
WhatsApp Vulnerability: A Threat to Personal Data

19 November 2025

Researchers from the University of Vienna have identified a critical vulnerability in WhatsApp that enabled the mass collection of users' phone numbers through the contact search mechanism. Using a simple brute-force method against the web version of the service, they were able to access more than 3.5 billion records, essentially a database of most users on the platform. Wired reported on the findings.
In addition to phone numbers, researchers managed to download profile avatars for 57% of accounts and public profile text for 29%, as this data is visible to anyone who adds the number to their contacts. The team reported the issue to Meta in April 2025 and deleted the collected database. In October, the company implemented stricter request rate limits to prevent mass checks.
Meta stated that no signs of malicious use of this technique were found, claiming that the reported information was "basic public data." However, the researchers emphasize that they did not bypass any protective mechanisms; such mechanisms simply did not exist. A similar vulnerability was described by another researcher in 2017, but it was never addressed.
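The rate limiting mentioned above can be sketched from the defender's side as follows; this is an added example, not Meta's implementation or code from the researchers. It assumes a hypothetical contact-lookup service and caps the number of distinct phone numbers a client may look up per time window, so a normal address-book re-sync is unaffected while a sequential walk through the number space is cut off. The class name, thresholds and log entries are constructed for illustration.

```python
from collections import defaultdict, deque


class DistinctLookupLimiter:
    """Cap how many *distinct* numbers one client may look up per window."""

    def __init__(self, max_distinct=3, window_seconds=3600):
        self.max_distinct = max_distinct
        self.window = window_seconds
        self._events = defaultdict(deque)  # client -> (first_seen_ts, number)
        self._seen = defaultdict(dict)     # client -> {number: first_seen_ts}

    def allow(self, client_id, number, now):
        events, seen = self._events[client_id], self._seen[client_id]
        # Forget numbers whose first lookup has aged out of the window.
        while events and now - events[0][0] >= self.window:
            ts, old = events.popleft()
            if seen.get(old) == ts:
                del seen[old]
        if number in seen:
            return True   # repeat lookup of a known contact costs nothing
        if len(seen) >= self.max_distinct:
            return False  # budget of new numbers exhausted: deny, do not record
        seen[number] = now
        events.append((now, number))
        return True


def replay(log, limiter):
    """Feed (timestamp, client, number) entries through the limiter.

    Returns {client: denied_lookup_count} for clients with any denial.
    """
    denied = defaultdict(int)
    for ts, client, number in sorted(log):
        if not limiter.allow(client, number, ts):
            denied[client] += 1
    return dict(denied)


# Constructed sample log (fictional 555-01xx numbers):
# client-a re-syncs the same three contacts; client-b walks a number range.
SAMPLE_LOG = (
    [(t, "client-a", f"+1555010000{t % 3}") for t in range(60)]
    + [(t, "client-b", f"+15550100{t:03d}") for t in range(60)]
)

if __name__ == "__main__":
    print(replay(SAMPLE_LOG, DistinctLookupLimiter()))
```

A per-client budget like this does not by itself stop enumeration spread across many accounts or addresses, so it is normally combined with global monitoring of lookup volume.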
The analysis also revealed a significant number of accounts with public information. For instance, among 137 million numbers from the United States, 44% had open photos. In India, where WhatsApp is most popular, this figure reached 62%.
Researchers believe that databases of such scale could be of interest to spam campaigns or governments in countries where WhatsApp is blocked. Among the data collected, they found 2.3 million numbers from China and 1.6 million from Myanmar, which could pose risks for users in these nations.
The team also found repeated cryptographic keys in some accounts, which may indicate the use of unofficial WhatsApp clients, particularly by those engaging in fraudulent activities.
Researchers conclude that the main issue is the use of phone numbers as universal identifiers. They were not designed as private or unique keys, yet in WhatsApp, they serve as the foundation for searching and verifying accounts. Meta is already testing a nickname system as an alternative.