Particle.news

Researchers Mapped 3.5 Billion WhatsApp Accounts via Contact Discovery Flaw

Meta says the vector is now blocked under new anti-scraping limits.

Overview

  • The team from the University of Vienna and SBA Research exploited WhatsApp’s contact discovery to query over 100 million phone numbers per hour, confirming active accounts across 245 countries.
  • Collected data included phone numbers, public keys, timestamps, profile photos and "About" texts when set to public, enabling inferences about operating system, account age and linked devices.
  • The dataset revealed millions of active users in countries where WhatsApp is restricted, including China, Iran and Myanmar, as well as a small number in North Korea, underscoring safety risks.
  • Meta thanked the researchers, implemented rate limits and anti-scraping defenses, reported no evidence of malicious exploitation and noted that end-to-end encrypted messages were unaffected; the researchers deleted the data.
  • The work followed an initial September 2024 disclosure and precedes a formal NDSS presentation, with a sample of 77 million North American profile images illustrating re-identification concerns.