The scale of the leak described by the team from the University of Vienna underscores how perilous an ordinary contact-lookup feature in popular messengers can become. WhatsApp has always emphasized the convenience of adding new people: simply save a phone number, and the service instantly reveals whether that person is registered, along with their name, photo, and portions of their profile. Yet this very simplicity formed the foundation of one of the largest user-data harvests in history—achieved without hacking or bypassing any technical barriers.
The Austrian researchers set out to determine whether automated number-scanning could reveal exactly who uses WhatsApp. Once launched, the process quickly exposed an almost total absence of restrictions. The web version allowed unlimited queries, enabling the team to assemble a database of 3.5 billion numbers—effectively mapping every user of the application worldwide. For nearly 57 percent of these entries, they retrieved profile photos, and for almost a third, text statuses that many people use as brief personal bios.
By the researchers’ own account, this would have been the largest known leak of phone numbers and publicly visible profile elements had the data not been collected solely for academic purposes. They disclosed the issue in the spring and deleted everything, yet the system remained entirely exposed until October, meaning anyone—from spammers to state agencies monitoring dissent—could have carried out the same operation.
Despite Meta’s repeated assurances that it is deploying increasingly effective protections against large-scale data scraping, the Vienna team insists it encountered no meaningful safeguards. They also recalled that this problem had been flagged as early as 2017, when Dutch researcher Loran Kloeze demonstrated a method for mass number-checking and showed that it was possible to collect not only profile data but also users’ online-status timestamps. Even then, the company claimed everything operated within “standard privacy settings.”
A comparison of today’s results with those from eight years ago reveals how dramatically the risks have grown. What once involved tens of millions of potentially accessible records now concerns more than a third of the planet’s population—and phone numbers are not arbitrary identifiers. Number ranges are finite and structured, so brute-force enumeration of every possible number is inevitable unless strict limits on queries are imposed.
The researchers also examined profile-exposure patterns by country. In the United States, 44 percent of the 137 million collected numbers had open profile photos and roughly a third displayed text statuses. In India, where WhatsApp’s penetration is far higher, 62 percent of the 750 million accounts exposed their images. In Brazil, the figure was similar—61 percent of 206 million profiles. The more ubiquitous the service, the fewer people adjust their privacy settings, widening the pool of users whose images and descriptions remain visible.
A particularly troubling discovery was the presence of millions of numbers from countries where WhatsApp is officially banned. The team found 2.3 million such accounts from China and 1.6 million from Myanmar. Possession of this data could enable local authorities to track individuals circumventing government restrictions—information that in some cases may already have been used as grounds for persecution. Reports from China have noted arrests based solely on evidence of having the app installed.
While analyzing keys used in WhatsApp’s end-to-end encryption protocol, the researchers observed another anomaly: a significant number of repeated values. Some keys appeared hundreds of times, and around two dozen U.S. numbers were associated with a zero key. They suspect these correspond to unofficial third-party WhatsApp clients, widely used in fraudulent operations. This hypothesis is reinforced by the behavior of several accounts with duplicate keys, which clearly resembled tools for scams or automated mass messaging.
The researchers argue that the fundamental issue lies not only in the absence of rate limits but also in WhatsApp’s architectural choice to bind user identity directly to a phone number. Under such a design, the service cannot meaningfully prevent large-scale data harvesting while preserving effortless contact discovery. Meta is already experimenting with alternative internal usernames, and a shift toward this model may become essential for reducing these risks.
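One way a service could enforce the two controls the researchers say were missing, a per-client query budget and detection of sequential number scanning, written from the defender's side. This is an added example, not code from the study or from WhatsApp; the thresholds, client identifiers and sample numbers are assumptions.

```python
import time
from collections import defaultdict, deque

# Hypothetical policy values (assumptions, not WhatsApp's real limits).
WINDOW_SECONDS = 60            # sliding window for the per-client budget
MAX_LOOKUPS_PER_WINDOW = 200   # lookups allowed per client per window
SCAN_RUN_THRESHOLD = 20        # adjacent numbers in a row before flagging


class ContactLookupGuard:
    """Gate for a contact-discovery ("is this number registered?") endpoint."""

    def __init__(self, now=time.monotonic):
        self._now = now                      # injectable clock for testing
        self._history = defaultdict(deque)   # client_id -> lookup timestamps
        self._last_number = {}               # client_id -> last number queried
        self._run_length = defaultdict(int)  # client_id -> current +1/-1 run
        self.flagged = set()                 # clients judged to be enumerating

    def check(self, client_id, number):
        """Return 'allow', 'rate_limited' or 'enumeration' for one lookup."""
        now = self._now()
        hist = self._history[client_id]
        while hist and now - hist[0] > WINDOW_SECONDS:   # expire old entries
            hist.popleft()
        # Enumeration heuristic: a finite number range is walked in order, so
        # long runs of numerically adjacent queries rarely come from a human.
        prev = self._last_number.get(client_id)
        if prev is not None and abs(number - prev) == 1:
            self._run_length[client_id] += 1
        else:
            self._run_length[client_id] = 0
        self._last_number[client_id] = number
        if self._run_length[client_id] >= SCAN_RUN_THRESHOLD:
            self.flagged.add(client_id)
            return "enumeration"
        # Budget check: independent of scan pattern, caps bulk harvesting.
        if len(hist) >= MAX_LOOKUPS_PER_WINDOW:
            return "rate_limited"
        hist.append(now)
        return "allow"


def simulate(guard, client_id, numbers):
    """Feed constructed lookup traffic through the guard; return verdict counts."""
    counts = defaultdict(int)
    for number in numbers:
        counts[guard.check(client_id, number)] += 1
    return dict(counts)
```

In production the client identity would come from the authenticated session or device, and flagged clients would be throttled or reviewed rather than merely counted.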
The Viennese team emphasizes that their findings highlight the vulnerability of an entire category of services that rely on phone numbers as primary identifiers. Popularity turns such systems into vast reservoirs of accessible personal data, obtainable without any technical intrusion. For a platform with billions of users, safeguarding privacy must hinge not merely on policies and settings, but on stringent technical limits and the abandonment of overly predictable identification schemes.