A flaw in the mechanism WhatsApp uses to identify which address-book contacts are on the service has allowed a group of academics to reconstruct a global database of over 3.5 billion active accounts. This does not concern the content of messages, which remained protected, but an enormous amount of personal metadata (phone numbers, profile images, "about" texts and even elements related to encryption) that could be collected without tripping any security threshold or automatic block. The vulnerability was identified by a group of researchers from the University of Vienna – Gabriel Gegenhuber, Philipp É. Frenzel, Maximilian Günther, Johanna Ullrich and Aljosha Judmayer – and will be described in detail in a study accepted at the NDSS 2026 conference, one of the main scientific events dedicated to the security of computer systems. Between December 2024 and April 2025, the team analyzed the internal functioning of the "contact discovery" mechanism, i.e. the function that lets WhatsApp tell us which numbers in our address book are already registered with the service. This process runs through programming interfaces, so-called APIs, which allow one piece of software to query another system automatically.
How researchers extrapolated data from over 3 billion WhatsApp accounts
Through reverse engineering, i.e. reconstructing how a system works from its external behavior, the researchers discovered that a specific API could be queried without rate limits. In simple terms, there was no adequate mechanism in place to cap the number of requests allowed in a given time frame and so prevent abuse. Using a single university server and just five legitimate WhatsApp accounts, the group managed to verify more than 100 million phone numbers per hour, and all this without ever being blocked by the Meta platform.
To make the attack realistic on a global scale, the researchers developed a system capable of generating plausible combinations of mobile phone numbers from 245 countries, for a total of 63 billion potential contacts. These numbers were then verified via the XMPP protocol, an open standard for real-time messaging, using a modified open source client called whatsmeow. At maximum speed, the system confirmed around 7,000 numbers per second as actually registered on WhatsApp.
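The missing control described above is a per-account rate limit on contact-discovery lookups. The following is an added illustration, not code from the paper or from WhatsApp: a sliding-window limiter that counts numbers checked rather than requests, replayed over constructed traffic from a normal client and an enumerating one. The account names, batch sizes and the 5,000-numbers-per-hour policy are all hypothetical.

```python
from collections import deque

class ContactLookupLimiter:
    """Sliding-window limiter for a contact-discovery endpoint.

    It counts *numbers checked* per account, not requests, so packing many
    numbers into one request does not evade it. Limits are hypothetical."""

    def __init__(self, max_numbers=5_000, window_s=3_600):
        self.max_numbers = max_numbers   # numbers one account may check per window
        self.window_s = window_s         # window length in seconds
        self._hist = {}                  # account -> deque of (timestamp, count)
        self._used = {}                  # account -> numbers checked inside window

    def allow(self, account, batch_size, now):
        """Return True if a lookup of batch_size numbers may be served now."""
        q = self._hist.setdefault(account, deque())
        used = self._used.get(account, 0)
        while q and q[0][0] <= now - self.window_s:   # expire entries outside the window
            used -= q.popleft()[1]
        if used + batch_size > self.max_numbers:
            self._used[account] = used
            return False
        q.append((now, batch_size))
        self._used[account] = used + batch_size
        return True

def replay(limiter, events):
    """Replay constructed (timestamp, account, batch_size) events in time order;
    return {account: (served, rejected)}."""
    stats = {}
    for ts, acct, size in sorted(events):
        served, rejected = stats.get(acct, (0, 0))
        if limiter.allow(acct, size, ts):
            served += 1
        else:
            rejected += 1
        stats[acct] = (served, rejected)
    return stats

# Constructed traffic: a normal client syncing its address book a few times an
# hour, and an enumerating client pushing 1,000 numbers per request every minute.
EVENTS = [(t, "normal", 50) for t in range(0, 3600, 600)]
EVENTS += [(t, "scraper", 1000) for t in range(0, 3600, 60)]
EVENTS += [(3700, "scraper", 1000)]   # after the window has slid forward

if __name__ == "__main__":
    print(replay(ContactLookupLimiter(), EVENTS))   # {'normal': (6, 0), 'scraper': (6, 55)}
```

The normal client is never throttled, while the enumerating client is cut off after its first 5,000 numbers and only regains budget as old lookups leave the window.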
The result was a dataset of over 3.5 billion accounts, in line with the total number of active users declared by the platform. For each account, several elements could be observed. More than half of users globally had a public profile photo, with even higher percentages in some areas of West Africa. About a third displayed visible information text, often used as a status, which in some cases contained references to political opinions, religious beliefs, sexual orientation or links to other social networks. Nearly 9% were labeled as business accounts, often because users had chosen WhatsApp Business without being fully aware of how this choice increases the visibility of some data.
A more technical aspect concerns cryptographic keys. End-to-end encryption, which protects messages, is based on pairs of cryptographic keys: one public, which is shared, and one private, which is secret. Researchers have identified approximately 2.9 million cases of anomalous reuse of public keys, including identity keys and prekeys, which should instead be unique. In extreme cases, such as 20 US numbers associated with a key composed entirely of zeros, the data suggests the use of unofficial clients or faulty implementations, with potential impacts on the integrity of the cryptographic system.
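The anomalies this paragraph describes (an identity key shared by several accounts, or a key made entirely of zeros) can be checked for in a key directory. The audit below is an added example, not the researchers' tooling; the key length, the placeholder numbers and the fake key values are constructed.

```python
from collections import defaultdict

KEY_LEN = 32                 # assumed public-key length in bytes
ZERO_KEY = bytes(KEY_LEN)    # an all-zero key is never a legitimate public key

def audit_public_keys(records):
    """records: iterable of (account, key_bytes) pairs, one identity key per account.
    Returns the anomalies the text describes:
      malformed: accounts whose key is not KEY_LEN bytes long
      zero_key:  accounts whose key is entirely zeros
      reused:    {key_hex: [accounts]} for keys shared by more than one account
    """
    by_key = defaultdict(list)
    malformed = []
    for account, key in records:
        if len(key) != KEY_LEN:
            malformed.append(account)
            continue
        by_key[key].append(account)
    zero_key = by_key.pop(ZERO_KEY, [])
    reused = {k.hex(): accts for k, accts in by_key.items() if len(accts) > 1}
    return {"malformed": malformed, "zero_key": zero_key, "reused": reused}

# Constructed sample with placeholder numbers and fake keys
SAMPLE = [
    ("+15550000001", bytes.fromhex("ab" * KEY_LEN)),
    ("+15550000002", bytes.fromhex("cd" * KEY_LEN)),
    ("+15550000003", bytes.fromhex("ab" * KEY_LEN)),  # same key as the first account
    ("+15550000004", ZERO_KEY),
    ("+15550000005", ZERO_KEY),
    ("+15550000006", b"\x01\x02\x03"),                  # truncated key
]

if __name__ == "__main__":
    print(audit_public_keys(SAMPLE))
```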
The study also highlights a geopolitical problem: accounts associated with countries where WhatsApp is officially banned, such as China, Iran, Myanmar and North Korea, were easily identifiable. In contexts of government surveillance, the simple identifiability of these users can increase personal risks, even without access to the contents of the conversations (just signing up to WhatsApp constitutes a crime).
Meta was informed of the flaw
Meta was notified via the bug bounty program in April 2025 and introduced tighter limits starting in October of that year, quietly patching the flaw. The incident was very serious, to say the least, although it ended well because the problem was found by a group of researchers rather than by cyber criminals. Nitin Gupta, vice president of engineering at WhatsApp, released this statement:
We are grateful to researchers at the University of Vienna for their responsible collaboration and diligence as part of our bug bounty program. This collaboration successfully identified a new enumeration technique that exceeded expected limitations, allowing researchers to collect publicly available baseline information. We were already working on industry-leading anti-scraping systems, and this study was critical in testing and confirming the immediate effectiveness of these new defenses. Importantly, the researchers securely deleted the data collected as part of the study, and we found no evidence of malicious actors abusing this vector. Recall that user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption and that researchers did not have access to any non-public data.
The fact remains that the incident represented a very serious event, which the researchers themselves defined as "the largest exposure of phone numbers and associated user data ever documented" and which, according to them, would on balance represent "the largest data leak in history, if it had not been carried out as part of responsibly carried out research".