Overview
- Researchers at the University of Vienna and SBA Research automated WhatsApp Web’s contact discovery at about 100 million checks per hour, identifying roughly 3.5 billion active accounts across 245 countries.
- The collection pulled publicly visible metadata, including profile photos (about 57% of accounts), status texts (about 29%) and some public keys, raising phishing, spam and profiling risks, while message contents remained encrypted.
- The team disclosed the issue to Meta in April and deleted its dataset; Meta introduced stronger rate limits in October to curb large-scale enumeration.
- WhatsApp’s Nitin Gupta said the company found no evidence of malicious exploitation and characterized the exposed items as basic information visible under users’ privacy settings.
- Country analysis highlighted concentrations in India (~750 million), Indonesia (~235 million), Brazil (~206 million) and Italy (~55 million), with users also present in restricted markets such as Iran (~59 million) and China (~2.3 million).