A new security study has revealed that the widely used messaging platform WhatsApp was vulnerable to mass enumeration of user phone numbers, potentially exposing 3.5 billion accounts across the globe.
What Went Wrong
Researchers from the University of Vienna and associated security teams discovered that WhatsApp’s “contact discovery” function—which allows users to check whether a phone number has a WhatsApp account—could be abused at very large scale.
By systematically submitting billions of phone-number queries, they were able to identify active accounts and, for a large share of them, the public profile photo and "About" text. Their findings include:
- Over 3.5 billion distinct WhatsApp user accounts enumerated worldwide.
- For approximately 57% of those accounts, profile pictures (when publicly set) were also accessible.
- For about 29%, public profile status text (“About” field) could be discovered.
- The enumeration exploited the absence of effective rate limiting on the discovery endpoint: the researchers could test tens of millions to hundreds of millions of numbers per hour from a single server.
Meta / WhatsApp’s Response
Meta Platforms, the parent company of WhatsApp, responded by saying the data exposed was "basic publicly-available information," such as phone numbers and public profile elements, and indicated it had found no evidence of malicious exploitation.
Meta noted that, as of October 2025, it had implemented stricter rate limiting to prevent large-scale enumeration.
Why the Issue Matters for Pakistan and Beyond
- Privacy at scale: With over 3 billion monthly active users reported for WhatsApp globally, this issue touches a significant portion of the world’s mobile communications.
- Target-rich environment: In countries like Pakistan where WhatsApp is widely used both for personal and business communication, exposed phone numbers plus public profile data increase risk of spam, targeted scams, social engineering and identity threats.
- Risk in restricted jurisdictions: The researchers found active WhatsApp accounts in countries where the platform is banned (e.g., China, Myanmar, Iran) — meaning enumeration could aid surveillance of dissidents or blocked communities.
- Long-standing design weakness: The vulnerability stemmed from a feature designed for ease of finding contacts. Researchers pointed out that Meta had been warned in 2017 about similar enumeration risks, yet the issue remained unmitigated for years.
What Users & Organisations Should Do
- Change privacy settings: Users should restrict who can see their profile picture, status and "About" text (WhatsApp offers "Everyone", "My contacts", "My contacts except..." and "Nobody" for each). This does not hide the fact that a number is registered, but it limits what an enumeration run can collect beyond the number itself.
- Use alternate identifiers: Whenever supported, move away from using a phone number as the only public identifier, especially for business or public-facing accounts.
- Remain vigilant for spam/phishing: With numbers potentially harvestable en masse, the risk of targeted scam campaigns increases; organisations should educate employees about suspicious messages, including ones that arrive with a correct name and profile photo.
- For businesses using WhatsApp-based services: review any integration that exposes the business's or customers' phone numbers, and make sure the privacy design of those integrations is sound.
While the flaw has been mitigated, the incident underscores a broader message: end-to-end encryption protects message content, not the metadata around it, so even highly trusted platforms can leak who is on the service, and what their public profile shows, at scale through unintended avenues. For developers and security teams, the takeaway is to treat phone numbers as sensitive identifiers, budget and rate-limit any lookup endpoint that answers "is this identifier registered?" per client rather than per request, and monitor public-facing discovery features for clients whose query pattern looks like range walking rather than contact syncing.
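The two controls named above, a per-client lookup budget and monitoring of the discovery endpoint, shown as an added example in Python. This is illustrative code written for this article, not WhatsApp or Meta code, and everything in it is assumed: the endpoint, the client identifiers, the hourly budget of 500 numbers, the log line format and the sample log lines are all constructed. The limiter counts numbers rather than requests, so splitting a large query into small batches (the obvious workaround to the rate limiting described on this page) gains nothing; the detector uses the hit ratio as a secondary signal, on the assumption that a genuine contact sync mostly hits registered numbers while walking a number range mostly misses.

```python
# Added example (not WhatsApp/Meta code): a sliding-window lookup budget for a
# hypothetical contact-discovery endpoint, plus an offline detector that scans
# constructed request logs for clients behaving like enumerators.
import re
import time
from collections import defaultdict, deque


class RateLimited(Exception):
    """Raised when a client's lookup budget for the window is exhausted."""


class DiscoveryRateLimiter:
    """Per-client budget of distinct number lookups in a sliding window.

    The budget counts numbers, not requests, so splitting one huge query
    into many small batches buys the caller nothing.
    """

    def __init__(self, max_lookups=500, window_seconds=3600, now=time.monotonic):
        self.max_lookups = max_lookups
        self.window_seconds = window_seconds
        self.now = now                       # injectable clock for tests
        self._events = defaultdict(deque)    # client_id -> deque[(t, count)]

    def _prune(self, client_id, t):
        q = self._events[client_id]
        while q and q[0][0] <= t - self.window_seconds:
            q.popleft()
        return q

    def used(self, client_id):
        """Numbers looked up by this client inside the current window."""
        return sum(count for _, count in self._prune(client_id, self.now()))

    def allow(self, client_id, n_numbers):
        """Reserve n_numbers for the client, or refuse the whole batch."""
        t = self.now()
        q = self._prune(client_id, t)
        if sum(count for _, count in q) + n_numbers > self.max_lookups:
            return False
        q.append((t, n_numbers))
        return True


def contact_discovery(limiter, client_id, numbers, registered):
    """Answer 'is this number registered?' for a batch, under the budget.

    `registered` stands in for the account database (constructed set).
    """
    numbers = set(numbers)                   # duplicates cost nothing extra
    if not limiter.allow(client_id, len(numbers)):
        raise RateLimited(client_id)         # serve as HTTP 429 in practice
    return {n: n in registered for n in numbers}


# Detection side: constructed log lines for one hour of traffic (assumed
# format). A real contact sync has a high hit ratio because most of a user's
# contacts are registered; walking a number range barely hits anything.
LOG_RE = re.compile(r"client=(\S+) batch=(\d+) hits=(\d+)")
SAMPLE_LOG = """\
2025-10-01T12:00:14Z POST /contacts/discover client=phone-7f3a batch=120 hits=97
2025-10-01T12:00:21Z POST /contacts/discover client=srv-0c11 batch=250 hits=9
2025-10-01T12:03:02Z POST /contacts/discover client=srv-0c11 batch=250 hits=11
2025-10-01T12:05:40Z POST /contacts/discover client=phone-7f3a batch=40 hits=33
2025-10-01T12:06:11Z POST /contacts/discover client=srv-0c11 batch=250 hits=8
2025-10-01T12:09:58Z POST /contacts/discover client=web-aa90 batch=60 hits=2
""".splitlines()


def flag_enumerators(log_lines, max_lookups=500, min_hit_ratio=0.2):
    """Return {client_id: (numbers_looked_up, hit_ratio, reasons)} for clients
    that exceed the hourly budget or whose hit ratio looks like range walking."""
    totals = defaultdict(lambda: [0, 0])     # client -> [looked_up, hits]
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        client, batch, hits = m.group(1), int(m.group(2)), int(m.group(3))
        totals[client][0] += batch
        totals[client][1] += hits
    flagged = {}
    for client, (looked, hits) in totals.items():
        ratio = hits / looked if looked else 0.0
        reasons = []
        if looked > max_lookups:
            reasons.append("over_budget")
        if ratio < min_hit_ratio:
            # Weak on its own: a business importing a cold customer list also scores low.
            reasons.append("low_hit_ratio")
        if reasons:
            flagged[client] = (looked, round(ratio, 3), reasons)
    return flagged


class FakeClock:
    """Deterministic clock so the limiter's window can be exercised offline."""
    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    limiter = DiscoveryRateLimiter(max_lookups=500, window_seconds=3600, now=clock)
    registered = {"+923001234567", "+923331234567"}   # constructed account set
    print(contact_discovery(limiter, "phone-7f3a", ["+923001234567", "+923009999999"], registered))
    try:
        contact_discovery(limiter, "srv-0c11", [f"+92300{i:07d}" for i in range(600)], registered)
    except RateLimited as e:
        print("blocked:", e)
    print(flag_enumerators(SAMPLE_LOG))
```

In the constructed log, `srv-0c11` is flagged on both signals (750 numbers in an hour, about 4% hits), `phone-7f3a` looks like a normal sync, and `web-aa90` trips only the hit-ratio heuristic, which is why that signal is reported as a reason rather than acted on by itself. In a real deployment the client key would be the authenticated account plus its device, with a second, coarser budget per source IP or autonomous system so that one actor cannot simply register many accounts.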
For regulators and policymakers in Pakistan and other markets, this could trigger revisions in telecom and data-privacy rules, especially around how mobile platforms protect metadata and restrict large-scale data harvesting.