WhatsApp Phone Number Enumeration Exposes 3.5 Billion User Accounts

CyberSecureFox 🦊

Researchers from the University of Vienna have demonstrated how a legitimate feature in WhatsApp can be turned into a powerful tool for mass data scraping. By abusing the platform’s phone-number search capability, the team was able to confirm the existence of more than 3.5 billion active WhatsApp accounts, making this one of the largest documented exposures of user metadata in the history of messaging apps.

How WhatsApp phone number enumeration enabled massive data collection

WhatsApp allows users to be discovered and added via their phone numbers. This “search by number” feature is not a vulnerability by itself, but the study shows it can be weaponized through phone number enumeration—the automated generation and checking of large volumes of phone numbers to see which ones are registered on a service.

The researchers relied on Google libphonenumber, a widely used library that generates syntactically valid phone numbers for different countries. They created around 63 billion potential numbers and automatically queried WhatsApp’s interfaces to test whether each number was associated with an account. Their tools achieved a rate of about 7000 requests per second without meaningful rate limiting or IP blocking from WhatsApp.

This lack of effective throttling allowed the team to validate more than 100 million accounts per hour, ultimately confirming over 3.5 billion registered numbers. The figure significantly exceeds WhatsApp’s officially reported base of roughly 2 billion monthly active users, indicating a large volume of inactive, secondary or long-abandoned accounts still present in the system.

What user metadata was exposed through WhatsApp scraping

The content of messages remained protected by end-to-end encryption and was not accessible. However, the attack exposed account-level metadata, which is often sufficient to build detailed user profiles. According to the study, more than 57% of discovered accounts had a visible profile photo. Around two-thirds of these images contained recognizable faces, enabling potential facial recognition or cross-matching with social networks.

Approximately 29% of users had a public text status (the “About” field). Many of these statuses contained highly sensitive personal information such as sexual orientation, political views, links to LinkedIn or Tinder profiles, corporate email addresses and other identifiers. By combining numbers, profile photos, and status text, the researchers were able to link some accounts to government employees and military personnel, significantly increasing the intelligence value of such a database.

In the broader threat landscape, similar metadata sets have historically been used for targeted phishing, credential stuffing, social engineering and doxxing. The large-scale leak of Facebook phone-number records uncovered in 2021, for example, originated from comparable enumeration and scraping of a “find friends” feature, underlining the systemic nature of this risk.

Heightened risk in countries where WhatsApp is blocked

The research also highlights specific threats for users in jurisdictions where WhatsApp is officially banned, including China, Myanmar, North Korea and several other states. Despite formal blocking, the team identified millions of active WhatsApp accounts tied to phone numbers from these regions, indicating use via VPNs or proxy services.

In such environments, simply having a detectable WhatsApp account can create serious legal and personal security risks. A compiled database of active numbers, cross-referenced by country, job role or affiliation, could be used by state or non-state actors for surveillance, political intimidation or law-enforcement targeting, far beyond ordinary spam or fraud.

Meta’s response and new anti-scraping protections in WhatsApp

The vulnerability was reported to Meta through its bug bounty program. According to the researchers, a substantive response arrived only about a year later, after they submitted a preprint of their academic paper and notified the company of the impending publication. This timeline raises questions about industry responsiveness to scraping-based privacy risks, which often fall into a gray area between “feature” and “abuse”.

Nitin Gupta, WhatsApp’s Vice President of Engineering, later thanked the team for what he called “responsible partnership” and stated that the findings had been used as a stress test for new anti-scraping systems. Following Meta’s mitigations, the researchers reported that their enumeration methods no longer worked as before: test accounts were rapidly blocked, and anti-bot and rate-limiting mechanisms became substantially stricter.

The team confirmed that all collected data was permanently deleted. Meta, in turn, stated it had found no evidence that the same technique had been exploited at scale by malicious actors in the wild and re-emphasized that end-to-end encryption remained uncompromised.

Systemic lessons: enumeration and scraping as structural privacy threats

Why metadata exposure is as dangerous as content compromise

This incident illustrates that breaking encryption is not necessary to undermine privacy. In many cases, enumerating identifiers (such as phone numbers, usernames or email addresses) and scraping associated public fields is enough to build powerful intelligence datasets. Messaging apps, social networks, classifieds platforms and any service with “search by identifier” are exposed to this class of risk.

Metadata—who uses which service, from which country, with which job, interests or affiliations—can be more valuable than message content for profiling, surveillance and psychological operations. Intelligence and cybercriminal groups routinely correlate such datasets with breached databases, open social media profiles and corporate leaks to create detailed dossiers on individuals and organizations.

Recommendations for users and service providers

For users, especially those in high-risk roles or jurisdictions, several practical steps can reduce exposure. WhatsApp’s privacy settings should be configured so that profile photo, “About” status, and last seen are visible only to contacts or to nobody, rather than to everyone by default. Sensitive information—employer names, political opinions, personal links and work email addresses—should not be placed in public statuses or profile names.

High-risk users and organizations can further improve operational security by using separate phone numbers for personal and professional communication, and by conducting regular reviews of publicly visible metadata across messaging apps and social networks.

For service providers, the study underscores the need to design discovery features with built-in abuse resistance: strong rate limiting, behavioral analysis, device fingerprinting, CAPTCHAs and anomaly detection tuned not only for classic account takeover, but also for large-scale enumeration and scraping. As demonstrated by both this WhatsApp case and previous incidents at major platforms, treating metadata as fully public is no longer tenable in a world of industrialized data harvesting.
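To make the provider-side recommendation concrete, here is an added illustration (not code from the study, from WhatsApp or from Meta) of how a "find account by phone number" endpoint can combine three of the controls named above: a per-caller sliding-window budget, a hit-rate check, and detection of lookups that walk sequentially through a number block. All thresholds, caller names, phone numbers and the registered-account set are constructed assumptions chosen so the example runs offline; a real deployment would tune them against its own traffic and pair them with device fingerprinting and account-level signals.

```python
from collections import defaultdict, deque


class LookupGuard:
    """Abuse controls for a 'search by phone number' endpoint (added example).

    Three independent signals; every threshold below is an assumed policy value:
      * sliding-window request budget per caller (classic rate limiting),
      * miss rate: a caller whose lookups mostly target unregistered numbers
        is guessing numbers, not syncing an address book,
      * sequential walk: lookups stepping +1, +1, +1 come from a generator,
        not from real contacts.
    """

    def __init__(self, max_per_window=60, window_seconds=60.0,
                 min_sample=20, max_miss_rate=0.5, max_sequential=10):
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self.min_sample = min_sample          # answered lookups before the miss-rate check applies
        self.max_miss_rate = max_miss_rate    # legitimate syncs still miss a few contacts not on the service
        self.max_sequential = max_sequential
        self.timestamps = defaultdict(deque)  # caller -> request times inside the window
        self.total = defaultdict(int)         # caller -> answered lookups
        self.misses = defaultdict(int)        # caller -> lookups of unregistered numbers
        self.last_number = {}                 # caller -> previous number as an integer
        self.sequential = defaultdict(int)    # caller -> consecutive +1 steps
        self.blocked = set()

    def check(self, caller, number, now, registered):
        """Return ('allow', exists), ('throttle', None) or ('block', None).

        `registered` stands in for the account database; whether a number has
        an account is only revealed for lookups that are allowed."""
        if caller in self.blocked:
            return "block", None

        window = self.timestamps[caller]
        while window and now - window[0] > self.window_seconds:
            window.popleft()
        if len(window) >= self.max_per_window:
            return "throttle", None           # budget exhausted: not answered, not counted
        window.append(now)

        exists = number in registered
        self.total[caller] += 1
        if not exists:
            self.misses[caller] += 1

        digits = int(number.lstrip("+"))
        if self.last_number.get(caller) == digits - 1:
            self.sequential[caller] += 1
        else:
            self.sequential[caller] = 0
        self.last_number[caller] = digits

        guessing = (self.total[caller] >= self.min_sample
                    and self.misses[caller] / self.total[caller] > self.max_miss_rate)
        walking = self.sequential[caller] >= self.max_sequential
        if guessing or walking:
            self.blocked.add(caller)
            return "block", None              # the triggering lookup is withheld as well
        return "allow", exists


# Constructed account database: 25 numbers in one Austrian-looking block (not real accounts).
REGISTERED = {f"+43155501{i:02d}" for i in range(0, 100, 4)}


def constructed_events():
    """Constructed traffic: (caller, number, timestamp) tuples for four caller profiles."""
    events = []
    # Address-book sync: 20 known contacts plus 4 friends not on the service, one lookup every 2 s.
    nums = ([f"+43155501{i:02d}" for i in range(0, 80, 4)]
            + [f"+43155502{j:02d}" for j in (5, 17, 33, 61)])
    events += [("sync-user", n, 0.0 + k * 2.0) for k, n in enumerate(nums)]
    # Enumeration that walks +1 through the block, one lookup per second.
    events += [("walker", f"+43155501{i:02d}", 100.0 + i) for i in range(40)]
    # Enumeration of generated numbers with a step of 3: never +1, but mostly unregistered.
    events += [("guesser", f"+43155501{i * 3:02d}", 200.0 + i) for i in range(34)]
    # Burst of valid lookups far above the per-minute budget (200 requests in 10 s).
    events += [("flooder", f"+43155501{(k * 4) % 100:02d}", 300.0 + k * 0.05) for k in range(200)]
    return events


def simulate(events, registered, guard=None):
    """Run lookup events through the guard and tally decisions per caller."""
    guard = guard or LookupGuard()
    tally = defaultdict(lambda: defaultdict(int))
    for caller, number, now in events:
        decision, _ = guard.check(caller, number, now, registered)
        tally[caller][decision] += 1
    return {caller: dict(counts) for caller, counts in tally.items()}


if __name__ == "__main__":
    for caller, counts in simulate(constructed_events(), REGISTERED).items():
        print(f"{caller:10s} {counts}")
```

With these constructed inputs the address-book sync is fully allowed (its four misses stay well under the tolerance), the sequential walker is cut off after ten +1 steps, the step-of-3 guesser is blocked as soon as twenty answered lookups show a 75% miss rate, and the flooder is throttled after its sixty-request budget. The point of the hit-rate and sequence signals is that they do not depend on volume alone: a scraper that stays under the per-caller budget, as the 7000-requests-per-second figure above suggests was never necessary, still looks nothing like a user syncing contacts.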
