A group of cybersecurity researchers from the University of Vienna and SBA Research have discovered a large-scale vulnerability in WhatsApp's contact search mechanism, which allowed the identification of 3.5 billion active accounts worldwide. The findings were immediately reported to Meta, which has taken measures to mitigate the problem; a preprint of the study is now online and the results will be presented in 2026 at the prestigious NDSS conference.
How was the vulnerability discovered?
WhatsApp uses a user's address book to identify other contacts who use the app, based on their phone number alone. The researchers found that this same lookup mechanism accepted more than 100 million requests per hour from a single source, which let them verify the existence of accounts in 245 countries.
"A system shouldn't have to respond to so many requests from a single source. That's what allowed us to map user data globally," explains Gabriel Gegenhuber, the study's lead author.
Essentially, WhatsApp's servers answered these lookup requests without any rate limit, creating an opportunity for any actor – with sufficient technical capacity – to build a global inventory of users.
What information was revealed?
The accessible data did not include message content. It was the same data that is publicly visible to anyone who knows someone's number:
• phone number
• public keys
• timestamps
• photo and "About" status, if public.
But this minimal amount of data proved sufficient to infer further information:
• operating system (Android or iOS),
• age of the account,
• number of connected devices.
According to the researchers, this metadata also shows how exposed users' privacy can be when public information is analyzed in bulk.
Other alarming findings
The study identified important global trends and phenomena:
• Millions of active WhatsApp users were discovered in countries where the platform is banned, such as China, Iran, and Myanmar.
• 81% of global users are on Android, while 19% are on iOS.
• Regional differences in privacy behavior were noted, such as the use of a profile photo or “About” message.
• In some cases, reuse of cryptographic keys was found, a clear signal of the use of unofficial or pirated WhatsApp clients.
• Nearly half of the numbers leaked in the Facebook scandal in 2021 continue to be active on WhatsApp, increasing the risks of scams and unwanted calls.
WhatsApp: messages were secure
Meta emphasizes that the content of the messages, thanks to end-to-end encryption, has always been protected. The vulnerability only affected metadata and public data.
“We have not found any evidence that malicious actors have exploited this technique,” said Nitin Gupta, vice president of engineering at WhatsApp.
He confirmed that Meta has implemented new anti-scraping measures, such as limiting requests and reducing the visibility of public profile information.
All data collected by researchers was deleted before publication.
Why is this study important?
Researchers from Vienna have been tracking the security of instant messaging platforms for years. Previously, they discovered:
• ways to monitor users' online behavior through "silent delivery receipts",
• vulnerabilities in WhatsApp's key distribution ("prekeys").
The new study, "Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy," marks an important step in understanding the risks that come from the way messaging services are designed and operate.
“Even the largest and most trusted systems have vulnerabilities that need to be continuously addressed,” says Gegenhuber.
The researchers emphasize that transparency, independent research, and collaboration with industry are essential for protecting the privacy of billions of users who rely on communication platforms every day.