Particle.news

WhatsApp Flaw Let Researchers Enumerate 3.5 Billion Accounts

Meta says it added stricter rate limits after a University of Vienna study revealed large-scale scraping.

Overview

  • University of Vienna and SBA Research investigators took advantage of the absence of effective rate limiting on the service’s contact-discovery interface to check roughly 100 million phone numbers per hour through the web client.
  • The team matched 3.5 billion phone numbers to accounts and found that about 57 percent exposed profile photos and about 29 percent had public profile text, and their analysis also surfaced duplicated encryption keys and a handful of all-zero keys.
  • The dataset included millions of users in countries where the app is banned or heavily monitored, including about 2.3 million in China and 1.6 million in Myanmar, raising surveillance and safety concerns.
  • The researchers say they reported the issue through Meta’s bug bounty and deleted their copy of the data, and Meta says messages remained end-to-end encrypted, the fields were public by user choice, and it has seen no evidence of malicious abuse.
  • A similar enumeration risk was documented by researcher Loran Kloeze in 2017, underscoring how long the problem persisted before Meta applied stricter rate-limiting by October 2025.