WhatsApp security flaw lets experts scrape 3.5 billion user numbers - here's what we know, and how to stay safe

2025-11-21 22:10

Study finds WhatsApp contact-discovery flaw allowed scraping of 3.5 billion accounts, exposing metadata and encryption key reuse.

News, by Efosa Udinmwen, published 21 November 2025

Public profile pictures, status texts, and business tags were openly accessible

  • WhatsApp has 3.5 billion active accounts exposed to metadata scraping risks globally
  • Contact-discovery flaw allowed enumeration of phone numbers at a massive global scale
  • Millions of encryption keys were reused across accounts, undermining security assumptions

WhatsApp users may need to take extra steps to protect their account information following a potentially concerning discovery.

A study by researchers at the University of Vienna revealed the app's contact-discovery system enabled the collection of extensive WhatsApp user data at an unprecedented scale due to insufficient rate-limiting across global endpoints.

The researchers were able to gather vast quantities of phone numbers, public profile photos, account status text, business tags, and information tied to end-to-end encryption keys.

How the data was collected at scale

The dataset included users in countries where WhatsApp is banned, including China, Iran, Myanmar, and North Korea, potentially making it possible to identify individuals in regions with strict state monitoring and limited access to encrypted tools.

The research team generated over 60 billion possible mobile numbers across more than two hundred countries using automated number-generation tools.

They then checked each number against WhatsApp servers through reverse-engineered protocols.

The method relied on modified open source clients that queried WhatsApp infrastructure directly rather than through official applications.

The process validated thousands of numbers per second without being blocked, echoing enumeration issues previously documented in 2012 and 2021.
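The defence the article points to is per-client rate limiting on contact discovery. The following is an added illustration, not code from the University of Vienna study or from WhatsApp: a sliding-window limiter where each number checked consumes one unit of budget, replayed over constructed traffic from a normal client and a client sweeping number ranges at thousands of lookups per second.

```python
"""Per-client sliding-window rate limiting for a contact-discovery endpoint.

Added illustration, not code from the University of Vienna study or from
WhatsApp. It models the defence the article describes (capping how many
numbers one client may check per unit time) and replays constructed traffic.
"""
from collections import deque


class LookupRateLimiter:
    """Allow at most `limit` number lookups per `window` seconds per client.

    A batch of N numbers consumes N units of budget, so packing many numbers
    into a single request does not bypass the limit.
    """

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._events = {}  # client_id -> deque of (timestamp, count)

    def allow(self, client_id: str, now: float, count: int = 1) -> bool:
        q = self._events.setdefault(client_id, deque())
        while q and now - q[0][0] >= self.window:  # drop expired entries
            q.popleft()
        used = sum(c for _, c in q)
        if used + count > self.limit:
            return False  # rejected requests are not charged to the budget
        q.append((now, count))
        return True


def simulate(requests, limit=1000, window=60.0):
    """Replay (client_id, timestamp, batch_size) tuples in order.

    Returns {client_id: number_of_rejected_requests}; clients that were
    never rejected are absent from the result.
    """
    limiter = LookupRateLimiter(limit, window)
    rejected = {}
    for client, ts, n in requests:
        if not limiter.allow(client, ts, n):
            rejected[client] = rejected.get(client, 0) + 1
    return rejected


# Constructed traffic: a normal client syncing a few contacts every 10 s,
# and a client sweeping 100 numbers per request, 1,000 requests per second.
NORMAL_CLIENT = [("client-normal", t * 10.0, 5) for t in range(12)]
SWEEPING_CLIENT = [("client-sweep", i * 0.001, 100) for i in range(5000)]
```

A limiter keyed on a single client identity is only part of the picture: lookups spread across many accounts or endpoints need aggregate limits as well, which is the gap the study's "insufficient rate-limiting across global endpoints" describes.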

Collected data included timestamps, device information, public-facing encryption keys, and metadata that allowed mapping usage patterns across global regions.

There were millions of cases where encryption keys were reused across different accounts despite expectations that each key should be unique.

Some keys consisted entirely of zeroes, suggesting flawed implementations by third-party clients rather than the primary application.
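The two key-material findings above (keys reused across accounts, and all-zero keys) are the kind of thing a defender would audit for in a collected key set. The following is an added illustration, not the researchers' analysis code; it assumes one 32-byte public key per account and uses constructed key bytes rather than any real WhatsApp material.

```python
"""Audit a set of collected public keys for reuse and degenerate values.

Added illustration, not the researchers' analysis code. It assumes one
32-byte public key per account (the size of an X25519 key) and uses
constructed key bytes, not real WhatsApp material.
"""
import hashlib
from collections import defaultdict


def audit_keys(keys: dict[str, bytes]) -> dict:
    """Flag all-zero keys and keys that appear under more than one account.

    Returns a summary dict; `shared_key_groups` maps the hex prefix of each
    reused key to the sorted accounts that present it.
    """
    zero_key_accounts = []
    accounts_by_key = defaultdict(list)
    for account, key in keys.items():
        if not any(key):  # every byte is 0x00
            zero_key_accounts.append(account)
        accounts_by_key[key].append(account)
    shared = {k.hex()[:16]: sorted(v)
              for k, v in accounts_by_key.items() if len(v) > 1}
    return {
        "total_accounts": len(keys),
        "unique_keys": len(accounts_by_key),
        "zero_key_accounts": sorted(zero_key_accounts),
        "shared_key_groups": shared,
    }


def constructed_key(label: str) -> bytes:
    """Deterministic 32-byte stand-in for a public key (not a real key)."""
    return hashlib.sha256(label.encode()).digest()


# Constructed dataset: two healthy accounts, two that share one key, and two
# presenting the all-zero key the article attributes to broken clients.
SAMPLE_KEYS = {
    "account-01": constructed_key("key-1"),
    "account-02": constructed_key("key-2"),
    "account-03": constructed_key("shared"),
    "account-04": constructed_key("shared"),
    "account-05": bytes(32),
    "account-06": bytes(32),
}
```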

In a statement sent to CyberInsider, Nitin Gupta, VP of Engineering at WhatsApp, said:

“We are grateful to the University of Vienna researchers for their responsible partnership and diligence under our Bug Bounty program. This collaboration successfully identified a novel enumeration technique that surpassed our intended limits, allowing the researchers to scrape basic publicly available information. We had already been working on industry-leading anti-scraping systems, and this study was instrumental in stress-testing and confirming the immediate efficacy of these new defenses. Importantly, the researchers have securely deleted the data collected as part of the study, and we have found no evidence of malicious actors abusing this vector. As a reminder, user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption, and no non-public data was accessible to the researchers.”

Meta argued that messages remained protected, but the researchers maintained that public key reuse weakens the trust model behind end-to-end encryption.

The company applied stronger rate limits in October 2025 after disclosure and later addressed a separate issue on Apple devices that allowed unauthorized media retrieval.

WhatsApp reached an estimated 3.5 billion active accounts as of early 2025, placing it among the most widely used communication platforms in history.

How to stay safe

  • Limit what appears in public profile fields and avoid posting links in status messages.
  • Use strong passwords and enable two-factor authentication for better account protection.
  • Keep antivirus software updated to detect threats before they affect your account.
  • Use identity theft protection services to monitor for suspicious activity or data misuse.
  • Block unknown contacts and review account activity regularly for unusual behavior.
  • Enable a firewall to prevent malicious network access and suspicious connections.
  • Avoid unofficial WhatsApp clients and update the official app as soon as possible.
