Overview
- A University of Vienna team automated number enumeration through WhatsApp’s contact-discovery and registration checks, confirming 3.5 billion active accounts globally.
- The scrape retrieved profile photos for about 57% of accounts and public profile texts for roughly 29%, depending on users’ privacy settings.
- Researchers said they could query around 7,000 numbers per second per session from the same IP using five accounts without being blocked, highlighting weak rate limiting.
- Country-level tallies included 43.85 million Argentine accounts and millions in places where WhatsApp is banned, such as China (about 2.3 million) and Myanmar (about 1.6 million).
- Meta was notified in April and says that it imposed stricter rate limiting in October, that it found no evidence of malicious misuse, and that end-to-end encryption protected message content. The researchers deleted their dataset but warn of phishing and impersonation risks and note that similar concerns were raised in 2017.