‘Largest Data Leak in History’: WhatsApp Flaw Exposed Billions of Users

It began as a small curiosity and ultimately exposed phone numbers for nearly half the planet.
A team of Austrian researchers has uncovered a major weakness in WhatsApp, revealing how a basic contact-lookup function can be exploited to create a global directory of users. By pushing WhatsApp’s contact discovery tool far beyond typical use, the researchers confirmed 3.5 billion active phone numbers linked to WhatsApp accounts.
In the research paper, they noted that the exposure would have been “the largest data leak in history, had it not been collated as part of a responsibly-conducted research study.”
The researchers stated that the data for many accounts “contains phone numbers, timestamps, about text, profile pictures, and public keys for E2EE encryption.” They added that its exposure “would entail adverse implications to the included users.”
How the enumeration worked
Instead of using the standard app, the researchers tapped into WhatsApp’s underlying XMPP interface, using a reverse-engineered client called whatsmeow. With just five concurrent sessions and a single server, they were able to run queries at up to 7,000 numbers per second.
The team first generated possible phone numbers across 245 countries, then checked whether each was active on WhatsApp. The researchers noted that they had expected some pushback, such as blocking, rate limiting, or warnings from WhatsApp, but none occurred.
They wrote that “we did not encounter prohibitive rate-limiting” and completed the sweep without bans or slowdowns. What emerged from the data was essentially a demographic snapshot of WhatsApp’s entire user base.
The study shows where WhatsApp is most popular, which countries rely heavily on Android versus iOS, and how many people publicly expose personal details through their “about” lines or profile photos. In many regions, more than half of users allow their profile picture to be displayed publicly, a detail the researchers used to demonstrate how easy it is to download images at scale.
Even the countries where WhatsApp is banned did not escape detection. The team identified active accounts in China (2.3 million), Myanmar (1.6 million), and North Korea (5), indicating that many people continue to use the platform despite restrictions. In Iran, where WhatsApp had been banned until late 2024, the researchers found more than 59 million active accounts.
Meta responds
In a statement shared with WIRED, Nitin Gupta, WhatsApp’s VP of engineering, acknowledged the issue and stated that the company had already been tightening its anti-scraping defenses. He called the exposed information “basic publicly available information,” saying that users who set their profile details to private were protected.
“We have found no evidence of malicious actors abusing this vector. As a reminder, user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption, and no non-public data was accessible to the researchers,” said Gupta. He also stated that the company has been developing new anti-scraping protections and that this research helped “stress-test” those systems.
Meta has since applied stricter rate limiting on WhatsApp’s web interface, effectively closing the door on the exact technique used by the researchers.
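A defensive sketch of the mitigation the article describes (stricter rate limiting on contact lookups), added here as an example and not code from the researchers, from whatsmeow or from WhatsApp: a sliding-window limiter that counts lookups per session and per source address, run against constructed traffic shaped like the study's five concurrent sessions on one host at 7,000 numbers per second. The thresholds, session names and the documentation-range IP address are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from math import inf
# Constructed thresholds (assumptions for this example, not WhatsApp's policy).
# A client syncing an address book needs at most a few thousand lookups per
# minute; the 7,000 per second reported in the study is far beyond that.
WINDOW_SECONDS = 60.0
PER_SESSION_LIMIT = 5_000    # lookups per session per window
PER_SOURCE_LIMIT = 10_000    # lookups per source IP per window, all sessions combined


class ContactLookupLimiter:
    """Sliding-window limiter keyed per session AND per source IP, so spreading
    lookups over several concurrent sessions on one host still hits a cap."""

    def __init__(self, per_session=PER_SESSION_LIMIT, per_source=PER_SOURCE_LIMIT,
                 window=WINDOW_SECONDS):
        self.per_session, self.per_source, self.window = per_session, per_source, window
        # kind -> key -> deque of (timestamp, lookups) batches inside the window
        self._hits = {"session": defaultdict(deque), "source": defaultdict(deque)}
        self.flagged_sources = set()   # sources that exceeded a cap; review/block

    def _usage(self, kind, key, now):
        dq = self._hits[kind][key]
        while dq and now - dq[0][0] >= self.window:   # drop expired batches
            dq.popleft()
        return sum(n for _, n in dq)

    def allow(self, session_id, source_ip, now, batch_size):
        """Return True if `batch_size` numbers may be looked up at time `now`."""
        if (self._usage("session", session_id, now) + batch_size > self.per_session
                or self._usage("source", source_ip, now) + batch_size > self.per_source):
            self.flagged_sources.add(source_ip)
            return False
        self._hits["session"][session_id].append((now, batch_size))
        self._hits["source"][source_ip].append((now, batch_size))
        return True


def simulate_bulk_lookup(limiter, sessions=5, per_session_rate=1_400, seconds=3):
    """Constructed traffic: `sessions` concurrent sessions from one host, each
    submitting one batch of `per_session_rate` numbers per second (5 x 1,400 =
    7,000/s). Returns (lookups allowed, lookups refused)."""
    allowed = refused = 0
    for t in range(seconds):
        for s in range(sessions):
            # 198.51.100.7 is a documentation-range address, constructed for the example
            if limiter.allow(f"session-{s}", "198.51.100.7", float(t), per_session_rate):
                allowed += per_session_rate
            else:
                refused += per_session_rate
    return allowed, refused
```

With only the per-session cap (`per_source=inf`) all 21,000 constructed lookups pass in three seconds, because each session stays under 5,000; adding the per-source cap stops the host after 9,800 and flags its address, which is the point of aggregating across sessions.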
However, privacy experts warn that any service depending on phone numbers will always be a tempting target for large-scale scraping, especially when simplicity is part of its global appeal. WhatsApp is now testing a username feature in beta that could eventually reduce this risk.
Concerns about WhatsApp’s data exposure echo recent allegations from its former security chief, who says Meta has been ignoring flaws that put billions at risk.
