3.5 Billion Users Exposed: Breaking Down the WhatsApp Data Leak

What happened, how it worked, and what it means for you

This week, security researchers revealed what could have been the largest data leak in history—affecting nearly every WhatsApp user on the planet. Austrian researchers from the University of Vienna demonstrated how they were able to extract data on 3.5 billion WhatsApp accounts by exploiting a surprisingly simple flaw in how the app works. Let's break down what happened, how it worked technically, and what you should do about it.

CYBERSECURITY

leadhand

11/22/2025 · 3 min read

What Was Exposed?

First, the good news: your private messages were not compromised. WhatsApp's end-to-end encryption remained intact throughout this incident.

However, the researchers were able to collect:

  • Phone numbers of active WhatsApp users

  • Profile pictures (over 57% of accounts had one publicly visible)

  • "About" text descriptions (~29% of users)

  • Account timestamps (when accounts were created)

  • Public encryption keys used for E2EE

  • Whether users were on Android or iOS

  • Number of linked devices (like WhatsApp Web)

While this might sound relatively harmless, this combination of data creates a powerful "reverse phonebook" that could be used to identify people from their photos, target users for phishing attacks, or—in some countries—identify people using WhatsApp illegally.

How the Attack Worked (The Technical Bit)

The vulnerability lies in WhatsApp's contact discovery mechanism—the feature that checks your phone's address book against WhatsApp's servers to show you which of your contacts use the app.

Here's the simplified flow:
Your Phone → "Is 555-123-4567 on WhatsApp?" → WhatsApp Server
WhatsApp Server → "Yes, here's their public info" → Your Phone

Normally, this is fine. You're checking a handful of contacts when you install the app. The problem? WhatsApp wasn't limiting how many of these requests you could make.

The researchers' approach:

  • Generated phone numbers at scale — Using Google's libphonenumber library, they systematically generated 63 billion possible phone numbers across 245 countries following each country's numbering format.

  • Bypassed the official app — Instead of using the standard WhatsApp application, they connected via WhatsApp's underlying XMPP protocol using a reverse-engineered client.

  • Queried at massive scale — They sent approximately 7,000 number lookups per second, confirming over 100 million accounts per hour.

  • Encountered no resistance — WhatsApp's servers had no effective rate limiting. The researchers wrote that they "did not encounter prohibitive rate-limiting" and were never blocked or warned.

This type of attack is called an enumeration attack—systematically trying every possible value to discover valid ones. It's a well-known vulnerability class, and most platforms defend against it with rate limiting.
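To make the defensive side concrete, here is an added example (not code from the article, the researchers, or WhatsApp) of a toy contact-discovery endpoint that applies the two server-side controls the article says were missing: a per-client sliding-window rate limit, and an enumeration heuristic that blocks a client whose lookups mostly fail to resolve to real accounts. The account directory, the `+43660` prefix, the three clients and all thresholds are constructed for the demo; the point it adds beyond the text is that a patient scanner can stay under a pure rate limit, so the hit-ratio check is what catches it.

```python
from collections import deque
from dataclasses import dataclass, field


# Constructed toy account directory: a number "exists" when its 7-digit
# subscriber part is a multiple of 7. A real address book mostly holds
# registered numbers; a blind scan of a number range mostly does not.
def account_exists(number: str) -> bool:
    return int(number[-7:]) % 7 == 0


@dataclass
class ClientState:
    recent: deque = field(default_factory=deque)  # lookup timestamps inside the window
    queries: int = 0                              # lifetime lookups served
    hits: int = 0                                 # lookups that matched an account


class ContactDiscovery:
    """Toy contact-discovery endpoint with two defences (assumed design):
    1. sliding-window rate limit: at most max_per_window lookups per client
       per window_sec seconds;
    2. enumeration heuristic: once a client has made min_queries lookups, it
       is blocked if fewer than min_hit_ratio of them resolved to accounts.
    """

    def __init__(self, max_per_window=500, window_sec=60.0,
                 min_queries=1000, min_hit_ratio=0.3):
        self.max_per_window = max_per_window
        self.window_sec = window_sec
        self.min_queries = min_queries
        self.min_hit_ratio = min_hit_ratio
        self.clients = {}

    def lookup(self, client_id: str, number: str, now: float) -> str:
        st = self.clients.setdefault(client_id, ClientState())
        # Drop timestamps that have fallen out of the sliding window.
        while st.recent and now - st.recent[0] >= self.window_sec:
            st.recent.popleft()
        if len(st.recent) >= self.max_per_window:
            return "rate_limited"
        if st.queries >= self.min_queries and st.hits / st.queries < self.min_hit_ratio:
            return "blocked_enumeration"
        st.recent.append(now)
        st.queries += 1
        if account_exists(number):
            st.hits += 1
            return "found"
        return "not_found"


def replay(service, client_id, numbers, rate_per_sec):
    """Feed one client's lookups at a fixed rate and tally the outcomes."""
    counts = {}
    for i, number in enumerate(numbers):
        outcome = service.lookup(client_id, number, now=i / rate_per_sec)
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


# Constructed traffic. "+43660" is an arbitrary prefix; only the last
# seven digits matter to account_exists().
def address_book():
    # 300 contacts, 80 % of them registered: a normal install syncing contacts.
    return [f"+43660{7 * i + (1 if i % 5 == 0 else 0):07d}" for i in range(300)]


def number_range(n):
    # Sequential numbers: the shape of a generated enumeration list.
    return [f"+43660{i:07d}" for i in range(n)]


def run_demo():
    svc = ContactDiscovery()
    return {
        # Normal client: a few hundred lookups at a modest rate, high hit ratio.
        "normal": replay(svc, "phone-A", address_book(), rate_per_sec=10),
        # Fast scanner: thousands of lookups per second, stopped by the rate limit.
        "fast_scanner": replay(svc, "scanner-B", number_range(20_000), rate_per_sec=7000),
        # Slow scanner: stays under the rate limit, caught by the low hit ratio.
        "slow_scanner": replay(svc, "scanner-C", number_range(3_000), rate_per_sec=5),
    }


if __name__ == "__main__":
    for name, counts in run_demo().items():
        print(f"{name:13s} {counts}")
```

Running it shows the normal client served in full, the fast scanner cut off after the first 500 lookups of its window, and the slow scanner served for exactly `min_queries` lookups before its 14 % hit ratio trips the enumeration check. In a real deployment the thresholds would be tuned from observed sync behaviour, and the ratio check would be one signal among several (account age, client fingerprint, geographic spread of queried numbers), but the structure is the same.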

Why Did Meta Miss This?

This wasn't exactly a new problem. A Dutch researcher named Loran Kloeze reported a similar issue back in 2017.

When the University of Vienna team reported their findings in April 2025, Meta was slow to respond. According to the researchers, Meta only implemented stricter rate limits in October 2025 — roughly six months later.

Meta's official response emphasized that no malicious actors were found to have exploited this vector and that the research helped "stress-test" their new anti-scraping defences.

Real-World Risks

For most users in Western countries, this exposure primarily increases risk of spam, phishing, and robocalls. But the implications are far more serious for some.

The researchers found active WhatsApp users in countries where the app is banned: 2.3 million in China, 1.6 million in Myanmar, and over 59 million in Iran. In some of these regions, using banned apps can result in detention or worse. This data essentially hands authorities a list of people circumventing restrictions.

The researchers also cross-referenced their findings with phone numbers from the 2021 Facebook data breach and found that 50% of those leaked numbers were still active on WhatsApp—demonstrating how long compromised data remains valuable to attackers.

What You Should Do

  • Lock down your profile — Go to Settings → Privacy and set your profile photo, "About," and "Last seen" to "My contacts" or "Nobody."

  • Review your About text — Remove any personally identifying information.

  • Be sceptical of unsolicited messages — This leak gives scammers verified active numbers to target.

  • Consider the username feature — WhatsApp is currently beta-testing usernames as an alternative to phone numbers, which would reduce this attack surface.

The Bigger Picture

This incident highlights a fundamental tension in messaging app design: the features that make apps convenient (like automatic contact discovery) can become massive privacy vulnerabilities at scale. It also demonstrates why responsible security research matters—had this been discovered by malicious actors instead of academics, the consequences could have been severe.

Meta has since patched the specific technique used, but privacy experts warn that any service built on phone numbers will always be an attractive target for enumeration attacks. Until the industry moves beyond phone numbers as the primary identifier, we'll likely see similar incidents again.

Stay safe out there. And maybe go check those privacy settings.