- WhatsApp has 3.5 billion active accounts at risk of metadata scraping worldwide
- Contact discovery flaw allowed phone number enumeration on a global scale
- Millions of encryption keys were reused across multiple accounts, challenging security assumptions
WhatsApp users may need to take additional steps to protect their account information following a potentially concerning discovery.
A study by researchers at the University of Vienna found that the app’s contact discovery system enabled the collection of detailed data on WhatsApp users on an unprecedented scale due to insufficient rate limiting on global endpoints.
Researchers were able to gather massive amounts of phone numbers, public profile photos, account status text, business tags, and information related to end-to-end encryption keys.
How data was collected on a large scale
The dataset included users from countries where WhatsApp is banned, including China, Iran, Myanmar and North Korea, which could identify individuals in regions subject to strict state surveillance and limited access to encrypted tools.
The research team generated over 60 billion possible mobile numbers in over two hundred countries using automated number generation tools.
They then checked each number against WhatsApp servers using reverse-engineered protocols.
The method relied on modified open source clients that queried the WhatsApp infrastructure directly rather than through official applications.
The process validated thousands of numbers per second without being blocked, echoing enumeration issues previously documented in 2012 and 2021.
The data collected included timestamps, device information, public encryption keys, and metadata that helped map usage patterns across global regions.
The researchers found millions of cases in which encryption keys were reused across different accounts, although each key was expected to be unique.
Some keys consisted of all zeros, suggesting faulty implementations by third-party clients rather than the main application.
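A defender-side check for the two key anomalies described above (keys shared across accounts, and all-zero keys), as an added example that is not the researchers' or WhatsApp's code. The record format, the account ids and the 32-byte hex key length are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

KEY_LEN = 32  # assumption: 32-byte public keys, hex-encoded in the directory export

# Constructed sample records (account id, hex public key); not real data.
SAMPLE_RECORDS = [
    ("acct-001", "a3" * 32),
    ("acct-002", "5f" * 32),
    ("acct-003", "a3" * 32),    # same key as acct-001
    ("acct-004", "00" * 32),    # all-zero key
    ("acct-005", "00" * 32),    # all-zero key
    ("acct-006", "zz-not-hex"), # not decodable
    ("acct-007", "5F" * 32),    # upper-case hex of acct-002's key
    ("acct-001", "a3" * 32),    # duplicate record for the same account
]


def audit_keys(records):
    """Classify published keys: malformed, all-zero, or shared by several accounts."""
    malformed, zero = [], []
    owners = defaultdict(set)  # raw key bytes -> accounts that published it
    for account, key_hex in records:
        try:
            key = bytes.fromhex(key_hex)  # decoding normalises hex case
        except ValueError:
            malformed.append(account)
            continue
        if len(key) != KEY_LEN:
            malformed.append(account)
        elif key == bytes(KEY_LEN):
            # Degenerate key: reported on its own so it does not appear
            # as one very large "reuse" cluster.
            zero.append(account)
        else:
            owners[key].add(account)
    # A key counts as reused only when distinct accounts publish it;
    # the same account listed twice is not reuse.
    reused = {k.hex(): sorted(a) for k, a in owners.items() if len(a) > 1}
    return {"malformed": malformed, "all_zero": zero, "reused": reused}


if __name__ == "__main__":
    for name, value in audit_keys(SAMPLE_RECORDS).items():
        print(name, value)
```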
In a statement sent to Cyberinsider, Nitin Gupta, vice president of engineering at WhatsApp, said:
“We are grateful to the researchers at the University of Vienna for their responsible partnership and diligence in our Bug Bounty program. This collaboration successfully identified a new enumeration technique that exceeded our anticipated limits, allowing researchers to retrieve publicly available basic information. We had previously worked on cutting-edge anti-scraping systems, and this study was instrumental in stress testing and confirming the immediate effectiveness of these new defenses. Importantly, the researchers safely deleted data collected as part of the study, and we found no evidence of malicious actors abusing this vector. As a reminder, user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption, and no non-public data was accessible to researchers.”
Meta argued that messages remained protected, but researchers argued that public key reuse weakens the trust model behind end-to-end encryption.
The company implemented stricter rate limits in October 2025 after the disclosure and later fixed a separate issue on Apple devices that allowed unauthorized media fetching.
WhatsApp reached around 3.5 billion active accounts at the start of 2025, placing it among the most used communications platforms in history.
How to stay safe
- Limit what appears in public profile fields and avoid posting links in status messages.
- Use strong passwords and enable two-factor authentication for better account protection.
- Keep your antivirus software up to date to detect threats before they affect your account.
- Use identity theft protection services to monitor suspicious activity or data misuse.
- Block unknown contacts and regularly review account activity for unusual behavior.
- Enable a firewall to prevent malicious network access and suspicious connections.
- Avoid unofficial WhatsApp clients and update the official app as soon as possible.