Overview
- A University of Vienna and SBA Research team exploited WhatsApp’s contact discovery to query roughly 100 million phone numbers per hour and enumerate about 3.5 billion accounts worldwide.
- Collected data included phone numbers plus public fields such as profile photos for about 57% of accounts and status texts for about 29%, along with inferred metadata like operating system, account age, and connected devices.
- The researchers followed ethical guidelines and report deleting the dataset before publication; WhatsApp acknowledged the work through its bug-bounty program.
- Meta says message contents were never accessible and reports no indication of malicious exploitation to date, and it has deployed rate‑limiting and stricter profile‑visibility rules to block mass scraping.
- Experts warn that exposed metadata heightens risks of phishing, spam, and surveillance, including for users in countries where WhatsApp use is restricted, and they advise enabling two‑factor authentication and tightening privacy settings.