Researchers extracted photos and statuses from 3.5 billion WhatsApp users. Meta didn't react until they reported it.

Between December 2024 and April 2025, a team from the University of Vienna identified 3.5 billion active phone numbers on WhatsApp (practically its entire user base) from a single server, without meeting much technical resistance.

They processed more than a hundred million numbers per hour and extracted not only whether an account existed, but also its public keys, profile photo, status text and device metadata. They made no attempt to hide: the same university IP address, the same server, five accounts. For four months, nobody at Meta noticed.

Why is it important. This is not the first time this weakness has been demonstrated; it had already been shown in 2012 and 2021, but never at this scale and speed. The finding exposes a structural contradiction in WhatsApp:

  1. Its architecture has to reveal whether a number is registered, so that contact discovery works…
  2. …but that functional need collides with its users' privacy.

Knowing who uses WhatsApp in countries where it is banned, such as China, Myanmar or North Korea, can have serious consequences. There they detected 2.3 million, 1.6 million and five accounts respectively (not five million, just five). The study, published a few weeks ago at NDSS 2026, shows that this gap has not only persisted but widened.

The context. The researchers developed 'libphonegen', a tool that shrinks the search space from the quadrillions of theoretically possible phone numbers to "just" 63 billion realistic candidates across 245 countries. Using unofficial WhatsApp clients that talk directly to the XMPP API, they queried these numbers at a rate of 7,000 per second. Neither their IP address was blocked nor their accounts sanctioned.
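The reduction libphonegen performs comes from the structure of national numbering plans: a mobile number is a known country code, one of a handful of assigned mobile prefixes, and a fixed number of free digits, so the candidate set is the sum over prefixes of 10^(free digits) rather than 10^(all digits). The following is an added illustration written for this page, not the Vienna team's tool; the numbering plans in it are simplified and partly constructed (a real plan has many more ranges and changes over time), and the query rate is the page's 7,000 numbers per second.

```python
"""Candidate phone-number generation from numbering-plan structure.

Illustrative example; not libphonegen. PLANS is simplified/constructed data,
not an authoritative numbering plan.
"""
from dataclasses import dataclass
from typing import Iterator


@dataclass(frozen=True)
class MobilePlan:
    country_code: str        # E.164 country calling code, without the "+"
    mobile_prefixes: tuple   # national prefixes assigned to mobile numbers
    national_length: int     # digits in the national significant number


# Simplified plans (assumption for the example): Spain's mobile numbers are 9 digits
# starting with 6 or 71-79; "XX" is a fictional country with three mobile ranges.
PLANS = {
    "ES": MobilePlan("34", ("6", "71", "72", "73", "74", "75", "76", "77", "78", "79"), 9),
    "XX": MobilePlan("999", ("70", "71", "80"), 8),
}


def candidate_count(plan: MobilePlan) -> int:
    """Numbers reachable under the plan: each prefix fixes its digits, the rest vary freely."""
    return sum(10 ** (plan.national_length - len(p)) for p in plan.mobile_prefixes)


def naive_count(plan: MobilePlan) -> int:
    """Search space if the plan were ignored and every national number of that length tried."""
    return 10 ** plan.national_length


def candidates(plan: MobilePlan) -> Iterator[str]:
    """Lazily yield every candidate in E.164 form, prefix by prefix, ascending within a prefix."""
    for p in plan.mobile_prefixes:
        free_digits = plan.national_length - len(p)
        for n in range(10 ** free_digits):
            yield f"+{plan.country_code}{p}{n:0{free_digits}d}"


def enumeration_hours(total_candidates: int, rate_per_second: float) -> float:
    """Wall-clock hours needed to try every candidate at a fixed query rate."""
    return total_candidates / rate_per_second / 3600


def summarize(plans=PLANS, rate_per_second: float = 7_000) -> dict:
    """Total candidates vs. the naive space, and the time to walk them at the given rate."""
    total = sum(candidate_count(p) for p in plans.values())
    return {
        "candidates": total,
        "naive": sum(naive_count(p) for p in plans.values()),
        "hours_at_rate": enumeration_hours(total, rate_per_second),
    }


if __name__ == "__main__":
    for cc, plan in PLANS.items():
        print(cc, candidate_count(plan), "candidates vs", naive_count(plan), "naive")
    print(next(candidates(PLANS["ES"])), "...")
    print(summarize())
```

Even these toy plans cut the space by a factor of five to thirty; the generator is lazy, so an enumerator never has to materialize the candidate list, which is why 63 billion candidates are a matter of months at a few thousand lookups per second rather than an impossible task.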

Meta did not respond until researchers explicitly reported the finding in March of this year, and countermeasures did not arrive until October, just a couple of months ago.

The figures. The resulting dataset is five times larger than the one from the 2021 Facebook scraping scandal:

  • India leads the dataset with 749 million users (21% of the total), followed by Indonesia and Brazil. Spain accounts for 46.5 million.
  • 81% use Android.
  • More than half have a public profile photo.
  • 29% have the status text visible.

Between the lines. The researchers were able to infer the operating system by analyzing initialization patterns of the cryptographic keys.

  • Android starts certain identifiers at zero.
  • iOS initializes them with random values.

This detail matters because iPhone users are higher-value targets for attackers.

They also detected that public keys are reused: 2.3 million distinct keys appeared on 2.9 million different devices. In Myanmar and Nigeria, tens of thousands of numbers shared the same key, pointing either to a faulty implementation or to outright fraud. They even found twenty US numbers whose identity key corresponds to a private key consisting only of zeros (a condition recognizable from the public key alone).

In detail. The method is not limited to confirming that accounts exist. For each one they extracted public keys, timestamps and the list of linked devices. This makes it possible to build detailed profiles without ever accessing message content.

  • The age of a device can be estimated by counting key rotations.
  • A user's "popularity" is inferred from how quickly their one-time prekeys are depleted, since one is consumed every time someone starts a new conversation with them.

The researchers downloaded 77 million profile photos from the +1 range (the prefix for the United States and Canada) in a matter of hours; 66% of them contained recognizable faces. They also found disturbing status texts, such as traffickers listing prices, business accounts advertising drugs, and publicly visible corporate email addresses belonging to governments and armed forces.

And now what. Meta has deployed probabilistic cardinality counters to cap how many distinct accounts a user can query without blocking legitimate contact discovery. It has also restricted bulk access to profile photos and status texts.
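The reason a probabilistic counter fits this job is that the thing to limit is distinct numbers per querying account, not raw request volume: a user re-syncing the same address book every day should never hit the limit, while an enumerator that never repeats a number should hit it fast, and keeping an exact set per account for billions of accounts is too expensive. The following is an added example of that design using a HyperLogLog sketch; it is not Meta's implementation, and the 5,000-number budget, the sketch size and the simulated traffic are assumptions made for the illustration.

```python
"""HyperLogLog-based cap on distinct contact-discovery lookups per account.

Added example, not Meta's code. Budget, sketch precision and traffic are assumptions.
"""
import hashlib
import math


class HyperLogLog:
    """Minimal HyperLogLog: estimates distinct items with 2**p one-byte registers."""

    def __init__(self, p: int = 14):
        self.p = p
        self.m = 1 << p
        self.registers = bytearray(self.m)
        self.alpha = 0.7213 / (1 + 1.079 / self.m)   # bias constant for m >= 128

    def add(self, item: str) -> None:
        # 64-bit hash: the top p bits pick a register, the remaining bits give the
        # position of the leftmost 1 (longer runs of leading zeros => more items seen).
        h = int.from_bytes(hashlib.sha256(item.encode()).digest()[:8], "big")
        idx = h >> (64 - self.p)
        w = 64 - self.p
        rest = h & ((1 << w) - 1)
        rho = w - rest.bit_length() + 1           # 1-based position of the leftmost 1 bit
        if rho > self.registers[idx]:
            self.registers[idx] = rho

    def count(self) -> int:
        raw = self.alpha * self.m * self.m / sum(2.0 ** -r for r in self.registers)
        if raw <= 2.5 * self.m:                   # small-range correction: linear counting
            zeros = self.registers.count(0)
            if zeros:
                raw = self.m * math.log(self.m / zeros)
        return round(raw)


class ContactDiscoveryLimiter:
    """Per-account budget of *distinct* numbers looked up; memory per account is fixed (2**p bytes)."""

    def __init__(self, max_unique: int = 5_000, p: int = 14):
        self.max_unique = max_unique
        self.p = p
        self.sketches: dict[str, HyperLogLog] = {}

    def lookup(self, account: str, numbers: list) -> tuple:
        """Record a batch of looked-up numbers; return (allowed, estimated distinct so far)."""
        sketch = self.sketches.setdefault(account, HyperLogLog(self.p))
        for n in numbers:
            sketch.add(n)
        est = sketch.count()
        return est <= self.max_unique, est


def simulate(batches: int = 20, batch_size: int = 500) -> dict:
    """Constructed traffic: a legitimate user re-syncing one address book vs. an enumerator."""
    limiter = ContactDiscoveryLimiter()
    address_book = [f"+34600{i:06d}" for i in range(batch_size)]   # constructed numbers
    legit_blocked, first_block, last_est = 0, None, 0
    for b in range(batches):
        allowed, _ = limiter.lookup("legit-user", address_book)      # same 500 numbers each time
        legit_blocked += not allowed
        fresh = [f"+34700{b * batch_size + i:06d}" for i in range(batch_size)]
        allowed, last_est = limiter.lookup("enumerator", fresh)      # 500 new numbers each time
        if not allowed and first_block is None:
            first_block = b + 1
    return {"legit_blocked_batches": legit_blocked,
            "enumerator_first_blocked_batch": first_block,
            "enumerator_estimate": last_est}


if __name__ == "__main__":
    print(simulate())
```

With p = 14 the sketch costs 16 KiB per account and estimates within about 1% at these sizes, so the legitimate user stays at an estimate of roughly 500 however often they re-sync, while the enumerator crosses the 5,000 budget around its eleventh batch of fresh numbers. Note what this does not do: it says nothing about the numbers already harvested before the cap existed, which is the point the article makes next.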

The researchers confirmed in follow-up tests that the measures work. But no countermeasure protects those who were already enumerated during the months the system was wide open.

The big question. For four months, from a university server, without even hiding their identity, they harvested practically the entire user base of the most widely used messaging app on the planet, and nobody at Meta realized until they were explicitly told.

If these researchers were able to do it under these conditions, who else did it before without telling anyone?


Featured image | Dimitri Karastelev
