Overview
- Using WhatsApp Web’s contact discovery with no effective rate limiting, the Austrian team queried about 100 million numbers per hour across 245 countries.
- They confirmed roughly 3.5 billion active accounts, with about 57% exposing profile photos and about 29% showing public “about” text.
- The researchers reported the issue and deleted the dataset, and by October Meta had deployed stricter rate limits and anti‑scraping protections.
- The harvested data could enable spam, fraud, or state surveillance, with millions of active accounts observed in banned markets, including 2.3 million in China and 1.6 million in Myanmar.
- Analysis of public keys found duplicated and even all‑zero keys, likely linked to unauthorized clients, reinforcing the researchers’ warning that phone numbers are weak global identifiers.