Overview
- University of Vienna researchers say WhatsApp’s contact-discovery design allowed automated checks of more than 100 million phone numbers per hour.
- The team reports confirming roughly 3.2–3.5 billion active accounts across 245 countries and harvesting registration and profile metadata.
- Exposed details included phone numbers, public keys, timestamps, profile photos and “About” text, plus inferences such as operating system, account age and linked devices.
- Message content was not exposed because WhatsApp uses end-to-end encryption, and Meta says it has closed the vulnerability and found no signs of misuse.
- The researchers describe first notifying Meta on September 5, 2024, and receiving scant engagement until August 2025; they were later paid a $10,000 bounty.
- The researchers also say their data revealed usage in countries where WhatsApp is officially banned.