A team of researchers from the University of Vienna has uncovered a serious vulnerability in WhatsApp that allowed the mass gathering of user phone numbers through the contact search mechanism. They managed to collect over 3.5 billion records, effectively obtaining a database of phone numbers for most platform users. This was reported by Wired.
In addition to phone numbers, the researchers accessed profile avatars for 57% of accounts and public profile text for 29%, as WhatsApp displays this information to anyone who adds a number to their contacts. The issue was reported to Meta in April 2025, and the collected database was destroyed. In October, the company implemented stricter request rate limits to prevent mass data collection.
Meta stated that it found no evidence of malicious use of this technique, claiming that the reported information was "basic public data." However, researchers emphasize that they did not bypass any security mechanisms—such mechanisms simply did not exist. Another researcher highlighted a similar vulnerability back in 2017, but it remained unaddressed.
The analysis also revealed a significant number of accounts with publicly visible information. For instance, among 137 million numbers from the USA, 44% had publicly visible profile photos. In India, where WhatsApp is most popular, this figure reached 62%.
Researchers believe that databases of this magnitude could be appealing to spam operators or to governments in countries where WhatsApp is blocked. Among the collected data, they identified 2.3 million numbers from China and 1.6 million from Myanmar, which could pose risks to users in those regions.
The team also found repeating cryptographic keys in some accounts, which may indicate the use of unofficial WhatsApp clients, particularly by individuals engaged in fraud.
Researchers conclude that the main issue lies in using phone numbers as universal identifiers. They were not intended to serve as private or unique keys, yet in WhatsApp, they form the basis for searching and verifying accounts. Meta is already testing a nickname system as an alternative.