WhatsApp’s Massive Security Flaw Exposed Billions


According to Wired, Austrian researchers from the University of Vienna discovered they could use WhatsApp’s contact discovery feature to extract 3.5 billion phone numbers by systematically checking every possible number combination. The team, including Aljosha Judmayer and Max Günther, found they could retrieve profile photos for 57% of the accounts they found and “about” text for 29%, while checking roughly 100 million numbers per hour. They warned Meta about the vulnerability in April 2023, but the company didn’t implement proper rate-limiting protections until October. Meta’s WhatsApp engineering VP Nitin Gupta described the exposed data as “basic publicly available information” and stated they found no evidence of malicious exploitation. The researchers called this potentially “the largest data leak in history” had it not been conducted responsibly.


How the flaw worked

Here’s the thing about WhatsApp’s design: it makes finding contacts incredibly easy. Too easy, as it turns out. When the app syncs your address book, WhatsApp’s servers answer one question per number: is it registered? If it is, the answer also carries that person’s profile picture and “about” text, unless they have restricted those to contacts only. That’s convenient when you’re adding a friend’s number. But nothing about the lookup depends on actually knowing the person, and a phone number space is small and structured (a country code followed by a fixed number of digits), so the researchers could simply generate every possible number and ask about each one. WhatsApp let them do it at an insane pace, roughly 100 million checks per hour, without rate limiting that would have stopped a single client from querying far more numbers than any address book contains. That’s the kind of scale that turns a useful feature into a massive data harvesting operation: each individual answer is harmless, and the problem is being allowed to ask billions of times.
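To make that asymmetry concrete, here is an added example (my own code, not the researchers’ tooling and not anything from WhatsApp) that simulates the enumeration against a toy contact-discovery service and then shows the two server-side controls that close it: a per-account token bucket sized for a genuine address-book sync, and a detector that flags accounts whose query volume and hit rate look like a scrape rather than a sync. The prefix +1555, the in-memory directory, the batch sizes and the thresholds are all constructed for the simulation; the 100 million lookups per hour reported by the researchers were against a vastly larger number space.

```python
"""Contact-discovery enumeration and its mitigations as a self-contained
simulation. Constructed example: fictional numbers, a toy directory held in
memory, simulated time. Not WhatsApp's code and not the researchers' tooling."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    photo_public: bool   # profile photo visible to "everyone"
    about_public: bool   # "about" text visible to "everyone"


def build_directory(prefix: str, span: int) -> dict:
    """Constructed directory: every 10th suffix under `prefix` is registered."""
    directory = {}
    for suffix in range(span):
        if suffix % 10 == 0:
            directory[f"{prefix}{suffix:05d}"] = Profile(
                photo_public=(suffix % 20 == 0), about_public=(suffix % 30 == 0))
    return directory


class TokenBucket:
    """Per-account limiter: `burst` lookups at once, refilled at `rate` per
    second. Size `burst` for an address book, not for a number space."""

    def __init__(self, burst: int, rate: float):
        self.burst, self.rate = burst, rate
        self.tokens, self.last = float(burst), 0.0

    def take(self, now: float, cost: int) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < cost:
            return False
        self.tokens -= cost
        return True


class ContactDiscovery:
    """Server side of contact sync. limiter_factory=None is the unthrottled design."""

    def __init__(self, directory: dict, limiter_factory=None):
        self.directory = directory
        self.limiter_factory = limiter_factory
        self.limiters = {}
        self.stats = {}  # account -> {"queried": set of numbers, "hits": int}

    def sync(self, account: str, numbers: list, now: float):
        """Answer 'is this number registered?' for a batch; None means throttled."""
        if self.limiter_factory is not None:
            bucket = self.limiters.setdefault(account, self.limiter_factory())
            if not bucket.take(now, cost=len(numbers)):
                return None  # a real service would answer HTTP 429 here
        st = self.stats.setdefault(account, {"queried": set(), "hits": 0})
        result = {}
        for number in numbers:
            st["queried"].add(number)
            profile = self.directory.get(number)
            if profile is not None:
                st["hits"] += 1
                result[number] = {"photo": profile.photo_public,
                                  "about": profile.about_public}
            else:
                result[number] = None
        return result


def enumerate_prefix(service, account, prefix, span, batch, seconds):
    """Attacker loop: walk every number under `prefix`, one batch per simulated second."""
    found = {}
    for t in range(seconds):
        start = t * batch
        if start >= span:
            break
        numbers = [f"{prefix}{s:05d}" for s in range(start, min(start + batch, span))]
        answer = service.sync(account, numbers, now=float(t))
        if answer:
            found.update({n: v for n, v in answer.items() if v is not None})
    return found


def flag_scrapers(service, max_distinct: int, min_hit_rate: float) -> list:
    """Detection: a real sync is small and mostly hits; a scrape is huge and sparse."""
    flagged = []
    for account, st in service.stats.items():
        queried = len(st["queried"])
        if queried and (queried > max_distinct or st["hits"] / queried < min_hit_rate):
            flagged.append(account)
    return sorted(flagged)


if __name__ == "__main__":
    directory = build_directory("+1555", 100_000)
    unthrottled = ContactDiscovery(directory)
    print("no limit    :", len(enumerate_prefix(unthrottled, "scraper", "+1555", 100_000, 1000, 100)))
    throttled = ContactDiscovery(directory, lambda: TokenBucket(burst=2000, rate=1.0))
    print("token bucket:", len(enumerate_prefix(throttled, "scraper", "+1555", 100_000, 1000, 100)))
    unthrottled.sync("alice", ["+155500010", "+155500020", "+155500033"], now=0.0)
    print("flagged     :", flag_scrapers(unthrottled, max_distinct=20_000, min_hit_rate=0.5))
```

Against the unthrottled service the scraper recovers every registered number in the prefix; with a bucket sized for a couple of thousand contacts and a slow refill it gets two batches and then nothing. The hit-rate check matters because a per-account limit only raises the cost: a scraper can spread lookups over many registered accounts, so the detector also needs to be run across whatever ties those accounts together (device, IP range, registration pattern). Note that end-to-end encryption plays no part in any of this; the directory lookup is server-side metadata.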

Meta’s response

Now, Meta’s defense here is worth examining. They’re calling this “basic publicly available information” and emphasizing that no private messages were exposed thanks to end-to-end encryption. But that misses the point, doesn’t it? End-to-end encryption protects message content; it says nothing about the directory that tells anyone who asks whether a given number is on WhatsApp. Having 3.5 billion phone numbers confirmed as active accounts, and in many cases paired with a photo and profile text, is a comprehensive dataset whatever each individual record is worth on its own. The fact that researchers had warned about similar issues back in 2017 makes you wonder why it took until 2023 to implement proper rate limiting. It’s good they fixed it eventually, but six years is a long time for a weakness affecting billions.

Broader implications

This incident reveals something fundamental about platform security. Features designed for convenience often create massive attack surfaces. WhatsApp wanted to make onboarding seamless, but that same simplicity enabled what could have been history’s biggest data scrape. And honestly, if academic researchers could pull this off so easily, what about sophisticated bad actors? The researchers published their methodology in a detailed paper, so the technique is now public. Any platform that answers “is this number registered?” for a client-supplied list faces the same enumeration problem, and other messaging platforms should be checking right now that their own contact discovery is rate-limited for the size of an address book rather than the size of a number space.

What comes next

Looking forward, we’re probably going to see more of these large-scale scraping incidents as platforms balance usability against security. The scary part? This wasn’t some complex zero-day exploit. It was a feature used exactly as intended, just at industrial scale. Meta says they’ve implemented “industry-leading anti-scraping systems,” but we’ve heard that before. The real test will be whether other researchers can still find ways to extract data at scale. Meanwhile, users can set the visibility of their profile photo and “about” text to “My contacts” rather than “Everyone”, with the caveat that this hides the photo and text but not the fact that the number is registered. More generally, assume that if a feature makes something easy for you, it might make it easy for everyone else too.
