A significant security flaw in WhatsApp allowed researchers to identify and expose the phone numbers of virtually all of the platform’s estimated 3.5 billion users, according to a new study from the University of Vienna.
The researchers cautioned that had this massive directory been compiled by malicious actors, it would have constituted “the largest data leak in history,” dwarfing the 2021 Facebook scraping incident that compromised around 500 million records.
The vulnerability was traced to the app’s core contact discovery feature, which, due to a lack of effective rate-limiting, could be automated to scan huge ranges of phone numbers and confirm if they were registered WhatsApp accounts at an unprecedented scale.
Exposed Information
By exploiting this loophole, the Vienna team was not only able to confirm the phone numbers for all 3.5 billion accounts but also retrieve publicly available metadata:
Phone Numbers: The entire user base’s numbers were confirmed.
Profile Photos: Access was possible for users who had set this to public, affecting 57% of the accounts.
‘About’ Text: Profile text was visible for 29% of users.
Metadata: Information such as public keys for End-to-End Encryption and device type was also accessible.
“To the best of our knowledge, this marks the most extensive exposure of phone numbers and related user data ever documented,” Aljosha Judmayer, one of the researchers, told WIRED.
Delayed Response
The study also highlighted that a similar vulnerability was reportedly brought to the attention of WhatsApp and its parent company, Meta, by a different research team in 2017, but the company failed to implement a robust fix.
The Vienna researchers informed WhatsApp of their findings in April 2025. Although Meta’s initial response was described as unenthusiastic, the company eventually worked with the team to implement a stricter rate-limiting measure by October, closing the specific loophole.
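The article describes the flaw as a contact-discovery lookup that lacked effective rate-limiting, and the fix as a stricter rate-limiting measure. The following is an added example, not code from the article, the researchers or Meta, and it does not reflect WhatsApp's actual implementation: a toy lookup service with a per-client sliding-window limiter in front of it, plus a log-based check that flags clients whose lookup volume looks like enumeration. The phone numbers, the "registered" set, the client identifiers and the limits (100 lookups per 60 seconds, detection threshold of 50) are all constructed for the demonstration.

```python
from collections import deque
from typing import Iterable, Optional, Tuple


class SlidingWindowLimiter:
    """Allow at most `max_requests` calls per client within any `window_seconds` span."""

    def __init__(self, max_requests: int, window_seconds: float) -> None:
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self._hits: dict[str, deque] = {}

    def allow(self, client_id: str, now: float) -> bool:
        hits = self._hits.setdefault(client_id, deque())
        # Evict timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window_seconds:
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


class ContactDiscoveryService:
    """Toy contact-discovery endpoint: says whether a number has an account.
    With `limiter=None` it behaves like the unthrottled lookup the article describes."""

    def __init__(self, registered: set, limiter: Optional[SlidingWindowLimiter] = None) -> None:
        self.registered = registered
        self.limiter = limiter

    def lookup(self, client_id: str, number: str, now: float) -> str:
        if self.limiter is not None and not self.limiter.allow(client_id, now):
            return "rate_limited"
        return "registered" if number in self.registered else "unknown"


def simulate_scan(service: ContactDiscoveryService, client_id: str, numbers: Iterable[str],
                  start: float = 0.0, interval: float = 0.001) -> Tuple[int, int]:
    """One client queries every number in `numbers`, one per `interval` seconds.
    Returns (numbers confirmed as registered, lookups refused by the limiter)."""
    confirmed = rate_limited = 0
    now = start
    for number in numbers:
        result = service.lookup(client_id, number, now)
        if result == "registered":
            confirmed += 1
        elif result == "rate_limited":
            rate_limited += 1
        now += interval
    return confirmed, rate_limited


def flag_enumerators(lookup_log: Iterable[Tuple[float, str, str]],
                     window_seconds: float, threshold: int) -> set:
    """Detection side: return client_ids that issued more than `threshold` lookups
    within any `window_seconds` span. `lookup_log` holds (timestamp, client_id, number)."""
    flagged = set()
    windows: dict[str, deque] = {}
    for ts, client_id, _number in sorted(lookup_log):
        q = windows.setdefault(client_id, deque())
        q.append(ts)
        while q and ts - q[0] >= window_seconds:
            q.popleft()
        if len(q) > threshold:
            flagged.add(client_id)
    return flagged


# Constructed data: 10,000 sequential numbers under an unassigned country code,
# every seventh of which is "registered". None of these are real accounts.
CANDIDATE_NUMBERS = [f"+999{i:07d}" for i in range(10_000)]
REGISTERED = {n for i, n in enumerate(CANDIDATE_NUMBERS) if i % 7 == 0}


def demo() -> dict:
    no_limit = ContactDiscoveryService(REGISTERED)
    limited = ContactDiscoveryService(
        REGISTERED, SlidingWindowLimiter(max_requests=100, window_seconds=60.0))

    # Constructed lookup log: one client hammering 500 lookups in half a second,
    # one client doing five lookups spread over a minute.
    log = [(0.001 * i, "scanner", CANDIDATE_NUMBERS[i]) for i in range(500)]
    log += [(12.0 * i, "normal-user", CANDIDATE_NUMBERS[i]) for i in range(5)]

    return {
        "unlimited": simulate_scan(no_limit, "scanner", CANDIDATE_NUMBERS),
        "limited": simulate_scan(limited, "scanner", CANDIDATE_NUMBERS),
        "flagged": flag_enumerators(log, window_seconds=60.0, threshold=50),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Without a limiter the scan confirms every registered number in the block; with the 100-per-minute limit the same client confirms only the handful that fall inside its first hundred lookups and the remaining 9,900 requests are refused. The log check flags the high-volume client and leaves the ordinary user alone. In practice the limit would be keyed on something harder to rotate than a self-declared client id (account, device, or IP reputation), and the detection threshold would be tuned against legitimate address-book sync volumes.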
Meta acknowledged the security issue in a statement, thanking the University of Vienna researchers for their “responsible partnership and diligence under our Bug Bounty programme.” A spokesperson for the company said the collaboration “successfully identified a novel enumeration technique that surpassed our intended limits, allowing the researchers to scrape basic publicly available information.”
Meta stressed that the researchers had securely deleted the data collected and that no evidence of malicious actors abusing this vector was found. Furthermore, the company reassured users that “user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption.”