WhatsApp Flaw Exposed Over 3.5 Billion Accounts Worldwide
Researchers from the University of Vienna and SBA Research identified a privacy vulnerability in WhatsApp’s contact discovery mechanism that enabled enumeration of more than 3.5 billion active accounts worldwide. Meta addressed the weakness following responsible disclosure. The findings were published in a preprint and will be presented at the NDSS Symposium in 2026.
“Normally, a system should not respond to such a high number of requests in such a short time, particularly when originating from a single source,” says Gabriel Gegenhuber, Researcher, University of Vienna. “This behavior exposed the underlying flaw, which allowed us to issue an effectively unlimited number of requests to the server and, in doing so, map user data worldwide.”
The discovery originated from an ongoing research effort by the University of Vienna and SBA Research to analyze how design choices in end-to-end encrypted messaging platforms can expose user metadata. WhatsApp uses a contact discovery process that matches the phone numbers in a user’s address book with its database. The same mechanism, when queried at scale, enabled the confirmation of more than 3.5 billion active accounts across 124 countries.
This investigation builds on previous studies from the same institutions. These projects examined privacy risks related to silent delivery receipts and cryptographic key distribution. One of these studies received the Best Paper Award at RAID 2025. All findings referenced are attributed to the University of Vienna and SBA Research.
The researchers demonstrated that the platform’s infrastructure allowed more than 100 million phone-number queries per hour. The accessible data points were identical to what any user can see when they already know a phone number: public keys, timestamps, phone number, and optional fields such as “about” text or profile picture. No message content was accessed or retrieved.
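The weakness described above is the absence of a per-source budget on contact-discovery lookups. As an added defensive illustration (not the researchers' code and not how WhatsApp's servers are built), the following sliding-window limiter caps the number of phone numbers one source may look up per window and replays a constructed lookup log; the class, function names, thresholds and log entries are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample of contact-discovery lookups: (timestamp in seconds, source id, batch size).
# "client-a" syncs an address book of a few hundred numbers; "client-b" submits large
# batches back to back, the pattern behind bulk enumeration of the user base.
SAMPLE_LOG = [
    (0, "client-a", 300),
    (1, "client-b", 5000),
    (2, "client-b", 5000),
    (3, "client-b", 5000),
    (3600, "client-a", 300),
    (3601, "client-b", 5000),
]


class LookupRateLimiter:
    """Sliding-window cap on phone numbers resolved per source (hypothetical design)."""

    def __init__(self, max_numbers, window_seconds):
        self.max_numbers = max_numbers
        self.window = window_seconds
        self.history = defaultdict(deque)  # source -> deque of (timestamp, batch_size)
        self.used = defaultdict(int)       # source -> numbers resolved inside the window

    def check(self, ts, source, batch_size):
        """Return True if the batch may be served, False if it exceeds the source's budget."""
        q = self.history[source]
        # Drop entries that have aged out of the window before counting the new batch.
        while q and ts - q[0][0] >= self.window:
            _, old = q.popleft()
            self.used[source] -= old
        if self.used[source] + batch_size > self.max_numbers:
            return False  # rejected batches resolve nothing, so no account data leaks
        q.append((ts, batch_size))
        self.used[source] += batch_size
        return True


def audit(log, max_numbers=10000, window_seconds=3600):
    """Replay a lookup log; return {source: (numbers served, numbers rejected)}.

    A source with a non-zero rejected count is a candidate enumeration client.
    """
    limiter = LookupRateLimiter(max_numbers, window_seconds)
    totals = defaultdict(lambda: [0, 0])
    for ts, source, n in sorted(log):
        totals[source][0 if limiter.check(ts, source, n) else 1] += n
    return {source: tuple(counts) for source, counts in totals.items()}
```

Running `audit(SAMPLE_LOG)` serves the address-book client in full while rejecting the third bulk batch from the enumerating client, and the budget is replenished only once the oldest batch ages out of the window.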
Based on these limited data points, the researchers inferred additional information, including operating system, approximate account age, and the number of companion devices linked to an account. These findings were documented in the study “Hey there! You are using WhatsApp”, authored by the University of Vienna and SBA Research.
The team also identified millions of active WhatsApp accounts in countries where the platform is officially banned, among them China, Iran, and Myanmar. They also documented global distribution patterns: Android represented 81% of accounts, while iOS represented 19%. Patterns in public profile information varied significantly by region.
The researchers also found that nearly one-half of the phone numbers included in Facebook’s 2021 dataset remained active on WhatsApp. The dataset originated from a scraping incident in 2018 and was widely circulated. Persistence of these numbers indicates continued exposure to risks such as scam calls or other misuse.
In a small number of cases, cryptographic key reuse appeared across different devices or numbers. According to the University of Vienna and SBA Research study, these instances may indicate the use of unofficial clients or fraudulent practices.
Meta collaborated with the research team under its Bug Bounty program. “We had already been working on anti-scraping systems, and this study was instrumental in stress-testing and confirming the immediate efficacy of these new defenses,” says Nitin Gupta, Vice President of Engineering, WhatsApp. Gupta says that Meta found no evidence of malicious actors exploiting the vulnerability. All retrieved data was deleted by the researchers prior to publication.
“End-to-end encryption protects message content, but not the associated metadata. Our work shows that privacy risks can also arise when metadata is collected and analyzed on a large scale,” says Aljosha Judmayer, Researcher, University of Vienna.
The authors emphasize that continuous, independent evaluation is necessary for large-scale communication platforms. They argue that collaboration between researchers and industry, combined with transparent disclosure processes, improves privacy protections and reduces the potential for misuse.