According to TheRegister.com, researchers from Austria’s University of Vienna exploited a WhatsApp enumeration flaw to gather personal data from 3.5 billion users in what they’re calling potentially the largest data leak in history. Using a tool built with Google’s libphonenumber, they tested 63 billion phone numbers at a rate of 7,000 per second, confirming active WhatsApp accounts far exceeding the platform’s official “over 2 billion” user count. The researchers collected phone numbers, names, and profile pictures—with 57% of active accounts having profile photos and 29% containing revealing text. Despite operating at this massive scale for two days, they encountered no blocking or effective rate limiting from WhatsApp’s systems.
How the leak worked
Here’s the thing about enumeration attacks—they’re basically the digital equivalent of trying every key on a keyring until one works. WhatsApp’s “look up by phone number” feature, which has been around for years, became the researchers’ golden ticket. They generated billions of phone numbers systematically and just asked WhatsApp, “Is this number registered?” And WhatsApp happily answered. The crazy part? They were pulling data on 100 million accounts every single hour without hitting any meaningful speed bumps.
Think about that for a second. Most platforms would shut you down after a few hundred suspicious queries. But WhatsApp apparently didn’t notice or care about 7,000 requests per second coming from the same source. It’s like having a bouncer who just waves everyone through without checking IDs.
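The missing rate limiting described above is exactly what a per-source enumeration detector on the lookup endpoint is meant to catch. As an added illustration (not code from the researchers, WhatsApp, or Meta), here is a sliding-window check run over a constructed lookup log; the log format, source identifiers, and thresholds are all assumptions.

```python
from collections import defaultdict, deque

# Constructed sample log of "is this phone number registered?" requests.
# Hypothetical record format: (timestamp_seconds, source_id, registered_bool).
# One source sweeps 200 numbers in 10 seconds with a 10% hit rate (enumeration);
# another does 5 lookups over a minute, all of numbers that exist (address-book sync).
SCANNER_EVENTS = [(t / 20.0, "src-scan", t % 10 == 0) for t in range(200)]
NORMAL_EVENTS = [(t * 12.0, "src-user", True) for t in range(5)]
SAMPLE_LOG = sorted(SCANNER_EVENTS + NORMAL_EVENTS, key=lambda e: e[0])


def detect_enumeration(log, window_s=60.0, max_lookups=50,
                       min_lookups=20, max_miss_ratio=0.5):
    """Return {source_id: reason} for sources whose lookups look like a number sweep.

    Two signals are combined inside a sliding window of `window_s` seconds:
    raw lookup volume per source, and the share of lookups that hit unregistered
    numbers (a legitimate contact sync mostly asks about numbers that exist;
    a systematic sweep of a number range mostly does not).
    """
    recent = defaultdict(deque)  # source_id -> deque of (timestamp, registered)
    flagged = {}
    for ts, src, registered in log:
        if src in flagged:
            continue  # already reported; a real system would block here
        q = recent[src]
        q.append((ts, registered))
        while q and q[0][0] < ts - window_s:  # drop events that left the window
            q.popleft()
        n = len(q)
        misses = sum(1 for _, ok in q if not ok)
        if n > max_lookups:
            flagged[src] = f"{n} lookups in {window_s:.0f}s exceeds {max_lookups}"
        elif n >= min_lookups and misses / n > max_miss_ratio:
            flagged[src] = f"{misses}/{n} lookups hit unregistered numbers"
    return flagged


if __name__ == "__main__":
    for src, reason in detect_enumeration(SAMPLE_LOG).items():
        print(f"{src}: {reason}")
```

The miss-ratio signal fires long before the volume cap, which matters because a slow sweep spread across many source addresses keeps each one under any per-source volume threshold.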
What was actually exposed
Now, you might be thinking, “It’s just phone numbers and names—how bad could it be?” But the researchers found plenty of sensitive data hiding in plain sight. Profile pictures contained detectable human faces in two-thirds of cases, creating what they called a “reverse phonebook” where you could identify someone from their photo. Even more concerning, the profile text often revealed sexual orientation, political views, drug use, professional email addresses, and links to other platforms like LinkedIn and Tinder.
They even connected phone numbers to government and military officials. And get this—they found millions of active accounts in countries where WhatsApp is officially banned, like China, Myanmar, and North Korea. That’s particularly troubling given the severe consequences people in those countries can face for using banned services.
Meta’s response and timing
So how did Meta handle this bombshell? According to the research paper, it took them nearly a year to provide a meaningful response to the researchers’ multiple tickets. They only got serious after receiving a pre-print of the paper and being notified about planned publication. WhatsApp’s VP of Engineering Nitin Gupta thanked the researchers for their “responsible partnership” and claimed they’d already been working on “industry-leading anti-scraping systems.”
But here’s the real question: Why did it take external researchers to discover this gaping hole in WhatsApp’s defenses? The researchers confirmed that Meta has since implemented effective countermeasures—their same methods now get blocked quickly. Still, it raises concerns about what other vulnerabilities might be lurking undetected.
The broader implications
This isn’t just about privacy—it’s about real-world harm. The researchers warned that massive phone number databases like this one give spam, phishing, and robocall operations a reliable target list. They compared it to the 2021 Facebook data scrape and found that half of those phone numbers were still active in their WhatsApp dataset. That means this data has staying power for malicious use.
Look, we’ve seen similar issues with other platforms, but the scale here is unprecedented. When you’re talking about 3.5 billion users—basically half the world’s population—every percentage point represents millions of people. The researchers securely deleted their collected data, but how many malicious actors might have discovered this same vulnerability independently? As one researcher told the BBC, proving security issues exist is easier than proving they don’t.
Basically, this incident shows that even the biggest tech companies can miss glaring security flaws until someone points them out. And when that flaw affects nearly every WhatsApp user on Earth, it’s a wake-up call about how fragile our digital privacy really is.
