- Researchers in Vienna demonstrated the mass enumeration of numbers on WhatsApp on a global scale.
- 3.5 billion numbers were obtained; a profile picture was exposed for 57% of them and public status text for 29%.
- Meta implemented speed limits in October and claims that message encryption was not affected.
- The risk includes targeted scams and exposure in countries where WhatsApp is banned.

An academic investigation has put a spotlight on a security flaw in WhatsApp's contact discovery system which, when exploited on a large scale, allowed phone numbers to be verified and profile data to be associated with them en masse. The finding describes how a routine app process can become, if repeated at an industrial pace, a source of information exposure.
The study, led by a team from the University of Vienna, demonstrated that it was possible to check the existence of accounts for billions of number combinations through the web version, without effective blocks for months. According to the authors, if that process had not been carried out responsibly, we would be talking about one of the largest data exposures ever documented.
How the gap materialized: mass enumeration

The problem was not about breaking the encryption, but about a conceptual weakness: the service's contact lookup feature. WhatsApp allows users to check whether a phone number is registered; repeating this check automatically and on a large scale opened the door to global tracking.
The Austrian researchers used the web interface to continuously test numbers, reaching an approximate rate of 100 million checks per hour without any effective speed limits during the analyzed period. That volume made an unprecedented extraction possible.
The result of the experiment was conclusive: they were able to obtain the phone numbers of 3.5 billion WhatsApp accounts. In addition, they were able to associate publicly available profile data with a significant portion of that sample.
Specifically, the team noted that profile pictures were accessible in 57% of cases, and public status texts or additional information in 29%. Although these fields depend on each user's configuration, their exposure at scale amplifies the risk.
- 3.5 billion numbers verified as registered on WhatsApp.
- 57% with a publicly accessible profile picture.
- 29% with searchable profile text.
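To make the mechanism concrete, the following is an added example (not the researchers' code and not anything from WhatsApp or Meta): a simulated contact-discovery check, a per-client sliding-window rate limit of the kind Meta later deployed, and a simple heuristic that flags a client whose queries walk a number range instead of syncing a scattered address book. The registration set, client ids and phone numbers are all constructed.

```python
from collections import defaultdict, deque

class LookupLimiter:
    """Sliding-window cap on contact-discovery checks per client (added example)."""
    def __init__(self, max_lookups, window_seconds):
        self.max_lookups = max_lookups
        self.window_seconds = window_seconds
        self._events = defaultdict(deque)   # client_id -> timestamps of allowed checks

    def allow(self, client_id, now):
        q = self._events[client_id]
        while q and now - q[0] >= self.window_seconds:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.max_lookups:
            return False
        q.append(now)
        return True

# Constructed stand-in for the service's registration database (hypothetical numbers).
REGISTERED = {"+431000000007", "+431000000042", "+431000000100"}

def lookup(limiter, client_id, number, now):
    """One contact-discovery check: 'registered', 'unknown', or 'throttled'."""
    if not limiter.allow(client_id, now):
        return "throttled"
    return "registered" if number in REGISTERED else "unknown"

def enumeration_score(numbers):
    """Share of successive queries that differ by exactly 1. A range walk scores
    near 1.0; a genuine address-book sync (scattered numbers) scores near 0."""
    if len(numbers) < 2:
        return 0.0
    ints = [int(n.lstrip("+")) for n in numbers]
    steps = sum(1 for a, b in zip(ints, ints[1:]) if abs(b - a) == 1)
    return steps / (len(ints) - 1)

def simulate_scan(limiter, client_id, start, count, interval):
    """A scripted client checking `count` consecutive numbers, `interval` seconds apart.
    Returns the outcome counts and the enumeration score of what it queried."""
    queried, outcomes = [], defaultdict(int)
    for i in range(count):
        number = f"+{start + i}"
        queried.append(number)
        outcomes[lookup(limiter, client_id, number, i * interval)] += 1
    return dict(outcomes), enumeration_score(queried)

if __name__ == "__main__":
    capped = LookupLimiter(max_lookups=50, window_seconds=60)
    print(simulate_scan(capped, "client-1", 431000000000, 200, 0.01))
```

Without a cap the same 200 checks all succeed and reveal every registered number in the range; with 50 checks per minute only the first 50 go through, and the score of 1.0 is the signal a defender would alert on long before the cap is reached.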
Prior warnings that were not heeded in time

The enumeration weakness was not entirely new: already in 2017, the Dutch researcher Loran Kloeze warned that it was possible to automate the checking of numbers and associate them with visible data. That warning foreshadowed the current situation.
The recent Vienna work took that idea to the extreme and showed that dependence on the telephone number as a unique identifier remains problematic. As the authors point out, phone numbers are not designed to act as secret credentials, but in practice they fulfil that role in many services.
Another relevant conclusion of the study is that much of the personal information retains its value over time: the team found that 58% of the phone numbers exposed in the 2021 Facebook leak are still active on WhatsApp today, which facilitates correlations and persistent campaigns.
Besides the numbers, the mass query process allowed certain technical metadata to be inferred, such as the type of client or operating system used and the presence of desktop versions, which adds surface area for profiling.
Meta's response: speed limits and official stance

The researchers reported the finding to Meta in April and deleted the generated database after validating it. The company, for its part, implemented stricter rate limiting measures in October to block large-scale enumeration via the web.
In statements sent to specialized media outlets, Meta expressed gratitude for the notification through its bug bounty program and emphasized that the information displayed was what each user had configured as visible. The company also stated that it had found no evidence of malicious abuse of this method.
The company insisted that messages remained protected by end-to-end encryption and that no non-public data was accessed. There was no indication that the cryptographic system had been broken.
After several technical meetings, WhatsApp rewarded the research with $17,500. For the team, the process served to measure and test the effectiveness of the new defenses deployed after the notification.
Real risks: from fraud to targeting in countries with bans
Beyond the technical aspects, the main impact of this exposure is practical. With a phone number and visible profile information, it becomes much easier to build social engineering campaigns and targeted scams that exploit each victim's contextual information.
The researchers also identified millions of active accounts in territories where WhatsApp is banned, such as China, Iran or Myanmar. The visibility of these numbers could have personal or legal consequences for users in high-surveillance contexts.
The massive availability of valid phones enhances the spam, doxxing and phishing with a higher level of accuracy, especially when the profile picture or public text provides clues about identity, employment, or linked social networks.
It is worth remembering that, once added to huge databases, information can circulate for years, combining with other leaks to enrich profiles and increase the effectiveness of the attacks.
Europe and Spain: why it matters here
In Spain and the rest of the EU, where WhatsApp is ubiquitous, exposure of information on this scale raised concern about its potential impact on millions of users and businesses. Although Meta corrected the enumeration method, the incident reopens the debate about a design that relies on the phone number.
The case, involving a European university team, serves as a reminder that even features designed for convenience, like finding contacts instantly, can become vectors of risk if they do not have solid and continuously verified defenses.
It also highlights the need to configure privacy settings carefully. If the profile picture or public text reveals more information than necessary, its widespread exposure becomes a threat multiplier for private and professional users.
For European organizations and administrations with security obligations, limiting data visibility and strengthening internal verification procedures outside the app helps to reduce the attack surface of impersonation or fraud campaigns.
What you can do right now
In the absence of an alternative identifier, the best defense for the user is to adjust the profile privacy options and adopt prudent messaging habits.
- Restrict profile picture and information to “My contacts” or “Nobody”.
- Avoid including sensitive data or personal links in your status text.
- Be wary of unexpected messages, even if they show your name or photo.
- Verify any urgent or payment requests through a secondary channel.
Although the specific avenue for mass enumeration has been closed, this episode shows that the combination of public identifiers and small oversights in controls can lead to enormous exposures. Keeping what others can see of your account to a minimum limits the impact of future harvesting techniques.
The Austrian research showed that a common function could be exploited on an industrial scale to validate billions of numbers and associate visible profiles with them. Meta has tightened the limits and maintains that there is no evidence of abuse, but the social engineering risks, the findings in countries with bans and the persistence of the data highlight the need to review phone number-based design and to encourage stricter privacy habits among European users.
