WhatsApp security flaw exposed data of 3.5 billion users, study finds

The company stated that the researchers had identified an enumeration technique that exceeded the platform’s intended limits, enabling large-scale scraping of publicly available account information.

By Storyboard18, Nov 20, 2025 5:16 PM

A major security flaw in WhatsApp exposed the phone numbers of roughly 3.5 billion users worldwide, according to a study by researchers at the University of Vienna. The study stated that the team was able to obtain profile photos for 57 per cent of users affected and access profile text for 29 per cent, highlighting the scale of publicly retrievable information. The researchers added that Meta and WhatsApp had been alerted to the vulnerability as far back as 2017 by an earlier investigation but did not take sufficient action to address the issue for years.

The study said that if malicious actors had exploited the loophole and collected the data, it would have resulted in the largest data leak ever recorded, surpassing even the 2021 Facebook scraping incident that compromised around 500 million user records. The researchers detailed that the exposed dataset included phone numbers, timestamps, profile text, profile images and public keys used for end-to-end encryption, all of which could have had serious consequences for user privacy.

According to the study, the vulnerability was reported to WhatsApp again in April 2025. Researchers said the initial response from the company showed limited urgency, but by October Meta had collaborated with the team to implement a stricter rate-limiting system to close the loophole.

The flaw stemmed from WhatsApp’s basic contact discovery feature, which identifies which contacts in a user’s address book are on the platform. The researchers found that because WhatsApp had no effective rate-limiting in place, the feature could be exploited at scale to scan vast ranges of phone numbers. Once a number was confirmed as active on WhatsApp, the same mechanism could be used to gather any publicly accessible details tied to that account, including profile pictures, status text, device type and linked companion devices.
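A defensive sketch of the control the article says was missing, added here and not code from WhatsApp, Meta or the University of Vienna team: a per-client quota on the number of distinct phone numbers a contact-discovery request may resolve in a window, plus a hit-rate signal that separates an address-book sync from a range scan. The class name, thresholds and the hit-rate heuristic are assumptions.

```python
# Added example, not WhatsApp's or Meta's code; names and thresholds are assumptions.
from collections import deque
import time


class ContactDiscoveryLimiter:
    """Sliding-window cap on *distinct* numbers a client may look up, plus a
    hit-rate signal: an address-book sync resolves mostly to registered users,
    while a scan across a number range resolves mostly to nothing."""

    def __init__(self, max_numbers=5000, window_seconds=86400,
                 min_sample=1000, min_hit_rate=0.2, clock=time.time):
        self.max_numbers, self.window, self.clock = max_numbers, window_seconds, clock
        self.min_sample, self.min_hit_rate = min_sample, min_hit_rate
        self._events = {}  # client_id -> deque of (timestamp, number)
        self._seen = {}    # client_id -> numbers counted in the current window
        self._stats = {}   # client_id -> [numbers checked, numbers registered]

    def _expire(self, client_id, now):
        q = self._events.setdefault(client_id, deque())
        seen = self._seen.setdefault(client_id, set())
        while q and now - q[0][0] >= self.window:
            seen.discard(q.popleft()[1])  # window passed: release that slot
        return q, seen

    def check_batch(self, client_id, numbers):
        """Split one request into (allowed, rejected). Rejected numbers are not
        resolved at all, so an over-quota client learns nothing about them."""
        now = self.clock()
        q, seen = self._expire(client_id, now)
        allowed, rejected = [], []
        for number in numbers:
            if number in seen:                  # re-sync of a known contact: free
                allowed.append(number)
            elif len(seen) < self.max_numbers:
                seen.add(number)
                q.append((now, number))
                allowed.append(number)
            else:
                rejected.append(number)
        return allowed, rejected

    def note_results(self, client_id, checked, registered):
        """Record how many allowed numbers resolved to accounts; returns True
        once the client's hit rate looks like range scanning rather than a
        contact sync (enough samples, low share of registered numbers)."""
        stats = self._stats.setdefault(client_id, [0, 0])
        stats[0] += checked
        stats[1] += registered
        return stats[0] >= self.min_sample and stats[1] / stats[0] < self.min_hit_rate
```

The quota counts distinct numbers rather than requests, so repeatedly syncing the same address book stays free while sweeping new numbers is bounded per window.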

Meta, in a statement to 9to5Mac, acknowledged the issue and said it appreciated the University of Vienna team’s contribution through its Bug Bounty programme. The company stated that the researchers had identified an enumeration technique that exceeded the platform’s intended limits, enabling large-scale scraping of publicly available account information.

First Published on Nov 20, 2025 5:18 PM