Researchers claim ‘largest leak ever’ after uncovering WhatsApp enumeration flaw

Summary

Researchers from the University of Vienna found an enumeration flaw in WhatsApp that let them confirm about 3.5 billion registered accounts by submitting generated phone numbers to the service. With a tool they built on libphonenumber to produce well-formed candidate numbers, the team probed at roughly 7,000 queries per second, reported checking over 100 million numbers per hour, and encountered no effective rate-limiting during the experiment.

The collected data was limited to what is visible to anyone who knows a number: the phone number itself, display names, profile pictures (57% of accounts had one, and two-thirds of those showed human faces) and profile text (about 29%). The researchers warn that, combined at this scale, it amounts to a reverse phonebook that can reveal sensitive details, from political views to links to accounts on other platforms, and that it can be used to target spam, phishing and robocall campaigns. They also found many active accounts tied to numbers in countries that have banned WhatsApp, highlighting the risk to users in repressive jurisdictions.

Meta/WhatsApp was notified under its bug bounty programme. WhatsApp says it had been developing anti-scraping protections and that the researchers helped test mitigations; the researchers confirm their technique is now blocked and that they deleted the data. WhatsApp emphasised that end-to-end encrypted messages were not exposed and says it has seen no evidence of malicious abuse of this vector.

Key Points

  • Researchers enumerated and confirmed 3.5 billion WhatsApp-registered phone numbers using an automated phone-number lookup approach.
  • The technique relied on generated numbers (via libphonenumber) and a high query rate (≈7,000 queries/sec), reportedly without encountering effective rate-limiting.
  • Public profile data exposed included names, profile photos (many with identifiable faces) and profile text that can reveal sensitive personal details.
  • Large-scale account lists are valuable to attackers for spam, phishing, robocalls and targeted harassment; the dataset also included numbers linked to officials and users in countries that ban WhatsApp.
  • Meta says it implemented anti-scraping systems after disclosure; researchers say they retested and were blocked, and they deleted the collected data.
  • WhatsApp stressed that end-to-end encrypted messages were not accessible and that there is no evidence of malicious actors exploiting this flaw.
  • The researchers note it took nearly a year of follow-up tickets and communication before meaningful remediation was applied.
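
The key points above describe the attack only in outline: well-formed candidate numbers, a very high query rate, and no effective rate-limiting. The following is an added example, not WhatsApp's code and not the researchers' tool, modelling the two server-side controls a lookup endpoint needs if it is to resist this pattern: a per-principal token bucket that caps throughput, and a heuristic that flags query streams shaped like a block walk. All parameters (burst, refill rate, window, thresholds), the principal names and the number lists are assumptions constructed for the demo; the 7,000 queries/s spacing is the figure from the article.

```python
"""Server-side guard for a phone-number lookup endpoint (added example).

Not WhatsApp's code: it models a per-client throughput limit and an
enumeration heuristic. Every parameter and input below is constructed.
"""
from collections import Counter, deque
import random


class TokenBucket:
    """Discrete token bucket: `burst` tokens up front, `rate` tokens/second after."""

    def __init__(self, rate, burst, now):
        self.rate = rate
        self.burst = burst
        self.tokens = burst
        self.last = now  # time of the last whole-token refill

    def take(self, now):
        whole = int((now - self.last) * self.rate)
        if whole:
            self.tokens = min(self.burst, self.tokens + whole)
            self.last += whole / self.rate  # keep the fractional credit
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class LookupGuard:
    """Returns ALLOW, RATE_LIMITED or ENUMERATION_SUSPECTED for one lookup.

    `principal` should be the authenticated account or device, not the source
    IP: an enumerator can spread its requests over many addresses.
    """

    def __init__(self, rate=5.0, burst=1000, window=60.0,
                 min_queries=100, adjacent_gap=10, seq_threshold=0.8):
        self.rate, self.burst, self.window = rate, burst, window
        self.min_queries, self.adjacent_gap = min_queries, adjacent_gap
        self.seq_threshold = seq_threshold
        self.buckets = {}   # principal -> TokenBucket
        self.recent = {}    # principal -> deque of (time, number, adjacent_to_previous)

    def check(self, principal, number, now):
        hist = self.recent.setdefault(principal, deque())
        while hist and hist[0][0] < now - self.window:
            hist.popleft()
        # A real address book rarely arrives as a run of neighbouring numbers.
        adjacent = bool(hist) and abs(number - hist[-1][1]) <= self.adjacent_gap
        hist.append((now, number, adjacent))
        if len(hist) >= self.min_queries:
            seq_frac = sum(1 for _, _, adj in hist if adj) / len(hist)
            if seq_frac >= self.seq_threshold:
                return "ENUMERATION_SUSPECTED"  # flagged lookups consume no tokens
        bucket = self.buckets.get(principal)
        if bucket is None:
            bucket = self.buckets[principal] = TokenBucket(self.rate, self.burst, now)
        return "ALLOW" if bucket.take(now) else "RATE_LIMITED"


def run_stream(guard, principal, numbers, start=0.0, interval=1.0):
    """Feed `numbers` at a fixed spacing and return the verdict counts."""
    counts = Counter()
    for i, n in enumerate(numbers):
        counts[guard.check(principal, n, start + i * interval)] += 1
    return dict(counts)


# Constructed inputs (digits-only E.164-style values on an invented prefix).
BASE = 49_151_000_000_000
rng = random.Random(7)
# A plausible contact sync: 300 unrelated numbers sent at 100 per second.
ADDRESS_BOOK = [BASE + rng.randrange(10**9) for _ in range(300)]
# An enumerator walking a block in order at the article's ~7,000 queries/s.
SEQUENTIAL_SCAN = [BASE + i for i in range(5000)]
# The same block in random order: defeats the adjacency heuristic, not the bucket.
SHUFFLED_SCAN = SEQUENTIAL_SCAN[:]
rng.shuffle(SHUFFLED_SCAN)
SCAN_INTERVAL = 1 / 7000


def demo():
    return {
        "address_book": run_stream(LookupGuard(), "user-a", ADDRESS_BOOK, interval=0.01),
        "sequential": run_stream(LookupGuard(), "bot-1", SEQUENTIAL_SCAN, interval=SCAN_INTERVAL),
        "shuffled": run_stream(LookupGuard(), "bot-2", SHUFFLED_SCAN, interval=SCAN_INTERVAL),
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:13s} {verdicts}")
```

The contact sync passes untouched, the ordered scan is flagged as soon as the window holds enough queries to judge the pattern, and the shuffled scan slips past the heuristic but exhausts its burst after a thousand lookups. That last case is the practical point: a pattern detector is a useful signal, but only a hard per-account throughput cap makes a 3.5-billion-number walk infeasible. The adjacency gap and thresholds are tunable assumptions, and a legitimate corporate address book can contain a contiguous block, so in production the flag should feed a review or step-up challenge rather than an outright ban.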

Why should I read this?

If you or your organisation uses WhatsApp, which, let's be honest, is most people, this is a big deal. The story shows how trivial it was to scoop up billions of records of public profile data and why that matters: spam, phishing, doxxing and real-world harm in countries that ban the app. End-to-end encryption protects message content, not the profile fields attached to your number, so read this to understand the risk and take sensible steps: limit what you put in your profile name, photo and text, treat unsolicited messages with suspicion, and consider separate numbers for sensitive roles.

Author note

Punchy: this isn’t just another vuln — it’s a wake-up call on how public profile fields plus weak rate-limiting become a massive privacy vector. Worth reading in full if you care about user safety, risk to people in banned jurisdictions, or platform security practices.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/11/19/whatsapp_enumeration_flaw/