on user privacy settings and emphasized that “user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption.”
Meta also confirmed that the Austrian research team deleted the data after the study.
According to WhatsApp VP of Engineering Nitin Gupta, the company had been working on new anti-scraping systems, and the researchers’ findings “were instrumental in stress-testing” those defenses.
The researchers confirmed that after Meta deployed fixes in October, the enumeration technique was fully blocked.
The Threat Behind Public Data Exposure
This incident underscores a growing challenge in modern app security: platforms designed for frictionless onboarding often create hidden attack surfaces.
Even when only “public” data is exposed, mass enumeration increases harm potential, especially for vulnerable populations like journalists in countries with oppressive regimes.
This risk reinforces why organizations must shift toward a zero-trust approach, where every request is treated as untrusted by default and every data access pathway is intentionally verified and restricted.
