WhatsApp’s Phone Number Leak Exposed 3.5 Billion Accounts


According to TechRepublic, Austrian researchers discovered a major WhatsApp vulnerability that allowed them to map 3.5 billion phone numbers to active accounts worldwide. The team used a reverse-engineered client called whatsmeow to query WhatsApp’s XMPP interface at speeds up to 7,000 numbers per second without encountering prohibitive rate limiting. They confirmed active accounts in countries where WhatsApp is banned, including 2.3 million in China and 59 million in Iran. The exposed data included phone numbers, timestamps, profile pictures, about text, and public encryption keys. WhatsApp VP of Engineering Nitin Gupta called this “basic publicly available information” while acknowledging the company has been tightening anti-scraping defenses. Meta has since applied stricter rate limiting to prevent similar enumeration attacks.


How they pulled it off

Here’s the thing that’s genuinely alarming about this research – they basically used WhatsApp’s own infrastructure against itself. Instead of hammering the regular app, they went straight to the underlying XMPP protocol using that whatsmeow client. With just five concurrent sessions and a single server, they could blast through thousands of queries every second.

And get this – they expected to hit roadblocks. Rate limiting, warnings, maybe even getting blocked entirely. But nothing happened. The system just kept serving up data like it was business as usual. That’s what makes this so concerning from a security perspective. When researchers can run this kind of large-scale enumeration without triggering any alarms, what could actual malicious actors accomplish?

What the data revealed

The resulting dataset wasn’t just a list of numbers – it became a demographic goldmine. The researchers could see exactly where WhatsApp dominates, which countries prefer Android over iOS, and how many people willingly share personal details through their public profiles. In many regions, over half of users had public profile pictures that could be downloaded at scale.

But the real eyebrow-raiser? They found active accounts in countries where WhatsApp is supposedly banned. China with 2.3 million users, Myanmar with 1.6 million, and even North Korea with 5 accounts. Iran had a staggering 59 million active accounts despite the platform being banned until late 2024. That tells you something about both the service’s reach and the limitations of government restrictions.

Meta’s response

Now, Meta’s official response is… interesting. WhatsApp’s VP of Engineering called this “basic publicly available information” and emphasized that users who set their profiles to private were protected. But let’s be real – when you can systematically map nearly half the planet’s phone numbers to active accounts, that’s more than just “public information.” That’s a surveillance nightmare waiting to happen.

Meta says they’ve since applied stricter rate limiting and that this research helped “stress-test” their anti-scraping systems. They also pointed out that no malicious abuse was detected and that end-to-end encryption kept messages secure. But here’s the fundamental problem: any service built around phone numbers will always be vulnerable to this kind of scraping. The very feature that makes WhatsApp so easy to use – your phone number is your identity – also makes it a massive target.
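To make the defensive side concrete, here is an added example (written for this page, not code from the researchers, TechRepublic, WhatsApp or Meta) of what "stricter rate limiting" and enumeration detection on a phone-number lookup endpoint can look like. It budgets lookups per registered account rather than per session, so five concurrent sessions from one account share one allowance, and it flags accounts whose queried numbers form long consecutive runs, which a real address-book sync rarely produces. The log format, the `bulk` and `sync` accounts, and the policy values `MAX_LOOKUPS_PER_WINDOW` and `SEQUENTIAL_FRACTION_ALERT` are all constructed for illustration; none of them is WhatsApp's actual configuration.

```python
"""Rate limiting and enumeration detection for a phone-number lookup endpoint.

Constructed example: the thresholds and the log format are assumptions,
not WhatsApp's real policy or log schema.
"""
from collections import defaultdict, deque

# Assumed policy values for illustration only.
WINDOW_SECONDS = 60
MAX_LOOKUPS_PER_WINDOW = 50
SEQUENTIAL_FRACTION_ALERT = 0.5   # alert when >=50% of targets have a queried neighbour


class LookupRateLimiter:
    """Sliding-window limiter keyed on the registered account.

    Keying on the account (not the session) means several concurrent
    sessions of the same account share a single lookup budget.
    """

    def __init__(self, window=WINDOW_SECONDS, max_lookups=MAX_LOOKUPS_PER_WINDOW):
        self.window = window
        self.max_lookups = max_lookups
        self._events = defaultdict(deque)   # account -> timestamps of allowed lookups

    def allow(self, account, ts):
        q = self._events[account]
        while q and ts - q[0] >= self.window:   # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.max_lookups:
            return False                         # budget exhausted: throttle
        q.append(ts)
        return True


def parse_line(line):
    """Parse a constructed 'key=value key=value' lookup log line."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return float(fields["ts"]), fields["account"], fields["session"], fields["target"]


def sequential_fraction(targets):
    """Fraction of distinct queried numbers whose neighbour (n-1 or n+1) was also queried.

    Address-book uploads rarely contain runs of consecutive numbers;
    a scan of the number space consists almost entirely of them.
    """
    nums = {int(t.lstrip("+")) for t in targets}
    if not nums:
        return 0.0
    adjacent = sum(1 for n in nums if (n - 1) in nums or (n + 1) in nums)
    return adjacent / len(nums)


def analyse(log_lines):
    """Run the limiter and the sequential-scan heuristic over a log; return per-account findings."""
    limiter = LookupRateLimiter()
    targets_by_account = defaultdict(list)
    allowed = defaultdict(int)
    throttled = defaultdict(int)
    for line in log_lines:
        ts, account, _session, target = parse_line(line)
        targets_by_account[account].append(target)
        if limiter.allow(account, ts):
            allowed[account] += 1
        else:
            throttled[account] += 1
    report = {}
    for account, targets in targets_by_account.items():
        frac = sequential_fraction(targets)
        report[account] = {
            "allowed": allowed[account],
            "throttled": throttled[account],
            "sequential_fraction": round(frac, 2),
            "enumeration_suspected": frac >= SEQUENTIAL_FRACTION_ALERT,
        }
    return report


def build_sample_log():
    """Constructed log: 'bulk' scans 120 consecutive numbers across five sessions
    in about two seconds; 'sync' looks up 12 unrelated contacts over a minute."""
    base = 1700000000.0
    lines = []
    for i in range(120):
        session = f"s{i % 5 + 1}"   # round-robin over five concurrent sessions
        lines.append(f"ts={base + i * 0.0166:.4f} account=bulk session={session} "
                     f"target=+4366012{i:04d}")
    sync_targets = ["+436601234567", "+12025550143", "+447911123456", "+4915112345678",
                    "+33612345678", "+34612345678", "+5511912345678", "+919876543210",
                    "+61412345678", "+27821234567", "+81901234567", "+5215512345678"]
    for j, target in enumerate(sync_targets):
        lines.append(f"ts={base + j * 5:.4f} account=sync session=s1 target={target}")
    return lines


if __name__ == "__main__":
    for account, finding in analyse(build_sample_log()).items():
        print(account, finding)
```

With these constructed inputs the `bulk` account gets 50 lookups through and 70 throttled inside one window, with every queried number adjacent to another, while the `sync` account is neither throttled nor flagged. Keying the budget on the account is the part that matters against the multi-session pattern described above; a per-session limit would simply be multiplied by the number of sessions an attacker opens.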

The bigger picture

So where does this leave us? Well, WhatsApp is testing usernames in beta, which could eventually reduce this risk. But the cat’s already out of the bag when it comes to phone number-based services. The researchers published their full methodology in this detailed paper, so other platforms should be taking notes.

Basically, this incident highlights the tension between convenience and security that plagues all major tech platforms. The features that make services user-friendly often create massive attack surfaces. And while Meta has plugged this specific hole, the underlying architecture problem remains. When your identifier is something as fundamental as a phone number, you’re building your house on shaky ground.
