WhatsApp security flaw leaks data from 3.5 billion accounts

Personal details from more than 3.5 billion WhatsApp accounts were harvested by researchers in Austria. Image: Zarif Faiaz/Tech & Startup

Researchers in Austria say a flaw in WhatsApp allowed them to collect data on more than 3.5 billion accounts in what they describe as the largest leak in history, reports Wire.

The issue arises from a long-standing feature that lets users search for other people on WhatsApp by entering their phone numbers. By generating 63 billion numbers with a tool based on Google's libphonenumber, the team was able to check which ones were registered on the platform and retrieve associated details.

According to their report, they queried WhatsApp at a rate of about 7,000 numbers per second per session, confirming around 3.5 billion active accounts. They said they encountered no meaningful blocking or rate limiting, and that their IP address and accounts were not restricted during the process.

For each confirmed number, WhatsApp returned basic profile information. More than 57% of active accounts in the dataset had a profile picture, two thirds of which contained a human face. The researchers warn this could be used to build a reverse phonebook in which a person's image can be tied to their phone number and identity.

Around 29% of accounts included profile text. While often treated as trivial, the study suggests this content can expose sensitive details, including sexual orientation, political views, drug use, links to other platforms such as LinkedIn or Tinder, and professional email addresses. In some cases, the team said, they were able to link numbers to government and military officials.

The dataset also contained millions of active WhatsApp accounts associated with numbers from countries where the service is banned, including China, Myanmar and North Korea. Other states, such as Iran and Senegal, have imposed temporary bans in the past. In jurisdictions where users can face punishment for circumventing such restrictions, the existence of these accounts could carry additional risk.

The researchers also examined how long leaked data remains useful. Comparing their records with the Facebook scraping incident of 2021, which exposed details from 533 million profiles, they found around half of those phone numbers were still active on WhatsApp.

They warn that large, validated lists of active numbers are valuable to cybercriminals, providing a reliable basis for spam, phishing and robocall campaigns. They argue that the ease and scale of enumeration in this case highlight the need for stronger rate limiting and privacy protections on messaging platforms.
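The rate limiting the researchers call for can be sketched as a per-account cap on how many distinct numbers may be looked up within a sliding window. This is an added example, not code from WhatsApp or from the researchers; the class name, the thresholds and the sample log are assumptions constructed for illustration, and a real service would also key the same budget on IP address and device.

```python
from collections import OrderedDict, defaultdict

class LookupLimiter:
    """Cap on DISTINCT numbers one account may look up per sliding window.
    Re-checking numbers already seen (a normal address-book sync) is free."""

    def __init__(self, max_distinct=200, window_s=3600.0):  # assumed thresholds
        self.max_distinct = max_distinct
        self.window_s = window_s
        self._seen = defaultdict(OrderedDict)  # account -> {number: last lookup time}

    def allow(self, account, number, now):
        seen = self._seen[account]
        # Drop numbers whose last lookup has aged out of the window (oldest first).
        while seen and now - next(iter(seen.values())) >= self.window_s:
            seen.popitem(last=False)
        if number in seen:
            seen[number] = now
            seen.move_to_end(number)
            return True
        if len(seen) >= self.max_distinct:
            return False  # budget spent: refuse; a real service would also alert
        seen[number] = now
        return True

def replay(limiter, events):
    """events: (timestamp, account, number) tuples; returns {account: [allowed, denied]}."""
    tally = defaultdict(lambda: [0, 0])
    for ts, account, number in sorted(events):
        tally[account][0 if limiter.allow(account, number, ts) else 1] += 1
    return dict(tally)

def sample_events():
    """Constructed log; +999 is not an assigned country code."""
    # "phonebook": one user re-syncing the same 150 contacts three times.
    events = [(r * 600.0, "phonebook", f"+999{i:07d}") for r in range(3) for i in range(150)]
    # "sweeper": 7,000 sequential numbers in one second, the per-session rate reported.
    events += [(i / 7000, "sweeper", f"+999{5000000 + i:07d}") for i in range(7000)]
    return events

if __name__ == "__main__":
    print(replay(LookupLimiter(), sample_events()))
```

Counting distinct numbers rather than raw requests is what separates the two sessions: the repeated contact sync never touches the cap, while the sequential sweep is cut off after its first 200 lookups.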
