A massive WhatsApp privacy issue has blown up after researchers from the University of Vienna figured out a way to collect 3.5 billion phone numbers from the app, giving them near-complete coverage of WhatsApp’s 3Bn+ monthly active users. Instead of hacking anything, they simply pushed WhatsApp’s own ‘contact discovery’ feature to its limits, reports Wired. This is the tool that checks your phonebook to see who’s on WhatsApp, but the researchers automated it at extreme scale, hitting the system with nonstop number checks. Because WhatsApp did not enforce strong limits on how fast those checks could be made, the team was able to run tens of millions of lookups per hour, and over time that let them identify a massive share of WhatsApp’s global user base.
The researchers say the leak was not just about pulling phone numbers – the exposure went way deeper than that. Once they confirmed which numbers were tied to real WhatsApp accounts, they discovered that a significant portion of users had other details publicly visible by default. More than half of the accounts they scanned displayed profile photos, and nearly a third revealed their ‘About’ status text. While these pieces of information might seem harmless at first glance, they can be surprisingly revealing when linked to a verified phone number – offering clues about a person’s identity, demographics, and lifestyle. And in countries with strict surveillance or political tensions, this kind of metadata can have dangerous implications.
The report also revealed that the research team quietly shared their findings with Meta earlier this year, then wiped the massive database they had collected and waited for WhatsApp to step in and fix the issue. Meta eventually pushed out tougher rate limits to stop anyone from blasting the system with automated number checks again. The company stressed that the only info exposed was what users had already made public and insisted that no encrypted chats or private messages were ever in danger.
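As an added illustration (not the researchers’ tooling, nor anything from WhatsApp or Meta), here is the kind of per-client quota the article says was missing and later added: a sliding-window limiter in front of a contact-discovery endpoint that answers an ordinary phonebook sync within budget, refuses lookups beyond it, and flags clients whose refusals keep piling up. The sample directory, client ids, quota values and the `discover` interface are all assumptions made for the example.

```python
import time
from collections import defaultdict, deque

# Constructed sample directory standing in for the service's registered numbers.
REGISTERED = {"+15550001", "+15550002", "+15550003"}


class ContactDiscoveryLimiter:
    """Per-client sliding-window quota on contact-discovery lookups.

    A real phonebook sync checks a few thousand numbers now and then, which
    fits the budget. A bulk enumeration run submits unrelated numbers nonstop,
    exhausts the budget almost immediately, and accumulates refusals; once the
    refusals pass `flag_after`, the client is marked for review.
    """

    def __init__(self, max_lookups=5000, window_seconds=3600,
                 flag_after=10000, clock=time.monotonic):
        self.max_lookups = max_lookups
        self.window = window_seconds
        self.flag_after = flag_after
        self.clock = clock                    # injectable for deterministic tests
        self._accepted = defaultdict(deque)   # client -> timestamps of accepted lookups
        self.rejected = defaultdict(int)      # client -> lookups refused so far
        self.flagged = set()

    def _budget(self, client, now):
        """Drop timestamps older than the window and return remaining quota."""
        q = self._accepted[client]
        while q and now - q[0] >= self.window:
            q.popleft()
        return max(0, self.max_lookups - len(q))

    def discover(self, client, numbers):
        """Return (found, refused): numbers that are registered, and numbers
        that were not checked at all because this client's quota ran out."""
        now = self.clock()
        numbers = list(dict.fromkeys(numbers))   # ignore duplicates in the request
        budget = self._budget(client, now)
        allowed, refused = numbers[:budget], numbers[budget:]
        self._accepted[client].extend([now] * len(allowed))
        if refused:
            self.rejected[client] += len(refused)
            if self.rejected[client] >= self.flag_after:
                self.flagged.add(client)
        found = [n for n in allowed if n in REGISTERED]
        return found, refused
```

Because the window slides rather than resets, a client cannot refill its quota by pausing briefly at the top of the hour, and the `rejected` counter gives operators a signal for follow-up rather than silently dropping requests.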
Even with Meta’s fixes, the researchers say the real issue is WhatsApp’s whole identity system. They spotted millions of accounts in places where WhatsApp is banned, like China and Myanmar, raising fears that governments in those regions could use this kind of loophole to track people and link numbers to real identities.
The researchers also noticed an unusual pattern involving cryptographic ‘pre-keys’, which help set up encrypted chats. They found that some of these keys were reused across multiple accounts – in some cases, hundreds of times. While there is no sign that WhatsApp mishandled its encryption, the team believes this repetition likely comes from people using unofficial or modified WhatsApp apps, which often implement encryption improperly. And such unofficial apps can mess with users’ privacy and security in ways they never even notice.
The Tech Portal is published by Blue Box Media Private Limited. Our investors have no influence over our reporting.