WhatsApp Hack: 3.5 Billion Accounts at Risk?

by Priyanka Patel


WhatsApp Vulnerability Exposed Data of Over 3.5 Billion Users Worldwide

A significant privacy flaw in WhatsApp’s contact discovery mechanism allowed researchers to enumerate data associated with more than 3.5 billion active accounts across 124 countries, highlighting the risks inherent in metadata collection even with end-to-end encryption. Meta, WhatsApp’s parent company, addressed the vulnerability after being alerted by the researchers through responsible disclosure. The findings, initially published as a preprint, are slated for presentation at the NDSS Symposium in 2026.

The vulnerability stemmed from WhatsApp’s system for matching phone numbers from a user’s address book against its database. Researchers discovered that the platform did not adequately limit the rate at which these queries could be made. “Normally, a system should not respond to such a high number of requests in such a short time, particularly when originating from a single source,” explained Gabriel Gegenhuber, a researcher at the University of Vienna. “This behavior exposed the underlying flaw, which allowed us to issue an effectively unlimited number of requests to the server and, in doing so, map user data worldwide.”

The research, conducted by teams at the University of Vienna and SBA Research, forms part of an ongoing effort to understand how design choices in encrypted messaging platforms can inadvertently reveal user metadata. The team was able to query WhatsApp’s infrastructure at a rate exceeding 100 million phone numbers per hour. While the data accessed – public keys, timestamps, phone numbers, and optional profile information such as “about” text and profile pictures – is technically accessible to anyone who knows a phone number, the scale of the querying allowed for the mass mapping of this information.
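The missing control described above, sketched as an added example (not code from the article, the researchers or WhatsApp): a contact-discovery budget that charges per newly looked-up phone number rather than per request, so repeat address-book syncs stay free while sequential enumeration stalls. The class and function names, the per-account key, the capacity and the refill rate are all assumptions, and the phone numbers are constructed.

```python
import time

class FakeClock:
    """Manually advanced clock so the simulation runs instantly."""
    def __init__(self): self.t = 0.0
    def __call__(self): return self.t

class DiscoveryBudget:
    """Token bucket charged per *new* phone number, keyed by requesting account."""
    def __init__(self, capacity=500, refill_per_sec=0.05, clock=time.monotonic):
        self.capacity = capacity              # assumed: one full address-book sync
        self.refill_per_sec = refill_per_sec  # assumed: 180 new numbers per hour
        self.clock = clock
        # account -> (tokens, last check time, known numbers); the known set is
        # unbounded here, a real service would keep a compact bounded structure
        self.state = {}

    def check(self, account, numbers):
        """Return (allowed, retry_after_seconds) for one batch lookup."""
        now = self.clock()
        tokens, last, known = self.state.get(account, (float(self.capacity), now, set()))
        tokens = min(self.capacity, tokens + (now - last) * self.refill_per_sec)
        new = set(numbers) - known            # re-syncing known contacts is free
        if len(new) > tokens:
            self.state[account] = (tokens, now, known)
            if len(new) > self.capacity:
                return False, float("inf")    # batch can never fit; client must split it
            return False, (len(new) - tokens) / self.refill_per_sec
        self.state[account] = (tokens - len(new), now, known | new)
        return True, 0.0

def enumerated_in(seconds, budget, clock, batch=100):
    """Numbers resolved by one account walking a constructed sequential range."""
    resolved = 0
    for t in range(seconds):                  # one lookup attempt per simulated second
        clock.t = float(t)
        nums = [f"+1555{n:07d}" for n in range(resolved, resolved + batch)]
        if budget.check("bulk-client", nums)[0]:
            resolved += batch
    return resolved

if __name__ == "__main__":
    clock = FakeClock()
    print(enumerated_in(3600, DiscoveryBudget(clock=clock), clock))  # 600
```

With these assumed settings a single account resolves 600 numbers in its first hour, against the rate of more than 100 million per hour reported above. The budget is keyed per account only, so it bounds one source and does not by itself address lookups spread across many accounts.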

Did you know? – Android devices comprise 81% of WhatsApp’s user base, with iOS users making up the remaining 19%. Regional variations also exist in public profile information.

Importantly, researchers emphasized that no message content was accessed or retrieved during the investigation. However, by analyzing the limited data points, they were able to infer additional information about users, including their operating system, approximate account age, and the number of devices linked to their account. Their findings are detailed in a study titled “Hey there! You are using WhatsApp.”

Pro tip: – Metadata, while not message content, can reveal user information like operating system and account age. Protecting metadata is crucial for privacy.

The investigation revealed further insights into WhatsApp’s user base. Researchers identified millions of active accounts in countries where the platform is officially banned, including China, Iran, and Myanmar. Analysis of global distribution patterns showed that Android devices account for 81% of WhatsApp users, while iOS users comprise the remaining 19%. Regional variations were also observed in public profile information.

Reader question: – Can a 2018 Facebook data scraping incident still impact WhatsApp users? Nearly half of the numbers from that breach remained active on WhatsApp.

Adding another layer of concern, the study found that nearly half of the phone numbers included in a widely circulated 2021 Facebook dataset remained active on WhatsApp. This dataset, originating from a 2018 scraping incident, underscores the continued risk of exposure for these numbers to potential misuse, such as scam calls.

In a small number of cases, the researchers also detected instances of cryptographic key reuse across different devices or accounts, potentially indicating the use of unofficial clients or fraudulent activity.

Meta responded to the findings through its Bug Bounty program, collaborating with the research team to address the vulnerability. “We had already been working on anti-scraping systems, and this study was instrumental in stress-testing and confirming the immediate efficacy of these new defenses,” stated Nitin Gupta, Vice President of Engineering at WhatsApp. Gupta confirmed that Meta found no evidence of malicious exploitation of the flaw and that all data
