WhatsApp Vulnerability Exposed Billions of User Profiles to Scraping
Vienna, Austria – A team of researchers at the University of Vienna discovered and exploited a significant flaw in WhatsApp's architecture, allowing the enumeration of 3.5 billion user profiles. Meta, WhatsApp's parent company, has since implemented patches to address the vulnerability, which allowed mass collection of data despite existing rate limits.
The researchers demonstrated the ability to query WhatsApp servers with phone numbers to determine account availability – a necessary function for legitimate users seeking to connect. However, they found they could probe over 100 million numbers per hour without triggering blocking mechanisms.
“This architecture inherently enables phone number enumeration, as the service must allow legitimate users to query contact availability. While rate limiting is a standard defense against abuse, we revisit the problem and show that WhatsApp remains highly vulnerable to enumeration at scale,” the researchers stated in their published report. “In our study, we were able to probe over a hundred million phone numbers per hour without encountering blocking or effective rate limiting.”
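As an added illustration (not code from the researchers or from Meta), the following defender-side detector scores contact-discovery lookups on three signals the passage implies: lookup volume in a sliding window, the share of lookups for numbers with no account, and whether the queried numbers form a contiguous range. The event format, client ids, phone numbers and thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed contact-discovery lookup events: (time_s, client_id, number, account_exists).
# A real service would feed these from its own access logs; every value here is made up.
def _scraper_events():
    # Hypothetical scraper walking a number range one number at a time, one lookup per second.
    return [(t, "client-B", 15550000000 + t, t % 5 == 0) for t in range(60)]

SAMPLE_EVENTS = [
    (1, "client-A", 15551234567, True),   # ordinary address-book sync: few lookups, mostly hits
    (7, "client-A", 15559876543, True),
    (30, "client-A", 15550001111, False),
] + _scraper_events()

def detect_enumeration(events, window_s=60, max_lookups=20,
                       max_miss_ratio=0.5, max_sequential_ratio=0.8):
    """Return {client_id: [reasons]} for clients whose lookup pattern looks like enumeration.

    Thresholds are illustrative assumptions, not WhatsApp's actual limits."""
    by_client = defaultdict(list)
    for t, client, number, exists in sorted(events):
        by_client[client].append((t, number, exists))

    flagged = {}
    for client, rows in by_client.items():
        reasons = []
        # 1. Volume in a sliding window. This is the classic rate limit; on its own it is the
        #    control the researchers report bypassing, so it is only the first signal.
        window, peak = deque(), 0
        for t, _, _ in rows:
            window.append(t)
            while t - window[0] >= window_s:
                window.popleft()
            peak = max(peak, len(window))
        if peak > max_lookups:
            reasons.append(f"volume: {peak} lookups in {window_s}s")
        # 2. Miss ratio: syncing a real address book mostly hits; guessing numbers mostly misses.
        misses = sum(1 for _, _, exists in rows if not exists)
        if len(rows) >= 10 and misses / len(rows) > max_miss_ratio:
            reasons.append(f"miss ratio: {misses}/{len(rows)}")
        # 3. Contiguity: address books are not consecutive number ranges.
        steps = [b[1] - a[1] for a, b in zip(rows, rows[1:])]
        adjacent = sum(1 for s in steps if abs(s) == 1)
        if steps and adjacent / len(steps) > max_sequential_ratio:
            reasons.append(f"sequential: {adjacent}/{len(steps)} adjacent numbers")
        if reasons:
            flagged[client] = reasons
    return flagged
```

Combining the miss-ratio and contiguity signals with the volume count is what lets a service flag a slow, distributed scraper that stays under any single per-client rate limit.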
The team developed a method to generate plausible mobile numbers across 245 countries, ultimately analyzing 3.5 billion WhatsApp accounts. This data included phone numbers, timestamps, profile pictures, “about” texts, and end-to-end encryption (E2EE) public keys – creating a massive dataset for ethical study.
Notably, the analysis revealed that approximately half of the 500 million phone numbers exposed in the 2021 Facebook data scraping remain active on WhatsApp, highlighting the long-term consequences of data breaches. The research also uncovered active accounts in regions where WhatsApp is officially banned (China, Myanmar, North Korea, Iran), suggesting the ineffectiveness of those restrictions. Further analysis of encryption keys revealed widespread reuse and potential security flaws, including instances of US numbers using an all-zero private key, perhaps indicating compromised random number generators.
Meta downplayed the severity of the issue, asserting that no messages, contacts, or private data were exposed, and that profile data was only visible if users had set their privacy settings to “everyone.” The researchers initially reported the vulnerability throughout 2024-2025, with full technical details reaching Meta in August 2025. Mitigations were rolled out beginning in early September, with further protections added in October.