- Researchers in Austria demonstrated that WhatsApp's contact discovery feature allowed them to enumerate 3.5 billion phone numbers.
- Profile pictures (57%) and profile texts (29%) of accounts with open visibility were also accessed.
- Meta implemented rate-limiting measures in October and states there is no evidence of malicious abuse; end-to-end encryption remained intact.
- Risks: spam, phishing and doxxing, with an impact in Spain and Europe; recommendations to strengthen privacy.
An academic investigation has put WhatsApp on the ropes by demonstrating that massive, automated use of its contact discovery feature allowed researchers to confirm which phone numbers use the app. The Vienna-based team systematically tested number combinations and identified 3.5 billion numbers registered with the messaging service.
It was not an attack on the servers or a complex intrusion, but the exploitation of predictable behaviour: the feature that tells you whether a number is on WhatsApp. As a side effect, the researchers were also able to collect profile pictures for 57% of the accounts and, for another 29%, the public profile text, wherever users had not restricted that visibility.
What was discovered and how it was carried out
The method was so-called "enumeration": automating queries against WhatsApp's contact discovery mechanism to check whether each number has an associated account. Since there were no effective limits during the study, the system allowed tens of millions of numbers per hour to be checked, until the sweep practically covered the planet.
The group notified Meta in April and deleted the generated database after validating the scope of the problem. According to the sources cited, the company implemented a stricter rate limit in October 2025 which prevents this type of sweeping on an industrial scale.
The figures illustrate the magnitude of the discovery: in the United States, out of 137 million confirmed numbers, 44% showed a photo and 33% showed profile text; in India, image visibility reached 62%, and in Brazil, 61%. Millions of accounts were even detected in countries with restrictions, such as China (2.3 million) or Myanmar (1.6 million), which could facilitate the identification of users in repressive contexts.
The warning did not come out of nowhere. Back in 2017, the researcher Loran Kloeze pointed out that mass verification of numbers was feasible if clear limits were not placed on the queries. Eight years later, the Viennese team demonstrated that this risk remained.
What Meta says and what didn't happen
Nitin Gupta, WhatsApp's vice president of engineering, thanked the researchers for the report and emphasized that the information displayed depended on each user's settings. The company maintains that its anti-scraping systems have been reinforced and that there is no evidence of prior malicious abuse. He also recalled that end-to-end encryption was never compromised.
For their part, the authors point out that it was not necessary to bypass sophisticated defenses: they took advantage of a design flaw in the very logic of contact discovery and of the absence of sufficiently strict query limits.
Impact in Spain and Europe
In Spain, where WhatsApp is almost ubiquitous, the exposure of visible numbers and metadata puts the spotlight on privacy under the GDPR. Although messaging remains encrypted, the combination of phone number, photo and profile text facilitates targeted fraud, phishing or impersonation campaigns that affect individuals and businesses.
Europe accounts for a substantial portion of WhatsApp's user base: according to the researchers, around 18% of accounts are located in the region. European data protection authorities and the Spanish Data Protection Agency (AEPD) are expected to examine whether the measures introduced by Meta are sufficient to prevent similar mass data collection in the future.
What you can do now
To reduce your public footprint, review the app's privacy settings and restrict as far as possible who can see your data. Specifically, set your profile picture, "About" text and "last seen"/"online" visibility to "My contacts" (or "Nobody"), activate two-step verification and monitor which devices have an open session.
- Set the profile picture and the "About" information to "My contacts" or "Nobody".
- Activate two-step verification and do not share the PIN or codes.
- Limit who can add you to groups and be wary of shortened links or promotions.
- Block and report suspicious calls or messages, and avoid replying so as not to confirm that the number is active.
In the corporate environment, establishing policies for the work use of WhatsApp, minimizing personal data in statuses or photos, and training employees against social engineering significantly reduce exposure to automated campaigns.
What's next for WhatsApp?
WhatsApp has been testing the possibility of unique usernames, a path that, if consolidated, could reduce dependence on the telephone number as the main identifier and curb mass enumeration.
In addition to the new rate limit, experts recommend further measures: detection of anomalous query patterns, controls by geographic origin, strengthened human verification, and more restrictive policies for APIs and web clients to deter large-scale scraping.
The case demonstrates that a function designed for convenience can become an exposure vector when it scales unchecked: enumeration allowed the confirmation of 3.5 billion numbers and access to visible profile data. With the fix now active and no evidence of widespread abuse, the lesson for users in Spain and Europe is clear: exercise extreme caution against fraud and demand strong controls from the platforms to prevent something like this from happening again.
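As an added illustration (not code from the study, Meta or WhatsApp), the following Python sketch shows how two of the controls just mentioned, a per-client rate limit and anomaly detection, might look on a contact-discovery lookup endpoint; the thresholds, client names and traffic are constructed for the example.

```python
from collections import Counter, deque

HOUR = 3600  # sliding-window length in seconds


class ContactDiscoveryGuard:
    """Per-client guard for an 'is this number registered?' lookup.
    hourly_budget: sliding-window limit on lookups per client.
    run_cap: flag a client whose lookups form a long run of consecutive
    numbers, the signature of a sweep rather than an address-book sync.
    Thresholds are illustrative, not the platform's."""

    def __init__(self, hourly_budget=1000, run_cap=50):
        self.hourly_budget = hourly_budget
        self.run_cap = run_cap
        self._times = {}    # client -> deque of lookup timestamps
        self._last = {}     # client -> (last number as int, current run length)
        self.flagged = set()

    def check(self, client, number, now):
        """Return 'allow', 'throttle' or 'flag' for a single lookup."""
        if client in self.flagged:
            return "flag"
        times = self._times.setdefault(client, deque())
        while times and now - times[0] >= HOUR:   # drop lookups older than an hour
            times.popleft()
        last, run = self._last.get(client, (None, 0))
        run = run + 1 if last is not None and int(number) == last + 1 else 1
        self._last[client] = (int(number), run)
        if run >= self.run_cap:                  # anomalous pattern: sequential sweep
            self.flagged.add(client)
            return "flag"
        if len(times) >= self.hourly_budget:     # over budget: do not answer
            return "throttle"
        times.append(now)
        return "allow"


def simulate():
    """Constructed traffic: one legitimate sync and two enumeration styles."""
    guard = ContactDiscoveryGuard(hourly_budget=1000, run_cap=50)
    out = {"sync": Counter(), "sequential": Counter(), "scattered": Counter()}
    for i in range(300):    # address-book sync: 300 unrelated numbers
        out["sync"][guard.check("phone-A", str(34600000000 + i * 7919), i * 0.01)] += 1
    for i in range(5000):   # sweep of consecutive numbers, 1000 per second
        out["sequential"][guard.check("bot-B", str(34600000000 + i), i * 0.001)] += 1
    for i in range(3000):   # scattered sweep, fast but non-consecutive
        out["scattered"][guard.check("bot-C", str(34600000000 + i * 7919), i * 0.001)] += 1
    return out
```

The sync is fully answered, the consecutive sweep is flagged after 49 lookups, and the scattered sweep is cut off at the hourly budget, which is why both controls are needed together.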