Red Hot Cyber, the Italian cybersecurity blog
WhatsApp data leak: 3.5 billion numbers “stolen” by researchers at the University of Vienna

Redazione RHC: 19 November 2025 12:33

The scale of the leak, described by a team from the University of Vienna, demonstrates how dangerous the familiar contact search function of popular messaging apps can be.

WhatsApp has always emphasized the ease of adding new people: simply enter a phone number into your address book, and the service instantly reveals whether the person is registered on the app, along with their name, photo, and partial profile. However, this simplicity has become the basis for one of the largest collections of user data in history, and all of it happened without hacking or circumventing any technical barrier.

Austrian researchers decided to test whether automated phone number lookups could reveal exactly who was using WhatsApp. They began the experiment, and within a few hours it became clear that there were virtually no limits. The service allowed an unlimited number of queries via the web version, and as a result the team was able to build a database of 3.5 billion numbers, essentially gathering information on every WhatsApp user on the planet. For nearly 57% of the records they were able to obtain profile photos, and for nearly a third, text statuses, which many people use as a brief introduction to themselves.

According to the researchers themselves, this would have been the largest leak of phone numbers and public profile details ever recorded, had the data not been collected exclusively for academic purposes. They reported the discovery in the spring and deleted the entire dataset, but the system remained completely vulnerable until October, meaning a similar operation could have been carried out by anyone, from spammers to government agencies looking for activity by their citizens that they deem unwanted.

Despite Meta's assurances that increasingly effective security measures are being implemented to combat mass data collection, the Vienna team says it did not actually encounter any limitations. They emphasized that a similar issue had already been reported to WhatsApp in 2017: Dutch researcher Laurent Kloese had described a system for mass number verification and demonstrated that it could collect not only profile information but also the time spent online. Even then, the company maintained that everything worked within standard privacy settings.

Comparing the current results with those from eight years ago, it is clear how much the risk has increased. Where previously tens of millions of records were potentially accessible, now more than a third of the world's population uses the service, and a phone number itself has long ceased to be anything resembling a random value. The researchers emphasize that a phone number cannot serve as a secret identifier: the number ranges are limited, so brute-force enumeration is always possible unless there are strict limits on the number of requests.
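The missing control described above is a request limit on contact discovery. The following is an added example (not code from the article, the researchers or WhatsApp) of a per-client sliding-window limiter for a hypothetical lookup endpoint; besides a raw request cap it also caps the number of distinct phone numbers a client may probe per window, since an enumerator can stay under a plain rate cap by pacing its queries. All class and function names, thresholds and phone numbers are constructed.

```python
# Added example: sliding-window limiter for a contact-discovery endpoint.
# Two caps per client and window: total lookups, and distinct numbers probed.
from collections import deque


class ContactLookupLimiter:
    def __init__(self, max_requests=100, window_s=3600, max_distinct=500):
        self.max_requests = max_requests     # raw lookups allowed per window
        self.window_s = window_s             # window length in seconds
        self.max_distinct = max_distinct     # distinct numbers probed per window
        self._events = {}                    # client_id -> deque of (timestamp, number)

    def _prune(self, dq, now):
        # Drop events that have fallen out of the window.
        while dq and now - dq[0][0] >= self.window_s:
            dq.popleft()

    def allow(self, client_id, number, now):
        """Return True if the lookup may proceed, False if it is throttled."""
        dq = self._events.setdefault(client_id, deque())
        self._prune(dq, now)
        if len(dq) >= self.max_requests:
            return False
        distinct = {n for _, n in dq}
        # Re-checking a number already probed is fine; a new one counts against the fan-out cap.
        if number not in distinct and len(distinct) >= self.max_distinct:
            return False
        dq.append((now, number))
        return True


def simulate(limiter, client_id, numbers, start=0.0, spacing=1.0):
    """Feed lookups one after another at a fixed spacing; return how many were allowed."""
    allowed = 0
    for i, n in enumerate(numbers):
        if limiter.allow(client_id, n, start + i * spacing):
            allowed += 1
    return allowed


if __name__ == "__main__":
    lim = ContactLookupLimiter(max_requests=100, window_s=3600, max_distinct=500)
    # Constructed traffic: a normal user re-checking five contacts vs. a scraper walking a range.
    normal = ["+4366000001%02d" % (i % 5) for i in range(20)]
    scraper = ["+43660%07d" % i for i in range(5000)]
    print("normal user allowed:", simulate(lim, "app-user", normal, spacing=0.5))
    print("scraper allowed:", simulate(lim, "scraper", scraper, spacing=0.5))
```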

The team also studied profile characteristics by country. In the United States, of the 137 million numbers collected, 44% of users had public photos, while about a third had text-based statuses. In India, where WhatsApp is significantly more widely used, 62% of the 750 million profiles were public. In Brazil, the figure was almost the same: 61% of the 206 million. The more popular the service, the fewer people changed their privacy settings and the wider the circle of those who made their images and descriptions public.

Of particular concern was the discovery of millions of phone numbers in countries where WhatsApp is officially blocked. Researchers found 2.3 million such records in China and 1.6 million in Myanmar. This information allows local authorities to track down people who circumvent the bans and, in some cases, use it as a basis for criminal prosecution. There are reports of people being detained in China simply for using the app.

While analyzing the keys used in the end-to-end encryption protocol that protects messages, the team noticed another anomaly: a significant number of duplicate values. Some keys were used hundreds of times, and approximately two dozen American phone numbers were associated with a null key. The researchers suspect these belong to unofficial third-party WhatsApp clients, actively used by scammers. The behavior of some accounts with duplicate keys points the same way: they clearly appeared to be tools for fraud or mass messaging.
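The two key anomalies described above, one key shared across many numbers and a null key, are easy to surface from a directory of (phone number, public key) records. The following is an added example, not code from the article or the researchers; it assumes a 32-byte all-zero value is what "null key" means, and the records are constructed.

```python
# Added example: flag null keys and keys reused across many numbers.
from collections import defaultdict

NULL_KEY = bytes(32)   # assumption: an all-zero 32-byte key is the "null key"


def key_anomalies(records, share_threshold=3):
    """records: iterable of (number, key_bytes).
    Returns (null_numbers, shared):
      null_numbers: sorted numbers registered with the null key
      shared: key_hex -> sorted numbers, for keys held by >= share_threshold numbers."""
    by_key = defaultdict(set)
    for number, key in records:
        by_key[key].add(number)
    null_numbers = sorted(by_key.get(NULL_KEY, ()))
    shared = {key.hex(): sorted(nums) for key, nums in by_key.items()
              if key != NULL_KEY and len(nums) >= share_threshold}
    return null_numbers, shared


SAMPLE = [  # constructed records: two distinct keys, one key reused three times, two null keys
    ("+15550000001", bytes([1]) * 32),
    ("+15550000002", bytes([2]) * 32),
    ("+15550000003", bytes([7]) * 32),
    ("+15550000004", bytes([7]) * 32),
    ("+15550000005", bytes([7]) * 32),
    ("+15550000006", NULL_KEY),
    ("+15550000007", NULL_KEY),
]

if __name__ == "__main__":
    null_numbers, shared = key_anomalies(SAMPLE)
    print("null-key numbers:", null_numbers)
    for key_hex, nums in shared.items():
        print("key %s... shared by %d numbers" % (key_hex[:8], len(nums)))
```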

The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.