3.5B WhatsApp users' info scooped through enumeration flaw (The Register)

Researchers in Austria used a flaw in WhatsApp to gather the personal data of more than 3.5 billion users, in what they believe amounts to the largest data leak in history.

The messaging platform allows users to look up others' details by inputting their phone numbers. The feature, which has been part of the platform for years, can be abused to enumerate user data, including phone number, name and, in some cases, their profile image, if they have one set.

Using this feature, the researchers were able to gather user details at a rate of over 100 million accounts per hour by plugging in 63 billion phone numbers generated using a tool they built using the underlying tech of Google's libphonenumber.

In typical settings, platforms would rely on rate limiting to prevent this kind of abuse, but WhatsApp still allowed enumeration on this scale without the researchers encountering blocking or effective rate limiting.

The researchers wrote [PDF]: "To our surprise, neither our IP address nor our accounts have been blocked by WhatsApp. Moreover, we did not experience any prohibitive rate-limiting. With our query rate of 7,000 phone numbers per second and session, we could confirm 3.5 billion phone numbers registered on WhatsApp, exceeding the 'more than 2 billion' people officially stated by WhatsApp."

More than 57 percent of the active accounts they enumerated had a profile picture, two-thirds of which contained detectable human faces, which the researchers said could be used to build a "reverse phonebook" where a person's image reveals other details about them.

Around 29 percent had text in their profile that could also build a fuller picture of each user.

Reporters, researchers and other interested parties can often look at the coverage of data breaches, see that only basic personal information is included, and conclude that the severity of these incidents realistically is fairly low, given that this is often in the public domain already.

However, the text included in profiles could in some cases reveal additional sensitive information about the user, such as their sexual orientation, political views, drug use and trafficking, links to other platforms such as LinkedIn and Tinder, and professional email addresses.

Regarding the latter, the researchers were able to link enumerated phone numbers to government and military officials too.

Furthermore, several countries ban WhatsApp. China, Myanmar and North Korea are notable examples, while other countries, like Iran and Senegal, have previously instituted bans and later rescinded them.

However, millions of active WhatsApp accounts were associated with phone numbers registered in these countries, a revelation consistent with WhatsApp boss Will Cathcart's previous admission.

Countries such as China are known for persecuting people for breaking rules such as circumventing bans on WhatsApp and other platforms. The consequences can reportedly include detention and being sent to re-education camps.

Less critical, but still pertinent, is the potential for abuse by cybercriminals and troublemakers.

The researchers said: "Large-scale databases of registered phone numbers can be misused by attackers. Since a registered number typically indicates an active device, these lists are a reliable basis for spam, phishing, or robocall attacks."

They also said it raises the question of how long this information remains valid, and therefore open to abuse.

Taking the data from the great Facebook data scrape of 2021, which saw the phone numbers, locations, email addresses, birthdays and marital statuses of 533 million people's profiles collected, the research team found that half of the phone numbers were still active among the 3.5 billion records they collected from WhatsApp.

The Register asked Meta for more information, including whether it has implemented any additional protections after the researchers disclosed the potential for abuse via its bug bounty program.

The tech giant did not address the efficacy or existence of additional security measures following the researchers' submission in its response, but said it was already working on anti-scraping systems.

Nitin Gupta, VP of engineering at WhatsApp, said: "We are grateful to the University of Vienna researchers for their responsible partnership and diligence under our Bug Bounty program. This collaboration successfully identified a novel enumeration technique that surpassed our intended limits, allowing the researchers to scrape basic publicly available information.

"We had already been working on industry-leading anti-scraping systems, and this study was instrumental in stress-testing and confirming the immediate efficacy of these new defenses. Importantly, the researchers have securely deleted the data collected as part of the study, and we have found no evidence of malicious actors abusing this vector.

"As a reminder, user messages remained private and secure thanks to WhatsApp's default end-to-end encryption, and no non-public data was accessible to the researchers."

We also spoke to Gabriel Gegenhuber, a PhD candidate at the University of Vienna and researcher at SBA Research, who co-authored the paper, and he confirmed that Meta's response was effective at preventing its methods.

He told us: "We supported Meta/WhatsApp with our knowledge in their remediation and re-testing process.

"As part of that process, we have tried the exact same steps as for the original study, but were blocked swiftly. So we can confirm there are countermeasures in place now.

"This was, of course, not a detailed security audit of the entire WhatsApp infrastructure.

"As usual in security, the existence of security/privacy issues is easier to prove than their non-existence."

He also pointed to the disclosure timeline as set out in the paper, and how it took Meta nearly a year to provide a meaningful response to the numerous tickets they raised throughout the research process.

Meta only requested a conference call to discuss the findings, and asked the team members to delay publication, after they supplied the company with a preprint of their paper and notified them of their intention to publish.

"However, as soon as they realized the extent of the issue, they took it seriously and reacted promptly," said Gegenhuber.
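The absence of rate limiting and blocking described above is something a defender can check for in the lookup service's own logs, and enforce at the service. The Python below is an added illustration, not code from the researchers, from The Register, or from WhatsApp. It assumes a hypothetical log format of one contact-lookup per line (`<timestamp> <client> <number> <hit|miss>`), constructed sample data with invented client names, and thresholds chosen for the illustration. It flags a client on two heuristics: a high peak lookup rate inside a one-second window, and a high miss ratio over a large number of lookups, since a sweep of generated numbers resolves to no account much of the time, whereas a genuine address-book sync mostly resolves. It also includes the enforcement counterpart, a per-client sliding-window limiter of the kind the article says platforms typically rely on.

```python
"""Detect and limit phone-number enumeration in contact-lookup logs.

Assumed (hypothetical) log line format, one lookup per line:
    <unix_ts> <client_id> <e164_number> <hit|miss>
"hit" means the queried number belongs to a registered account.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


def build_sample_log():
    """Constructed sample data, not real traffic.

    sync-client: an ordinary address-book sync, 30 numbers over a minute,
                 two of which are not registered.
    sweep-client: 400 consecutive numbers fired in under a second, with
                  roughly half resolving to no account.
    """
    lines = []
    for i in range(30):
        result = "miss" if i in (7, 19) else "hit"
        lines.append(f"{1000.0 + 2 * i:.1f} sync-client +43660{100000 + 37 * i:06d} {result}")
    for i in range(400):
        result = "hit" if i % 2 else "miss"
        lines.append(f"{2000.0 + i / 500:.3f} sweep-client +43660{200000 + i:06d} {result}")
    return lines


@dataclass
class LookupStats:
    window: deque = field(default_factory=deque)  # timestamps inside the sliding window
    hits: int = 0
    total: int = 0
    peak_rate: int = 0  # most lookups seen inside any one window


def analyse(lines, window_s=1.0, max_per_window=50, min_total=100, max_miss_ratio=0.2):
    """Return {client: [reasons]} where an empty list means nothing suspicious."""
    stats = defaultdict(LookupStats)
    for line in lines:
        ts, client, _number, result = line.split()
        ts = float(ts)
        s = stats[client]
        s.total += 1
        s.hits += result == "hit"
        s.window.append(ts)
        # Evict timestamps that fell out of the window (log is time-ordered per client).
        while s.window and ts - s.window[0] > window_s:
            s.window.popleft()
        s.peak_rate = max(s.peak_rate, len(s.window))

    verdicts = {}
    for client, s in stats.items():
        reasons = []
        if s.peak_rate > max_per_window:
            reasons.append(f"{s.peak_rate} lookups within {window_s}s")
        miss_ratio = 1 - s.hits / s.total
        # Only judge the miss ratio once there is enough volume to be meaningful.
        if s.total >= min_total and miss_ratio > max_miss_ratio:
            reasons.append(f"miss ratio {miss_ratio:.0%} over {s.total} lookups")
        verdicts[client] = reasons
    return verdicts


def flag_enumerators(lines, **kwargs):
    """Sorted list of clients that tripped at least one heuristic."""
    return sorted(c for c, reasons in analyse(lines, **kwargs).items() if reasons)


class SlidingWindowLimiter:
    """Enforcement side: allow at most `limit` lookups per client per `window_s`."""

    def __init__(self, limit=50, window_s=1.0):
        self.limit, self.window_s = limit, window_s
        self.events = defaultdict(deque)

    def allow(self, client, ts):
        q = self.events[client]
        while q and ts - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over budget: reject instead of answering the lookup
        q.append(ts)
        return True


if __name__ == "__main__":
    for client, reasons in analyse(build_sample_log()).items():
        print(client, "->", reasons or "ok")
```

Run stand-alone it prints the verdict per client; only `sweep-client` trips both heuristics. In production the thresholds would be tuned against the observed distribution of legitimate address-book syncs, and the limiter keyed on more than one dimension (account, device, IP) so that a single key cannot be rotated to dodge it.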
Copyright © 1998–2025. All rights reserved.