WhatsApp feature enabled stealth scrape of 3.5 billion user profiles

The 'largest data leak in history'

Researchers have exploited a “long-standing” WhatsApp feature to assemble a database of 3.5 billion user profiles - an exposure they argue rivals the largest leaks ever recorded.

The flaw centred on WhatsApp's phone number-based lookup feature, which allows users to see limited information, such as a name or profile picture, after entering another person's number.

The University of Vienna and SBA Research team found that the feature could be systematically abused for "enumeration," effectively mass-checking numbers to see which were linked to WhatsApp accounts.

Using a custom tool built on Google's libphonenumber library, the researchers rapidly generated and queried 63 billion phone numbers.

At peak speed, they were verifying more than 100 million accounts per hour, without once encountering meaningful rate limits, IP blocks or other restrictions from WhatsApp.

"To our surprise, neither our IP address nor our accounts have been blocked," the researchers wrote [pdf].

"With our query rate of 7,000 phone numbers per second, we could confirm 3.5 billion phone numbers registered on WhatsApp."
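The study's finding is that sheer query volume and the sweep of generated number ranges went unnoticed server-side. As an added illustration (not code from the paper or from WhatsApp), the heuristic below runs two checks over constructed contact-lookup logs: a per-client sliding-window rate check and a ratio check that flags clients whose lookups mostly hit unregistered numbers, which is the signature of sweeping a generated range rather than syncing an address book. The log format, client names and thresholds are all assumptions.

```python
from collections import defaultdict, deque

# Hypothetical thresholds (not values from the paper or from WhatsApp).
WINDOW_S = 60                # sliding window length in seconds
MAX_LOOKUPS_PER_WINDOW = 20  # an address-book sync rarely needs more than this per minute
MIN_SAMPLE = 10              # only judge the unknown ratio once enough lookups are seen
MAX_UNKNOWN_RATIO = 0.8      # sweeping generated ranges produces mostly misses


def build_sample_log():
    """Constructed lookup-server log: '<unix_ts> <client> <e164_number> <registered|unknown>'."""
    lines = []
    # clientA behaves like an address-book sync: a few numbers, mostly registered.
    for i in range(8):
        result = "unknown" if i == 3 else "registered"
        lines.append(f"{1700000000 + i * 5} clientA +4366410000{i:02d} {result}")
    # clientB behaves like an enumerator: a sequential sweep, mostly unregistered.
    for i in range(30):
        result = "registered" if i % 15 == 0 else "unknown"
        lines.append(f"{1700000000 + i} clientB +4366420000{i:02d} {result}")
    return lines


def detect_enumeration(lines, window_s=WINDOW_S, max_lookups=MAX_LOOKUPS_PER_WINDOW,
                       min_sample=MIN_SAMPLE, max_unknown_ratio=MAX_UNKNOWN_RATIO):
    """Return {client: set_of_signals} for clients whose lookups look like enumeration.

    Signals: 'rate' (too many lookups inside one window) and 'unknown_ratio'
    (most looked-up numbers are not registered, i.e. the client is sweeping a range).
    """
    recent = defaultdict(deque)  # client -> deque of (ts, result) inside the window
    flagged = defaultdict(set)
    for line in lines:
        ts_str, client, _number, result = line.split()
        ts = int(ts_str)
        window = recent[client]
        window.append((ts, result))
        while window and ts - window[0][0] > window_s:  # evict entries older than the window
            window.popleft()
        n = len(window)
        unknown = sum(1 for _, r in window if r == "unknown")
        if n > max_lookups:
            flagged[client].add("rate")
        if n >= min_sample and unknown / n > max_unknown_ratio:
            flagged[client].add("unknown_ratio")
    return dict(flagged)


if __name__ == "__main__":
    for client, signals in detect_enumeration(build_sample_log()).items():
        print(client, sorted(signals))
```

The ratio check matters because a rate limit alone is defeated by slowing the sweep down; a client that keeps asking about numbers nobody registered still stands out at any speed.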

More than 57% of the enumerated users had a visible profile picture, and two-thirds of those images contained identifiable human faces.

Roughly 29% of users also had text in their profiles.

Researchers warned that such details, often dismissed as trivial in data breach reports, can reveal deeply sensitive information, including sexual orientation, political affiliations, professional email addresses or links to other accounts such as LinkedIn or Tinder.

Real-world security implications

The team found active WhatsApp accounts linked to phone numbers from countries that ban the app outright, including China, North Korea and Myanmar.

In places where defying state restrictions can lead to detention, the exposure of such activity poses significant personal risks.

They also identified accounts tied to government and military personnel in other nations: data that could be valuable for state-level or criminal actors.

They further noted the more general threat: vast, verified phone lists are a goldmine for spammers and phishers.

Half of the numbers scraped in Facebook's infamous 2021 data incident, they discovered, were still active on WhatsApp, suggesting that such data remains exploitable for years.

Meta fixes the flaw - eventually

Meta, WhatsApp’s parent company, said it has since deployed new anti-scraping defences that blunt the techniques used in the study.

Nitin Gupta, WhatsApp's VP of engineering, acknowledged that the researchers "identified a novel enumeration technique that surpassed our intended limits, allowing the researchers to scrape basic publicly available information."

He stressed that WhatsApp's end-to-end encryption was never compromised.

"We had already been working on industry-leading anti-scraping systems, and this study was instrumental in stress-testing and confirming the immediate efficacy of these new defences," he told The Register.

Gabriel Gegenhuber, a PhD candidate at the University of Vienna and co-author of the paper, confirmed Meta's follow-up actions.

"We supported Meta/WhatsApp with our knowledge in their remediation and retesting process," he said.

"We have tried the exact same steps as for the original study but were blocked swiftly. So, we can confirm there are countermeasures in place now."

However, Gegenhuber noted that Meta took nearly a year to meaningfully respond to their initial disclosures, only accelerating after receiving a pre-print of the team's paper.

"As soon as they realised the extent of the issue, they took it seriously and reacted promptly," he said.