A group of researchers from the University of Vienna in Austria has disclosed the details of a novel enumeration technique that allowed them to scrape 3.5 billion WhatsApp accounts. WhatsApp owner Meta has rolled out mitigations to prevent exploitation of the vulnerability.
WhatsApp, like practically every major communications app, lets users connect with others based on phone numbers. When users try to find their phone contacts on WhatsApp, the company's servers are queried to determine whether the person associated with a particular phone number is registered.
The University of Vienna researchers found a way to enumerate WhatsApp accounts without being blocked. They generated possible phone number combinations and checked which of them were registered on the messaging service.
The researchers expected to run into rate limiting, but they were able to scrape WhatsApp account data at rates of more than 100 million phone numbers per hour.
“Normally, a system should not respond to such a high number of requests in such a short time — particularly when originating from a single source,” said Gabriel Gegenhuber, lead author of the research paper. “This behavior exposed the underlying flaw, which allowed us to issue an effectively unlimited number of requests to the server and, in doing so, map user data worldwide.”
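The contact-discovery lookup and the missing per-source throttling described above, as an added example that is not part of the original article and is not WhatsApp's code or protocol: a simulated "is this number registered?" endpoint, first with no per-source limit (every batch is answered, so a block of candidate numbers can be swept end to end) and then with a sliding-window budget per caller that rejects the sweep once the budget is spent. The E.164-style number format, the registered set, the batch size and the budget are constructed assumptions.

```python
"""Simulated contact-discovery endpoint: unthrottled vs. per-source rate-limited.

Added example, not WhatsApp's code or protocol. The number format, the
'registered' set and the rate-limit parameters are constructed for illustration.
"""
import time
from collections import defaultdict

# Constructed sample: a handful of "registered" numbers in a fictitious +1-555 block.
REGISTERED = {"+15550100234", "+15550101111", "+15550109876"}


class ContactDiscovery:
    """Answers 'is this phone number registered?' for a batch of numbers.

    max_lookups_per_window=None reproduces the unthrottled behaviour the
    researchers describe; a finite value enforces a per-source sliding-window
    budget (lookups per window_seconds) so one origin cannot sweep a block.
    """

    def __init__(self, registered, max_lookups_per_window=None, window_seconds=3600):
        self.registered = set(registered)
        self.limit = max_lookups_per_window
        self.window = window_seconds
        self.usage = defaultdict(list)  # source_id -> timestamps of past lookups

    def lookup(self, source_id, numbers, now=None):
        now = time.time() if now is None else now
        if self.limit is not None:
            # Forget lookups that fell out of the window, then check the budget
            # before answering anything: a batch is accepted or rejected whole.
            recent = [t for t in self.usage[source_id] if now - t < self.window]
            self.usage[source_id] = recent
            if len(recent) + len(numbers) > self.limit:
                raise PermissionError(f"rate limit exceeded for source {source_id}")
            self.usage[source_id].extend([now] * len(numbers))
        return {n: (n in self.registered) for n in numbers}


def candidate_numbers(prefix, start, count, width=7):
    """Generate a contiguous block of candidates: prefix followed by a zero-padded suffix."""
    return [f"{prefix}{i:0{width}d}" for i in range(start, start + count)]


def enumerate_block(service, source_id, prefix, start, count, batch_size=1000, now=0.0):
    """Sweep a number block in batches from a single source; stop at the first rejection.

    Returns (registered_numbers_found, lookups_completed).
    """
    found, done = [], 0
    candidates = candidate_numbers(prefix, start, count)
    for i in range(0, len(candidates), batch_size):
        batch = candidates[i:i + batch_size]
        try:
            result = service.lookup(source_id, batch, now=now)
        except PermissionError:
            break
        found.extend(n for n, registered in result.items() if registered)
        done += len(batch)
    return sorted(found), done


if __name__ == "__main__":
    # Unthrottled: the whole 10,000-number block is swept and all three hits are found.
    open_service = ContactDiscovery(REGISTERED)
    print(enumerate_block(open_service, "scraper-1", "+1555", 100000, 10000))
    # Per-source budget of 2,500 lookups per hour: the sweep is cut off after two batches.
    limited_service = ContactDiscovery(REGISTERED, max_lookups_per_window=2500)
    print(enumerate_block(limited_service, "scraper-1", "+1555", 100000, 10000))
```

The budget is keyed per source and windowed in time, which is the check the quote above says was missing. It is only a first line of defence: a scraper that spreads lookups across many sources stays under any one budget, which is why a production service layers further anti-scraping signals on top of per-caller limits.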
They enumerated the accounts of all 3.5 billion WhatsApp users across 245 countries. The scraped data included timestamps and public keys, which allowed them to infer additional data such as account age, operating system, and the number of linked devices.
For some of the accounts the scraped data also included profile pictures and text added by users in the ‘about’ section.
The researchers compared the obtained information to the 500 million Facebook user records leaked in 2021 and found that nearly half of the phone numbers exposed in that leak were currently associated with a WhatsApp account.
The research was highlighted earlier this week by Meta in its bug bounty program report for 2025. The social media giant paid out roughly $4 million in bug bounties this year. However, the researchers have not disclosed the bounty they received, and Meta said it does not disclose such information without the researchers' permission.
“This collaboration successfully identified a novel enumeration technique that surpassed our intended limits, allowing the researchers to scrape basic publicly available information,” Nitin Gupta, VP of Engineering at WhatsApp, said in an emailed statement. “We had already been working on industry-leading anti-scraping systems, and this study was instrumental in stress-testing and confirming the immediate efficacy of these new defenses.”
“Importantly, the researchers have securely deleted the data collected as part of the study, and we have found no evidence of malicious actors abusing this vector,” Gupta added.
In response to an inquiry from SecurityWeek, Meta has provided additional important clarifications regarding this research.
The company pointed out that it is not accurate to describe the researchers' work as “exposing” or “obtaining” 3.5 billion phone numbers. The researchers generated possible number combinations and checked which of them were registered on the service in a way that “exceeded [WhatsApp's] intended limits”.
Meta also noted that messages, contacts, or other personal data were not exposed. The profile pictures and ‘about’ information (this is often ‘Hey, I am using WhatsApp’ or a short text or emoji chosen by the user) were only accessible in the case of users who chose to make the information public to ‘everyone’.
WhatsApp provides privacy controls that let users allow only contacts to see this information or prevent everyone from seeing it.
The researchers said they progressively reported their findings to Meta throughout late 2024 and 2025, but the vendor said it only received the technical details needed to fully understand the issue in August 2025. The company said the first mitigations were rolled out in early September, and additional measures were implemented in October.
Related: $1M WhatsApp Hack Flops: Only Low-Risk Bugs Disclosed to Meta After Pwn2Own Withdrawal
Related: Ex-WhatsApp Employee Sues Meta Over Vulnerabilities, Retaliation
