Particle.news

Researchers Mapped 3.5 Billion WhatsApp Accounts as Meta Says Flaw Is Fixed

Meta has closed a contact‑discovery loophole exposed by University of Vienna researchers.

Overview

  • Using WhatsApp’s contact discovery, the University of Vienna and SBA Research team automated lookups at a rate of more than 100 million phone numbers per hour, confirming more than 3.5 billion active accounts.
  • The collection included phone numbers, public encryption keys, timestamps, and publicly shared profile photos and About texts, enabling inferences about device type, account age, and linked devices.
  • Researchers identified large numbers of accounts in jurisdictions where WhatsApp was banned at the time, including about 2.3 million in China, 60 million in Iran, 1.6 million in Myanmar, and five in North Korea.
  • Meta says it patched the enumeration vector in coordination with the researchers, credits its bug bounty program, reports no evidence of malicious exploitation, and notes the researchers deleted the dataset.
  • The study highlights privacy and safety risks from metadata at scale, with roughly 57% of users having public profile photos and about 30% sharing Info texts, and it notes many numbers from the 2021 Facebook leak remain active on WhatsApp.