Particle.news

WhatsApp Flaw Let Researchers Enumerate 3.5 Billion Accounts

Meta reports the vector is closed with no evidence of prior abuse.

Overview

  • A University of Vienna and SBA Research team exploited WhatsApp’s contact discovery to query more than 100 million phone numbers per hour, confirming active accounts across 245 countries.
  • The queries exposed basic profile metadata such as phone numbers, public encryption keys, timestamps, and, when set to public, profile photos and About texts, enabling inferences about operating system, account age, and linked devices.
  • The dataset included millions of users in countries where WhatsApp is or was banned, including about 2.3 million in China, roughly 60 million in Iran, around 1.6 million in Myanmar, and five in North Korea.
  • Meta credited the researchers under its bug bounty program, said it deployed stricter rate limits and anti‑scraping defenses, reported no signs of malicious exploitation, and noted that end‑to‑end encryption kept messages private.
  • Researchers say they first notified Meta in September 2024 and saw a fuller response near paper submission. They report securely deleting the collected data and advise users to restrict profile visibility and enable two‑step verification to curb phishing risks.