A new international research study has revealed a long-standing privacy flaw in the WhatsApp contact discovery feature that allowed attackers to enumerate and confirm the active phone numbers of 3.5 billion users worldwide. Conducted over six months across 245 countries, the study exposes one of the largest data exposures ever observed in a consumer messaging platform — despite repeated warnings to Meta dating back nearly a decade.
The vulnerability exploited a simple convenience feature: when a user enters a phone number, WhatsApp checks whether it corresponds to an active account. Because the rate limits on this lookup were extremely loose, researchers found they could automate queries at over 100 million checks per hour, effectively mapping massive portions of WhatsApp’s global user base.
A Global Privacy Gap Hidden in Plain Sight
WhatsApp’s design meant that an attacker could verify whether a number was active and retrieve public-facing profile information like display names, photos, “about” messages, and business metadata. For 29.3 percent of enumerated users, the “about” text contained sensitive personal or political details — creating dangerous overlaps with identity theft, phishing, SIM-swap attacks, and doxxing.
The researchers also discovered 2.9 million key-reuse collisions, including identity key and prekey repetitions that, if exploited through modified or unofficial WhatsApp clients, could degrade encryption guarantees. Around twenty U.S. phone numbers displayed an all-zeroes public key, suggesting either a broken implementation or malicious use.
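To make the key-reuse finding concrete, here is an added example (not the study's tooling and not WhatsApp code) that audits a constructed snapshot of per-account identity keys and prekeys for the two anomalies described: all-zero public keys and the same key published under more than one account. The record format, field names, hex encoding and 32-byte key length are assumptions.

```python
"""Audit a constructed snapshot of (phone number, identity key, prekey) records
for all-zero public keys and keys shared by distinct accounts.
Example code added here; the data is made up, not real user data."""
from collections import defaultdict

KEY_LEN = 32  # assumed Curve25519 public key length in bytes

# Constructed sample: two accounts share an identity key, one publishes an
# all-zero identity key, and two share a prekey.
SNAPSHOT = [
    {"number": "+15550000001", "identity_key": "aa" * 32, "prekey": "01" * 32},
    {"number": "+15550000002", "identity_key": "bb" * 32, "prekey": "02" * 32},
    {"number": "+15550000003", "identity_key": "aa" * 32, "prekey": "03" * 32},
    {"number": "+15550000004", "identity_key": "00" * 32, "prekey": "04" * 32},
    {"number": "+15550000005", "identity_key": "cc" * 32, "prekey": "02" * 32},
]


def is_all_zero(key_hex: str) -> bool:
    """True if the hex string decodes to KEY_LEN zero bytes."""
    key = bytes.fromhex(key_hex)
    return len(key) == KEY_LEN and key == b"\x00" * KEY_LEN


def find_zero_keys(records, field="identity_key"):
    """Numbers whose key in `field` is all zeroes (broken or malicious)."""
    return sorted(r["number"] for r in records if is_all_zero(r[field]))


def find_key_collisions(records, field):
    """Map each key to the distinct numbers publishing it; keep keys seen
    under two or more accounts, which should never happen for fresh keys."""
    owners = defaultdict(set)
    for r in records:
        owners[r[field].lower()].add(r["number"])
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}


def audit(records):
    """Run both checks over identity keys and prekeys."""
    return {
        "zero_identity_keys": find_zero_keys(records, "identity_key"),
        "identity_key_collisions": find_key_collisions(records, "identity_key"),
        "prekey_collisions": find_key_collisions(records, "prekey"),
    }


if __name__ == "__main__":
    for name, finding in audit(SNAPSHOT).items():
        print(name, finding)
```

A collision on a prekey is a weaker signal than one on an identity key, since prekeys are meant to rotate; an all-zero key should be treated as a hard failure regardless of which field it appears in.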
WhatsApp Business accounts represented nearly 9 percent of exposed entries. Since these profiles often include shop names, addresses, catalogues, and automated responses, their exposure significantly amplifies social engineering risks.
Meta Responded Years Late — After Repeated Warnings
Meta acknowledged the issue in April 2025 through its bug-bounty program and deployed stricter rate limits six months later. Researchers stressed that while messages remained encrypted, WhatsApp’s enumeration logic had been flagged as early as 2017.
Despite Meta’s assurances that no malicious campaigns were detected, the report criticizes the platform for allowing such a high-impact flaw to persist for nearly eight years.
Compounding the risk, the exposed dataset overlaps heavily with past leaks, including a large 2021 incident involving 500 million Facebook-linked numbers — many of which were still active on WhatsApp during this study.
Uneven Risks for Users — With Some Groups Far More Vulnerable
The exposure has dire implications for users in restrictive regions, including China, Iran, and North Korea, where using WhatsApp may violate local laws. For such users, enumeration could enable surveillance or political targeting.
The study highlights a broader concern: global messaging apps are increasingly vulnerable when convenience features are deployed without strict guardrails. Enumeration isn’t a sophisticated attack — it is simply a consequence of WhatsApp answering a question that should never have been exposed at scale.
Cybersecurity experts advise users to review privacy settings, restrict visibility of profile details, remove sensitive “about” texts, and monitor for unusual login or verification attempts.
