Overview
- University of Vienna researchers automated WhatsApp’s contact-discovery checks to confirm roughly 3.5 billion registered numbers worldwide.
- Public profile fields were retrievable at scale, including photos for about 57% of accounts and “about” texts for about 29%.
- The team queried up to roughly 7,000 numbers per second from a handful of accounts and a single IP without being blocked, then deleted their dataset after notifying Meta.
- Meta acknowledges the issue, reports no evidence of malicious exploitation, and says end-to-end encryption kept messages private.
- Country-level tallies show heavy exposure in India and Brazil and millions of entries in places where WhatsApp is banned, prompting warnings about fraud and the risks of phone-number–based identity.