Tuesday, March 17, 2026

Massive WhatsApp Vulnerability Leaks Phone Numbers Of 3.5 Billion Users

WhatsApp, the world’s most popular messaging app with 3.5 billion active users as of early 2025, has been exposed to a major privacy flaw that allowed researchers to scrape phone numbers and profile data on a massive scale.

Security experts from the University of Vienna and SBA Research discovered this vulnerability by exploiting the app’s contact discovery feature, which checks if phone numbers in a user’s address book are registered on the platform.

By querying WhatsApp’s servers without adequate limits, they enumerated over 3.5 billion accounts across 245 countries, marking what they call the most significant data exposure in history.

This issue persisted despite end-to-end message encryption, highlighting risks in the app’s user discovery.

The flaw stems from WhatsApp’s architecture, which requires users to query servers by phone number to find contacts. This process inherently enables enumeration if not properly restricted.

Researchers reverse-engineered WhatsApp’s XMPP-based APIs to build a custom tool that automated these queries at high speed.

Using Google’s libphonenumber library, they generated 63 billion candidate numbers and probed them at over 100 million checks per hour without triggering blocks.

This bypassed basic rate limiting, a standard defense that caps requests to prevent abuse.

For each registered number, the tool retrieved details such as profile pictures (if public), “about” text, companion device lists, and even the X25519 public keys used for encryption.

They found key reuse across devices, suggesting insecure implementations or fraud.

Data collection ran from December 2024 to April 2025, yielding insights into user distribution, with high adoption in regions like Western Africa (over 80% in some countries) and surprising activity in banned areas like China (2.3 million accounts).

Technical Breakdown Of The Exploit

At its core, the vulnerability exploits the lack of robust throttling in WhatsApp’s contact lookup endpoint.

When a user uploads contacts, WhatsApp responds with a binary indicator: registered or not, plus optional metadata if privacy settings allow.

The researchers’ script sent HTTP requests mimicking the official client, avoiding detection by distributing queries across multiple IP addresses and sessions.

No authentication beyond a valid session was needed, making it accessible to anyone with basic programming skills.
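To make the throttling point from the two passages above concrete, here is an added example (my own, not WhatsApp's code and not the researchers' tool) of a toy contact-discovery service: it answers registered or not for each number in a batch, releases "about" metadata only when the owner's privacy setting allows it, and enforces a per-session lookup budget over a sliding window. The class names, the 555 test-range numbers and the budget of 5,000 lookups per hour are assumptions chosen for illustration.

```python
"""Added example, not code from WhatsApp or the researchers: a toy
contact-discovery endpoint with a per-session lookup budget.

Everything here is constructed for illustration: the registry, the
session identifiers, and the budget of 5000 lookups per hour.
"""
import time
from collections import deque
from dataclasses import dataclass


@dataclass
class Profile:
    number: str                   # E.164 string, e.g. "+15550000042"
    about: str = ""
    about_visible: bool = False   # owner's privacy setting for the "about" text


class LookupLimiter:
    """Sliding-window budget keyed by session.

    Keying by session rather than by source IP matters because a bulk
    querier can spread requests across many addresses; a production
    service would add per-account and global budgets on top of this.
    """

    def __init__(self, max_lookups, window_seconds):
        self.max_lookups = max_lookups
        self.window_seconds = window_seconds
        self._events = {}         # session_id -> deque of (timestamp, count)

    def allow(self, session_id, count, now):
        q = self._events.setdefault(session_id, deque())
        cutoff = now - self.window_seconds
        while q and q[0][0] <= cutoff:   # drop events that fell out of the window
            q.popleft()
        used = sum(n for _, n in q)
        if used + count > self.max_lookups:
            return False                 # budget exhausted: refuse the whole batch
        q.append((now, count))
        return True


class ContactDiscovery:
    """Answers 'is this number registered?' for a batch of numbers."""

    def __init__(self, profiles, limiter=None):
        self.registry = {p.number: p for p in profiles}
        self.limiter = limiter           # None models the unthrottled configuration

    def lookup(self, session_id, numbers, now=None):
        now = time.time() if now is None else now
        if self.limiter and not self.limiter.allow(session_id, len(numbers), now):
            raise PermissionError("lookup budget exceeded for session %s" % session_id)
        out = {}
        for n in numbers:
            p = self.registry.get(n)
            if p is None:
                out[n] = {"registered": False}
            else:
                entry = {"registered": True}
                if p.about_visible:      # metadata only when privacy settings allow
                    entry["about"] = p.about
                out[n] = entry
        return out


# Constructed sample registry (fake numbers in the 555 test range).
REGISTRY = [
    Profile("+15550000042", about="hello", about_visible=True),
    Profile("+15550000777", about="private", about_visible=False),
]


def simulate_batches(service, session_id, total, batch, start=1_000_000.0):
    """Feed sequential candidate numbers in batches and return how many the
    service answered before refusing. All batches fall inside one window."""
    answered = 0
    for i in range(0, total, batch):
        candidates = ["+1555%07d" % k for k in range(i, min(i + batch, total))]
        try:
            service.lookup(session_id, candidates, now=start + i * 0.001)
        except PermissionError:
            break
        answered += len(candidates)
    return answered


def compare(total=10_000, batch=1_000):
    """(answered without a limiter, answered with a 5000/hour limiter)."""
    open_service = ContactDiscovery(REGISTRY)
    hardened = ContactDiscovery(REGISTRY, LookupLimiter(max_lookups=5_000, window_seconds=3600))
    return (simulate_batches(open_service, "s1", total, batch),
            simulate_batches(hardened, "s1", total, batch))


if __name__ == "__main__":
    print(compare())   # (10000, 5000)
```

The unthrottled service answers every candidate; the hardened one stops the same session after its budget and only resumes once the window has moved on, which is the behaviour the fix described later in the article restores.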

They started with U.S. numbers, scraping 30 million in 30 minutes, then scaled globally.

This exposed not just numbers but also demographic patterns, such as Android vs. iOS share and account churn rates.

Cross-referencing the data with the 2021 Facebook breach showed that nearly half of those 533 million leaked numbers remained active on WhatsApp, amplifying long-term risks.

Broader Risks and Resolution

The scraped data poses severe threats, enabling spam, phishing, and targeted attacks by mapping numbers to faces via profile photos.

In oppressive regimes, it could aid surveillance, as seen with 59 million accounts in Iran despite bans.

Cybercriminals might use it for robocalls or impersonation, while advertisers could build shadow profiles.

Researchers responsibly disclosed the issue to Meta in April 2025 under its bug bounty program, leading to stricter rate limiting that now blocks large-scale probes.

WhatsApp confirmed the fix, noting it was a novel technique that exceeded prior limits, but emphasized that no sensitive message content was accessed.

The full findings appear in a preprint on GitHub, set for NDSS Symposium 2026. Users should review privacy settings to limit profile visibility and avoid sharing numbers casually.

This incident underscores the need for proactive defenses in centralized platforms, even with encryption.

Vulnerability Summary Table

Aspect | Details
Affected Products | WhatsApp mobile app (Android/iOS), WhatsApp Web, all versions up to April 2025
Impact | High privacy exposure; enables mass enumeration of phone numbers, profiles, and keys for spam/phishing/surveillance
Exploit Prerequisites | Basic scripting knowledge; access to phone number generator (e.g., libphonenumber); no privileges needed
CVSS Score (Estimated) | 7.5 (High) – AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (confidentiality impact from enumeration)
Indicators of Compromise | N/A (design flaw, not malware); monitor for unusual query volumes in logs
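The last row of the table points to log monitoring. As an added example (my own, not a WhatsApp detection rule), here is a small analyser over constructed contact-lookup log lines: it parses per-batch records, aggregates per account and hour across all sessions and IPs (since the probing described above was spread over many of each), and flags accounts whose hourly lookup volume exceeds a threshold or whose share of registered hits is implausibly low for a genuine address-book sync. The log format, field names, thresholds and the hit-ratio heuristic are all assumptions.

```python
"""Added example, not a WhatsApp detection rule: flag enumeration-like
contact-lookup behaviour from per-request server logs.

The log format, thresholds and the hit-ratio heuristic are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: one line per lookup batch.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) session=(?P<session>\S+) "
    r"ip=(?P<ip>\S+) lookups=(?P<lookups>\d+) hits=(?P<hits>\d+)$"
)

# Constructed sample: acct_sync is an ordinary address-book sync; acct_bulk
# spreads a large run over four sessions and four IPs so that no single
# session or address stands out on its own; acct_migrate is a large but
# legitimate sync (almost every number it asks about is registered).
SAMPLE_LOG = """\
2025-01-15T10:00:01Z account=acct_sync session=s1 ip=198.51.100.7 lookups=250 hits=230
2025-01-15T10:20:11Z account=acct_sync session=s1 ip=198.51.100.7 lookups=40 hits=38
2025-01-15T10:02:05Z account=acct_bulk session=s2 ip=203.0.113.5 lookups=8000 hits=450
2025-01-15T10:05:09Z account=acct_bulk session=s3 ip=203.0.113.6 lookups=8000 hits=470
2025-01-15T10:09:44Z account=acct_bulk session=s4 ip=203.0.113.7 lookups=8000 hits=440
2025-01-15T10:12:30Z account=acct_bulk session=s5 ip=203.0.113.8 lookups=8000 hits=460
2025-01-15T11:01:00Z account=acct_migrate session=s6 ip=192.0.2.9 lookups=1500 hits=1400
"""


def parse(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["lookups"] = int(rec["lookups"])
        rec["hits"] = int(rec["hits"])
        yield rec


def _hour(ts):
    return ts.replace(minute=0, second=0, microsecond=0)


def hourly_by_account(records):
    """Aggregate across sessions and IPs, keyed by (account, hour)."""
    agg = defaultdict(lambda: {"lookups": 0, "hits": 0, "ips": set(), "sessions": set()})
    for r in records:
        a = agg[(r["account"], _hour(r["ts"]))]
        a["lookups"] += r["lookups"]
        a["hits"] += r["hits"]
        a["ips"].add(r["ip"])
        a["sessions"].add(r["session"])
    return agg


def max_per_ip(records):
    """Per-IP view, for contrast: judged address by address, the same
    traffic stays under the volume threshold used in flag()."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["ip"], _hour(r["ts"]))] += r["lookups"]
    return max(totals.values()) if totals else 0


def flag(agg, max_lookups_per_hour=20_000, min_hit_ratio=0.2, min_lookups_for_ratio=1_000):
    """Return {account: [reasons]} for accounts whose hourly behaviour
    looks like candidate-number probing rather than a contact sync."""
    findings = defaultdict(list)
    for (account, hour), a in sorted(agg.items()):
        reasons = []
        if a["lookups"] > max_lookups_per_hour:
            reasons.append("volume %d lookups in hour %s across %d sessions / %d IPs"
                           % (a["lookups"], hour.isoformat(), len(a["sessions"]), len(a["ips"])))
        ratio = a["hits"] / a["lookups"] if a["lookups"] else 1.0
        if a["lookups"] >= min_lookups_for_ratio and ratio < min_hit_ratio:
            reasons.append("hit ratio %.2f (a real address book is mostly registered contacts)" % ratio)
        if reasons:
            findings[account].extend(reasons)
    return dict(findings)


def analyse(text=SAMPLE_LOG):
    return flag(hourly_by_account(parse(text)))


if __name__ == "__main__":
    print("largest single-IP hourly volume:", max_per_ip(parse(SAMPLE_LOG)))
    for account, reasons in analyse().items():
        print(account)
        for reason in reasons:
            print("  -", reason)
```

The per-IP view never crosses the volume threshold, which is why the aggregation key is the account; the hit-ratio check catches the same pattern even if the volume were split more thinly, because random candidate numbers are mostly unregistered whereas a user's real contacts are mostly registered.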
Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
