WhatsApp security flaw lets experts scrape 3.5 billion user numbers - here's what we know, and how to stay safe


  • WhatsApp has 3.5 billion active accounts exposed to metadata scraping risks globally
  • Contact-discovery flaw allowed enumeration of phone numbers at a massive global scale
  • Millions of encryption keys were reused across accounts, undermining security assumptions

WhatsApp users may need to take extra steps to protect their account information following a potentially concerning discovery.

A study by researchers at the University of Vienna revealed the app's contact-discovery system enabled the collection of extensive WhatsApp user data at an unprecedented scale due to insufficient rate-limiting across global endpoints.

The researchers were able to gather vast quantities of phone numbers, public profile photos, account status text, business tags, and information tied to end-to-end encryption keys.

How the data was collected at scale

The dataset included users in countries where WhatsApp is banned, including China, Iran, Myanmar, and North Korea, potentially making it possible to identify individuals in regions with strict state monitoring and limited access to encrypted tools.

The research team generated over 60 billion possible mobile numbers across more than two hundred countries using automated number-generation tools.

They then checked each number against WhatsApp servers through reverse-engineered protocols.

The method relied on modified open source clients that queried WhatsApp infrastructure directly rather than through official applications.

The process validated thousands of numbers per second without being blocked, repeating enumeration issues previously documented in 2012 and 2021.

Collected data included timestamps, device information, public-facing encryption keys, and metadata that allowed mapping usage patterns across global regions.

There were millions of cases where encryption keys were reused across different accounts despite expectations that each key should be unique.

Some keys consisted entirely of zeroes, suggesting flawed implementations by third-party clients rather than the primary application.
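The reuse and all-zero key findings above are the kind of anomaly a defender can check for in an identity-key registry. The following audit is an added example, not code from the researchers or from WhatsApp; the registry layout, the 32-byte key length and the phone numbers are constructed assumptions for illustration.

```python
"""Audit a registry of public identity keys for reuse and degenerate values.

Added example (not the study's or WhatsApp's code). Assumes a registry that
maps a phone number to its hex-encoded 32-byte public identity key; the
numbers and keys below are constructed, not real.
"""
from collections import defaultdict

KEY_LEN = 32  # assumed length of a public identity key in bytes

# Constructed sample registry: two accounts share a key, one key is all zero,
# and one entry has the wrong length.
SAMPLE_REGISTRY = {
    "+15550000001": "aa" * KEY_LEN,
    "+15550000002": "bb" * KEY_LEN,
    "+15550000003": "aa" * KEY_LEN,   # same key as +15550000001 (reuse)
    "+15550000004": "00" * KEY_LEN,   # all-zero key
    "+15550000005": "cc" * 16,        # malformed: only 16 bytes
}


def audit_keys(registry):
    """Return reused keys (key -> accounts), all-zero keys and malformed keys."""
    accounts_by_key = defaultdict(list)
    zero_keys = []
    malformed = []
    for number, key_hex in registry.items():
        try:
            key = bytes.fromhex(key_hex)
        except ValueError:
            malformed.append(number)
            continue
        if len(key) != KEY_LEN:
            malformed.append(number)
            continue
        if not any(key):            # every byte is 0x00
            zero_keys.append(number)
        accounts_by_key[key].append(number)
    reused = {k.hex(): sorted(v) for k, v in accounts_by_key.items() if len(v) > 1}
    return {"reused": reused, "zero": sorted(zero_keys), "malformed": sorted(malformed)}


if __name__ == "__main__":
    for category, hits in audit_keys(SAMPLE_REGISTRY).items():
        print(f"{category}: {hits}")
```

On a real registry the same three checks run unchanged; only the loader for the key material differs.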

In a statement sent to Cyberinsider, Nitin Gupta, VP of Engineering at WhatsApp, said:

“We are grateful to the University of Vienna researchers for their responsible partnership and diligence under our Bug Bounty program. This collaboration successfully identified a novel enumeration technique that surpassed our intended limits, allowing the researchers to scrape basic publicly available information. We had already been working on industry-leading anti-scraping systems, and this study was instrumental in stress-testing and confirming the immediate efficacy of these new defenses. Importantly, the researchers have securely deleted the data collected as part of the study, and we have found no evidence of malicious actors abusing this vector. As a reminder, user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption, and no non-public data was accessible to the researchers.”

Meta argued that messages remained protected, but the researchers maintained that public key reuse weakens the trust model behind end-to-end encryption.

The company applied stronger rate limits in October 2025 after disclosure and later addressed a separate issue on Apple devices that allowed unauthorized media retrieval.

WhatsApp reached an estimated 3.5 billion active accounts as of early 2025, placing it among the most widely used communication platforms in history.

How to stay safe

  • Limit what appears in public profile fields and avoid posting links in status messages.
  • Use strong passwords and enable two-factor authentication for better account protection.
  • Keep antivirus software updated to detect threats before they affect your account.
  • Use identity theft protection services to monitor for suspicious activity or data misuse.
  • Block unknown contacts and review account activity regularly for unusual behavior.
  • Enable a firewall to prevent malicious network access and suspicious connections.
  • Avoid unofficial WhatsApp clients and update the official app as soon as possible.

Efosa Udinmwen
Freelance Journalist

Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking.
