A flaw in the mechanism WhatsApp uses to identify which address-book contacts are registered with the service has allowed a group of academics to rebuild a global database of over 3.5 billion active accounts. This does not concern the content of messages, which remained protected, but an enormous amount of personal metadata (phone numbers, profile images, "about" texts and even elements related to encryption) that could be retrieved without tripping any rate-limit threshold or triggering automatic blocks. The vulnerability was identified by a group of researchers from the University of Vienna – Gabriel Gegenhuber, Philipp É. Frenzel, Maximilian Günther, Johanna Ullrich and Aljosha Judmayer – and will be described in detail in a study accepted at the conference NDSS 2026, one of the main scientific events dedicated to the security of computer systems. Between December 2024 and April 2025, the team analyzed the internal workings of the "contact discovery" mechanism, i.e. the function that lets WhatsApp tell us which numbers in our address book are already registered with the service. This process runs through programming interfaces, so-called APIs, which allow one piece of software to query another system automatically.

How researchers extracted data from over 3 billion WhatsApp accounts

Through reverse engineering, i.e. reconstructing how a system works from its externally observable behavior, the researchers discovered that a specific API could be queried without any frequency limit. In simple terms, there was no adequate mechanism to cap the number of requests allowed in a given time frame and so prevent abuse. Using a single university server and just five legitimate WhatsApp accounts, the group was able to verify more than 100 million phone numbers per hour! And all this without ever being blocked by the Meta platform.

To make the attack realistic on a global scale, the researchers developed a system capable of generating plausible combinations of mobile phone numbers for 245 countries, for a total of 63 billion potential contacts. These numbers were then verified via the XMPP protocol, an open standard for real-time messaging, using a modified open-source client called whatsmeow. At maximum speed, the system confirmed approximately 7,000 numbers per second as actually registered on WhatsApp.
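The defensive counterpart to the missing limit described above, as an added illustration that is not Meta's code or the researchers' tooling: a per-account sliding-window cap on how many phone numbers one account may submit to contact discovery, with a constructed stress run showing how far five accounts get under it. The limit values, account names and phone numbers are assumptions made up for the example.

```python
from collections import deque


class ContactDiscoveryLimiter:
    """Cap the number of phone numbers an account may look up per time window."""

    def __init__(self, max_numbers: int, window_seconds: float):
        self.max_numbers = max_numbers
        self.window = window_seconds
        # account id -> deque of (timestamp, numbers submitted) for recent lookups
        self._history: dict[str, deque] = {}

    def _used(self, account: str, now: float) -> int:
        hist = self._history.setdefault(account, deque())
        # forget lookups that have aged out of the window
        while hist and now - hist[0][0] >= self.window:
            hist.popleft()
        return sum(count for _, count in hist)

    def request(self, account: str, numbers: list[str], now: float) -> bool:
        """Record the lookup and return True if it fits the account's budget.

        An oversized batch is rejected whole rather than trimmed, so a caller
        cannot measure the remaining budget by probing with large batches.
        """
        if len(numbers) > self.max_numbers:
            return False
        if self._used(account, now) + len(numbers) > self.max_numbers:
            return False
        self._history[account].append((now, len(numbers)))
        return True


def numbers_checkable(limiter: ContactDiscoveryLimiter, accounts: list[str],
                      batch_size: int, hours: float) -> int:
    """Constructed stress run: every account submits one batch every second.

    Returns how many numbers the pool of accounts managed to get verified.
    """
    # constructed, obviously fake numbers; only the batch size matters here
    batch = ["+1555" + str(i).zfill(7) for i in range(batch_size)]
    checked = 0
    for t in range(int(hours * 3600)):
        for account in accounts:
            if limiter.request(account, batch, float(t)):
                checked += batch_size
    return checked
```

With a budget of 1,000 numbers per account per hour, five accounts hammering the endpoint once a second verify 5,000 numbers in that hour instead of the 1.8 million the same loop reaches when the cap is effectively absent.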

The result was a dataset of over 3.5 billion accounts, in line with the total number of active users declared by the platform. For each account, several elements could be observed. More than half of users globally had a public profile photo, with even higher percentages in some areas of West Africa. About a third displayed a visible "about" text, often used as a status, which in some cases contained references to political opinions, religious beliefs, sexual orientation or links to other social networks. Almost 9% were labeled as business accounts, often because users had chosen WhatsApp Business without being fully aware of how this choice increases the visibility of some data.

A more technical aspect concerns the cryptographic keys. End-to-end encryption, which protects messages, is based on pairs of cryptographic keys: one public, which is shared, and one private, which is secret. The researchers identified approximately 2.9 million cases of anomalous reuse of public keys, including identity keys and prekeys, which should instead be unique. In extreme cases, such as 20 US numbers associated with a key composed entirely of zeros, the data suggests the use of unofficial clients or faulty implementations, with potential impacts on the integrity of the cryptographic system.
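An added audit check for the two key anomalies described above (keys shared by unrelated numbers, and all-zero keys); this is illustrative code, not the researchers' tooling, and the key table, key lengths and phone numbers in it are constructed for the example.

```python
from collections import defaultdict

# Assumed 32-byte public keys rendered as hex; a real audit would read them
# from whatever key-transparency or directory data the operator holds.
ZERO_KEY = "00" * 32

SAMPLE_KEYS = {
    # phone number: (identity_key, signed_prekey); every value is made up
    "+15550000001": ("aa" * 32, "b1" * 32),
    "+15550000002": ("aa" * 32, "b2" * 32),  # identity key shared with ...001
    "+15550000003": ("cc" * 32, "b3" * 32),
    "+15550000004": (ZERO_KEY, "b4" * 32),    # all-zero identity key
    "+15550000005": ("dd" * 32, "b5" * 32),
    "+15550000006": ("ee" * 32, "b5" * 32),   # prekey shared with ...005
}


def audit_keys(records: dict) -> list[tuple[str, str]]:
    """Return (number, finding) pairs for accounts whose public keys look wrong.

    Findings are sorted so the output is stable for reporting and testing.
    """
    owners = {"identity": defaultdict(set), "prekey": defaultdict(set)}
    findings = []
    for number, (identity, prekey) in records.items():
        owners["identity"][identity].add(number)
        owners["prekey"][prekey].add(number)
        for kind, key in (("identity", identity), ("prekey", prekey)):
            if key == ZERO_KEY:
                findings.append((number, f"all-zero {kind} key"))
    # a key is anomalous when more than one distinct number presents it
    for kind, table in owners.items():
        for key, numbers in table.items():
            if len(numbers) > 1 and key != ZERO_KEY:
                for number in numbers:
                    findings.append((number, f"{kind} key shared by {len(numbers)} numbers"))
    return sorted(findings)


def summarize(records: dict) -> dict[str, int]:
    """Count affected accounts per finding type, e.g. for a dashboard metric."""
    counts: dict[str, int] = defaultdict(int)
    for _, finding in audit_keys(records):
        counts[finding] += 1
    return dict(counts)
```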

The study also highlights a geopolitical problem: accounts associated with countries where WhatsApp is officially banned, such as China, Iran, Myanmar and North Korea, turned out to be easily identifiable. In contexts of government surveillance, the mere identifiability of these users can increase personal risk, even without access to the contents of the conversations (where just signing up to WhatsApp constitutes a crime).

Meta was informed of the flaw

Meta was notified via the bug bounty program in April 2025 and introduced more stringent limits starting from October of the same year, silently correcting the flaw. Regarding the incident, which was very serious to say the least (and which fortunately had a happy ending, given that the problem was identified by a group of researchers and not by cyber criminals), Nitin Gupta, WhatsApp's vice president of engineering, released this statement:

We are grateful to researchers at the University of Vienna for their responsible collaboration and diligence as part of our bug bounty program. This collaboration successfully identified a new enumeration technique that exceeded expected limitations, allowing researchers to collect publicly available baseline information. We were already working on industry-leading anti-scraping systems, and this study was critical in testing and confirming the immediate effectiveness of these new defenses. It is important to underline that the researchers securely deleted the collected data as part of the study and we found no evidence of malicious actors abusing this vector. Recall that user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption and that researchers did not have access to any non-public data.

The fact remains that the incident represented a very serious event, which the researchers themselves defined as "the largest exposure of phone numbers and associated user data ever documented" and which, according to them, would have represented "the largest data leak in history, had it not been carried out as part of responsibly conducted research".