
- WhatsApp has 3.5 billion active accounts exposed to metadata mining risks worldwide
- A contact discovery flaw allowed phone number enumeration on a massive global scale
- Millions of encryption keys were reused across accounts, undermining security assumptions
WhatsApp users may need to take additional steps to protect their account information following a potentially concerning discovery.
A study by researchers at the University of Vienna revealed that insufficient rate throttling on global endpoints allowed the app's contact discovery system to be used to collect WhatsApp user data on an unprecedented scale.
Investigators were able to collect large amounts of phone numbers, public profile photos, account statement texts, business tags, and information linked to end-to-end encryption keys.
How data was collected at scale
The data set included users from countries where WhatsApp is banned, including China, Iran, Myanmar and North Korea, which could make it possible to identify people in regions with strict state oversight and limited access to encrypted tools.
The research team generated more than 60 billion possible mobile numbers in more than two hundred countries using automated number generation tools.
They then checked each number against WhatsApp servers using reverse-engineered protocols.
The method relied on modified open source clients that queried the WhatsApp infrastructure directly rather than through official applications.
The process validated thousands of numbers per second without being blocked, a repeat of enumeration problems previously documented in 2012 and 2021.
The data collected included timestamps, device information, public encryption keys, and metadata that allowed usage patterns to be mapped across global regions.
There were millions of cases where encryption keys were reused across different accounts despite expectations that each key should be unique.
Some keys were composed exclusively of zeros, suggesting faulty implementations by third-party clients rather than the main application.
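The two key anomalies described above (keys shared by different accounts, and keys made only of zeros) can be checked for in any directory of published public keys. The following is an added example, not code from the researchers or WhatsApp; the 32-byte key length, the record format and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

KEY_LEN = 32  # assumption: 32-byte Curve25519-style public keys


def audit_keys(records):
    """Audit (account_id, hex_public_key) pairs.

    Returns a dict with three findings:
      malformed: accounts whose key is not valid hex of KEY_LEN bytes
      all_zero:  accounts publishing a key made only of zero bytes
      reused:    key hex -> sorted accounts, for keys seen on 2+ accounts
    """
    malformed, all_zero = [], []
    owners = defaultdict(set)  # key bytes -> distinct accounts using it
    for account, key_hex in records:
        try:
            key = bytes.fromhex(key_hex)
        except ValueError:
            malformed.append(account)
            continue
        if len(key) != KEY_LEN:
            malformed.append(account)
        elif not any(key):
            # Reported separately: a zero key is broken on its own,
            # however many accounts happen to share it.
            all_zero.append(account)
        else:
            owners[key].add(account)
    reused = {k.hex(): sorted(a) for k, a in owners.items() if len(a) > 1}
    return {"malformed": sorted(malformed),
            "all_zero": sorted(all_zero),
            "reused": reused}


# Constructed sample data, not taken from the study.
SAMPLE = [
    ("acct-1", "11" * 32),
    ("acct-2", "22" * 32),
    ("acct-3", "11" * 32),  # same key as acct-1
    ("acct-4", "00" * 32),  # all-zero key
    ("acct-5", "abcd"),     # too short
    ("acct-6", "zz" * 32),  # not hex
    ("acct-1", "11" * 32),  # repeated row for one account: not reuse
]

if __name__ == "__main__":
    for name, finding in audit_keys(SAMPLE).items():
        print(name, finding)
```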
In a statement sent to Cyberinsider, Nitin Gupta, vice president of engineering at WhatsApp, said:
“We thank the researchers at the University of Vienna for their responsible partnership and diligence under our Bug Bounty program. This collaboration successfully identified a new enumeration technique that exceeded our intended limits, allowing researchers to extract basic publicly available information. We had already been working on industry-leading anti-scraping systems, and this study was instrumental in stress testing and confirming the immediate effectiveness of these new defenses. Importantly, the researchers have securely deleted the data collected as part of the study, and we have found no evidence of malicious actors abusing this vector. As a reminder, users’ messages remained private and secure thanks to WhatsApp’s default end-to-end encryption, and researchers did not have access to any non-public data.”
Meta argued that messages remained protected, but researchers argued that reusing public keys weakens the trust model behind end-to-end encryption.
The company applied stricter rate limits in October 2025 after the disclosure and later addressed a separate issue on Apple devices that allowed unauthorized media recovery.
WhatsApp reached approximately 3.5 billion active accounts by early 2025, placing it among the most used communication platforms in history.
How to stay safe
- Limit what appears in public profile fields and avoid posting links in status messages.
- Use strong passwords and enable two-factor authentication for better account protection.
- Keep your antivirus software updated to detect threats before they affect your account.
- Use identity theft protection services to monitor suspicious activity or data misuse.
- Block unknown contacts and review account activity regularly for unusual behavior.
- Enable a firewall to prevent malicious network access and suspicious connections.
- Avoid unofficial WhatsApp clients and update the official app as soon as possible.



