Overview
- Researchers at the University of Vienna and SBA Research automated WhatsApp’s contact discovery via the web client, confirming accounts at a rate of more than 100 million numbers per hour across 245 countries.
- Public metadata was widely retrievable, including profile photos for about 57% of accounts and “about” text for roughly 29%.
- The team reported the issue through Meta’s bug bounty, deleted the dataset, and says the company tightened anti-scraping controls by October 2025.
- Researchers warn the compiled phone numbers could aid scammers or help authorities identify users in countries where WhatsApp is banned.
- Analysis also surfaced duplicate or malformed cryptographic keys on some accounts, pointing to possible use of unofficial clients rather than a flaw in end-to-end encryption.