- WhatsApp has 3.5 billion active accounts exposed to metadata scraping risks globally
- Contact discovery bugs allowed enumeration of phone numbers on a massive global scale
- Millions of encryption keys were reused across accounts, undermining security assumptions
WhatsApp users may need to take extra steps to protect their account information after a potentially worrisome discovery.
An investigation by researchers at the University of Vienna revealed that the app’s contact discovery system enabled the collection of extensive WhatsApp user data on an unprecedented scale due to insufficient rate limiting across global endpoints.
The researchers were able to collect vast amounts of phone numbers, public profile pictures, account status text, company brands and information linked to end-to-end encryption keys.
How the data was collected at scale
The dataset included users in countries where WhatsApp is banned, including China, Iran, Myanmar and North Korea, potentially making it possible to identify people in regions with strict state surveillance and limited access to encrypted tools.
The research team generated over 60 billion possible mobile numbers across more than two hundred countries using automated number generation tools.
They then checked each number against WhatsApp servers using reverse-engineered protocols.
The method relied on modified open source clients that queried WhatsApp infrastructure directly instead of through official applications.
The process validated thousands of numbers per second without being blocked, replicating enumeration problems previously documented in 2012 and 2021.
Collected data included timestamps, device information, public-facing encryption keys, and metadata that allowed mapping of usage patterns across global regions.
There were millions of cases where encryption keys were reused across different accounts despite expectations that each key should be unique.
Some keys consisted entirely of zeros, indicating faulty implementations by third-party clients instead of the primary application.
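A key-directory audit for the two defects described above, as an added example that is not code from the researchers or from WhatsApp: it flags all-zero keys and keys presented by more than one account. The record layout, account names and the 32-byte hex key format are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

KEY_LEN = 32  # assumption: raw 32-byte public keys, hex-encoded

# Constructed sample records: (account_id, hex public key). Not real data.
SAMPLE = [
    ("acct-1", "a1" * 32),
    ("acct-2", "A1" * 32),  # same key as acct-1, different hex case
    ("acct-3", "00" * 32),  # all-zero key
    ("acct-4", "b2" * 32),
    ("acct-4", "b2" * 32),  # same account seen twice: not cross-account reuse
    ("acct-5", "c3" * 16),  # wrong length
    ("acct-6", "zz" * 32),  # not valid hex
]


def audit_identity_keys(records):
    """Return accounts with malformed or all-zero keys, and keys shared across accounts."""
    malformed, all_zero = [], []
    owners = defaultdict(set)  # key bytes -> set of accounts presenting that key
    for account, key_hex in records:
        try:
            key = bytes.fromhex(key_hex)
        except ValueError:
            malformed.append(account)
            continue
        if len(key) != KEY_LEN:
            malformed.append(account)
            continue
        if not any(key):  # every byte is zero
            all_zero.append(account)
            continue
        owners[key].add(account)
    # A key counts as reused only when more than one distinct account presents it.
    reused = {k.hex(): sorted(a) for k, a in owners.items() if len(a) > 1}
    return {"malformed": malformed, "all_zero": all_zero, "reused": reused}


if __name__ == "__main__":
    print(audit_identity_keys(SAMPLE))
```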
In a statement sent to Cyberinsider, Nitin Gupta, VP of Engineering at WhatsApp, said:
“We are grateful to researchers from the University of Vienna for their responsible partnership and diligence under our Bug Bounty program. This collaboration has successfully identified a new enumeration technique that exceeded our intended limits, allowing the researchers to scrape basic publicly available information. We had already worked on industry-leading anti-scraping systems, and this study was instrumental in the new media’s effectiveness and confirmed that it was effective. It is important that the researchers safely deleted the data collected as part of the investigation, and we found no evidence of malicious actors abusing this vector. As a reminder, user messages remained private and secure thanks to WhatsApp’s standard end-to-end encryption, and no non-public data was available to the researchers.”
Meta claimed that messages remained protected, but the researchers maintained that public key reuse weakens the trust model behind end-to-end encryption.
The company applied stronger rate limits in October 2025 after publication and later addressed a separate issue on Apple devices that allowed unauthorized media downloads.
WhatsApp reached an estimated 3.5 billion active accounts by early 2025, placing it among the most widely used communication platforms in history.
How to stay safe
- Limit what appears in public profile fields and avoid sending links in status messages.
- Use strong passwords and enable two-factor authentication for better account protection.
- Keep antivirus software up to date to detect threats before they affect your account.
- Use identity theft protection services to monitor for suspicious activity or misuse of data.
- Block unknown contacts and review account activity regularly for unusual behavior.
- Enable a firewall to prevent malicious network access and suspicious connections.
- Avoid unofficial WhatsApp clients and update the official app as soon as possible.



