Cybersecurity researchers have revealed a serious glitch in WhatsApp that allowed them to access data linked to about 3.5 billion accounts worldwide.
The discovery raises privacy concerns and highlights risks tied to WhatsApp’s contact discovery system.
According to the Daily Mail, although users' messages remained encrypted, the researchers said they were able to harvest vast quantities of metadata.
“This allowed them to discover personal information, including phone numbers, location, type of device, and the age of someone's account,” the international news agency said.
They noted that a team from the University of Vienna and SBA Research carried out the study.
They exploited WhatsApp’s feature that checks whether phone numbers in a user’s address book are registered on the platform.
“By automating this process, they queried more than 100 million phone numbers per hour, across 245 countries,” the Daily Mail wrote.
The researchers said this exposed public data such as phone numbers, timestamps, public keys, and, for users who had not restricted their privacy settings, profile photos and “About” texts.
The Daily Mail wrote that, in their analysis, the researchers were also able to infer other metadata such as the user’s operating system, how old the account is, and how many linked devices (such as WhatsApp Web) a user has.
“This behaviour exposed the underlying flaw, which allowed us to issue effectively unlimited requests to the server and, in doing so, map user data worldwide,” said lead author Gabriel Gegenhuber from the University of Vienna.
According to the researchers, more than 57 per cent of the exposed accounts had a publicly visible profile photo, and 29 per cent included “About” text.
In some cases, the researchers also discovered security oddities around WhatsApp’s encryption; a small number of accounts shared public keys.
The Daily Mail noted that the researchers speculate this may stem from the use of unofficial or compromised versions of WhatsApp.
Crucially, the Daily Mail said the team notified Meta, WhatsApp’s owner, in April 2025, via its bug bounty program.
They noted that, by October 2025, Meta had implemented stricter rate-limiting measures to curb the issue.
Meta responded by thanking the researchers, stressing that the researchers had deleted the data they gathered, and asserting there was “no evidence of malicious actors abusing this vector.”
The company also noted, “User messages remained private and secure thanks to WhatsApp’s default end-to-end encryption, and no non-public data was accessible to the researchers.”
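The fix the article attributes to Meta is stricter rate limiting on the contact-discovery lookup. The following is an added illustration of that mitigation, not code from the article, from WhatsApp or from the researchers: a per-client sliding-window quota on the number of phone numbers that may be checked, plus a cap on batch size, so that a normal address-book sync succeeds while a client trying to check numbers in bulk is cut off once its quota is spent. The registry contents, the `ContactDiscoveryService` API and the limit figures are all constructed assumptions chosen to show the mechanism.

```python
"""Rate-limited contact-discovery lookup (added example, hypothetical service).

Assumptions (not from the article): a single `lookup(client_id, numbers, now)`
call answers which submitted numbers are registered; the registry is an
in-memory set of constructed sample numbers; limits are illustrative values.
"""
import time
from collections import deque

# Constructed sample registry of registered numbers (not real data).
REGISTERED = {"+15550000001", "+15550000002", "+15550000003"}

MAX_BATCH = 100          # numbers accepted in one request (hypothetical figure)
WINDOW_SECONDS = 3600.0  # sliding window length in seconds
MAX_PER_WINDOW = 1000    # numbers one client may query per window (hypothetical)


class RateLimited(Exception):
    """Raised when a client has exhausted its lookup quota for the window."""


class ContactDiscoveryService:
    def __init__(self, registered, max_batch=MAX_BATCH,
                 window=WINDOW_SECONDS, max_per_window=MAX_PER_WINDOW):
        self.registered = set(registered)
        self.max_batch = max_batch
        self.window = window
        self.max_per_window = max_per_window
        # client_id -> deque of (timestamp, numbers_checked), oldest first
        self._history = {}

    def _prune(self, client_id, now):
        hist = self._history.setdefault(client_id, deque())
        while hist and now - hist[0][0] >= self.window:
            hist.popleft()
        return hist

    def remaining(self, client_id, now=None):
        """How many more numbers this client may check in the current window."""
        now = time.monotonic() if now is None else now
        used = sum(count for _, count in self._prune(client_id, now))
        return max(0, self.max_per_window - used)

    def lookup(self, client_id, numbers, now=None):
        """Return the submitted numbers that are registered, enforcing limits.

        Oversized batches are rejected outright; once the client's per-window
        quota is used up, further requests raise RateLimited until old
        requests age out of the window.
        """
        now = time.monotonic() if now is None else now
        if len(numbers) > self.max_batch:
            raise ValueError(f"batch of {len(numbers)} exceeds {self.max_batch}")
        hist = self._prune(client_id, now)
        used = sum(count for _, count in hist)
        if used + len(numbers) > self.max_per_window:
            raise RateLimited(f"{client_id} over quota ({used} used)")
        hist.append((now, len(numbers)))
        return sorted(n for n in numbers if n in self.registered)


def simulate_bulk_scan(service, client_id, total_numbers, batch, now=0.0):
    """Submit `total_numbers` constructed numbers in batches and report how many
    were accepted before the service throttled the client."""
    accepted = 0
    for start in range(0, total_numbers, batch):
        chunk = [f"+1555{i:07d}" for i in range(start, min(start + batch, total_numbers))]
        try:
            service.lookup(client_id, chunk, now=now)
        except RateLimited:
            break
        accepted += len(chunk)
    return accepted


if __name__ == "__main__":
    svc = ContactDiscoveryService(REGISTERED)
    # A normal client syncing a small address book is served.
    print(svc.lookup("phone-a", ["+15550000001", "+15559999999"], now=0.0))
    # A client checking thousands of numbers is stopped at the quota.
    print(simulate_bulk_scan(svc, "scanner", 2000, 100, now=0.0))
    print(svc.remaining("scanner", now=0.0), svc.remaining("scanner", now=3600.0))
```

Keying the quota on an authenticated client identity (the account or device) is what gives the limit teeth; the same structure can be layered with a global ceiling per time unit, and in production the counters would live in shared storage so that every frontend enforces the same budget.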
Despite the fix, the researchers warn that the issue underscores a deeper challenge.
"Relying on phone numbers for identifying users at this scale may always be risky," they said.
Security experts said the findings are a stark reminder that "Even tools built for convenience like discovering contacts via phonebook can be abused."
"More concerningly, researchers discovered that half of the 500 million phone numbers exposed in the 2021 Facebook leak were still active on WhatsApp," the Daily Mail said.