Security Stop-Press: WhatsApp Flaw Exposed Billions of Phone Numbers

Written by: Paul

Researchers have uncovered a privacy weakness in WhatsApp that allowed the confirmation of 3.5 billion active accounts simply by checking phone numbers.

A team from the University of Vienna and SBA Research found that WhatsApp’s contact discovery system could be queried at high speed, letting them generate and test 63 billion numbers and confirm more than 100 million accounts per hour. When a number was recognised, the app returned publicly visible details such as profile photos, about texts, and timestamps, with 57 per cent of users showing a profile picture and nearly 30 per cent displaying an about message.

Meta said only public information was accessible, no message content was exposed, and the researchers deleted all data after the study. It added that new rate-limiting and anti-scraping protections are now in place and that there is no evidence of malicious exploitation.

Security experts warned that the incident shows how phone numbers remain a weak form of identity, making large-scale scraping and profiling possible. They stressed that metadata, even without message content, can still be valuable to scammers or organised cyber groups.

Businesses can reduce risk by limiting the personal information staff make visible on messaging apps, reviewing privacy settings, and ensuring employees understand how scraped contact details may be used in targeted attacks.