A team of researchers from the University of Vienna in Austria has disclosed the details of a novel enumeration technique that allowed them to scrape 3.5 billion WhatsApp accounts. WhatsApp owner Meta has rolled out mitigations to prevent exploitation of the vulnerability.
WhatsApp, similar to nearly every major communications app, enables users to connect with others based on phone numbers. When users try to find their phone contacts on WhatsApp, the company’s servers are queried to determine whether the user associated with a specific phone number is registered.
The University of Vienna researchers found a technique for enumerating WhatsApp accounts without being blocked. They generated possible phone number combinations and checked which were registered on the messaging service.
The researchers expected to encounter rate limiting, but they were able to scrape WhatsApp account data at rates of more than 100 million phone numbers per hour.
“Normally, a system shouldn’t respond to such a high number of requests in such a short time — particularly when originating from a single source,” said Gabriel Gegenhuber, lead author of the research paper. “This behavior exposed the underlying flaw, which allowed us to issue an effectively unlimited number of requests to the server and, in doing so, map user data worldwide.”
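The flaw described above is a contact-discovery lookup that answers registration status without effective per-source limits. The following added example (not code from the paper, the researchers or WhatsApp) shows the defender's view: it parses constructed lookup-log lines and flags sources whose query pattern looks like number-space enumeration (high rate, mostly unregistered numbers, sequentially generated candidates) rather than a genuine address-book sync. The log format and thresholds are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample log of contact-discovery lookups (not real data):
# "<epoch_seconds>,<source_id>,<queried_number>,<registered 0|1>"
SAMPLE_LOG = """\
1700000000,client-A,+431230000001,1
1700000001,client-A,+431230000002,0
1700000002,client-A,+431230000003,0
1700000003,client-A,+431230000004,0
1700000004,client-A,+431230000005,0
1700000005,client-A,+431230000006,1
1700000000,client-B,+436600000011,1
1700000001,client-B,+436600000012,1
1700000002,client-B,+436600000011,1
"""

def parse_log(text):
    """Turn raw log lines into (timestamp, source, number, registered) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, source, number, registered = line.split(",")
        records.append((int(ts), source, number, registered == "1"))
    return records

def source_stats(records):
    """Per source: query rate, share of hits, and how sequential the numbers are.
    A real contact sync is bursty too, so rate alone is a weak signal; a low hit
    rate over consecutive numbers is what separates enumeration from a sync."""
    by_source = defaultdict(list)
    for rec in records:
        by_source[rec[1]].append(rec)
    stats = {}
    for source, recs in by_source.items():
        recs.sort()
        numbers = sorted(int(r[2].lstrip("+")) for r in recs)
        seq_steps = sum(1 for a, b in zip(numbers, numbers[1:]) if b - a == 1)
        span = max(1, recs[-1][0] - recs[0][0])  # seconds covered by the queries
        stats[source] = {
            "queries": len(recs),
            "rate_per_s": len(recs) / span,
            "hit_rate": sum(r[3] for r in recs) / len(recs),
            "sequential_ratio": seq_steps / max(1, len(numbers) - 1),
        }
    return stats

def flag_enumerators(stats, max_rate=1.0, max_hit_rate=0.5, min_sequential=0.7):
    """Return sources that exceed all three assumed enumeration thresholds."""
    return sorted(s for s, m in stats.items()
                  if m["rate_per_s"] > max_rate
                  and m["hit_rate"] < max_hit_rate
                  and m["sequential_ratio"] >= min_sequential)
```

Flagged sources are candidates for throttling or blocking at the lookup endpoint; the thresholds would be tuned against the volume a legitimate address-book sync produces.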
They enumerated the accounts of all 3.5 billion WhatsApp users across 245 countries. The scraped data included timestamps and public keys, which enabled them to infer additional data such as account age, operating system, and the number of linked devices.
For some of the accounts the scraped data also included profile pictures and text added by users in the ‘about’ section.
The researchers compared the obtained records to the 500 million Facebook user records leaked in 2021 and found that nearly half of the phone numbers exposed in that leak were currently associated with a WhatsApp account.
The research was highlighted earlier this week by Meta in its bug bounty program report for 2025. The social media giant paid out roughly $4 million in bug bounties this year. However, the researchers have not disclosed the bounty they received and Meta said it’s not disclosing such information without the researchers’ permission.
“This collaboration successfully identified a novel enumeration technique that surpassed our intended limits, allowing the researchers to scrape basic publicly available information,” Nitin Gupta, VP of Engineering at WhatsApp, said in an emailed statement. “We had already been working on industry-leading anti-scraping systems, and this study was instrumental in stress-testing and confirming the immediate efficacy of these new defenses.”
“Importantly, the researchers have securely deleted the data collected as part of the study, and we have found no evidence of malicious actors abusing this vector,” Gupta added.
In response to an inquiry from SecurityWeek, Meta has provided additional important clarifications regarding this research.
The company pointed out that it’s not accurate to describe the researchers’ work as “exposing” or “obtaining” 3.5 billion phone numbers. The researchers generated possible number combinations and checked which of them were registered on the service in a way that “exceeded [WhatsApp’s] intended limits”.
Meta also noted that messages, contacts, or other non-public data were not exposed. The profile pictures and ‘about’ information (this is often ‘Hey, I’m using WhatsApp’ or a short text or emoji chosen by the user) were only accessible in the case of users who chose to make the information public to ‘everyone’.
WhatsApp provides privacy controls that enable users to allow only contacts to see this information or prevent everyone from seeing it.
The researchers said they gradually reported their findings to Meta throughout late 2024 and 2025, but the vendor said it only received the technical details needed to fully understand the issue in August 2025. The company said the first mitigations were rolled out in early September, and additional measures were implemented in October.