TL;DR: The research highlights the trade-offs between user convenience and privacy, particularly for products with massive global audiences that rely on streamlined onboarding flows. Although Meta has responded to the findings and subsequently strengthened its controls, the researchers' ability to access private information for billions of users underscores the inherent risks of large-scale contact-discovery systems.
WhatsApp's explosive international growth has long relied on its simple sign-up and contact-discovery process. Allowing users to connect by entering a phone number provides instant access to contacts and synchronized messaging across devices – features that have helped the app achieve massive global reach.
This design, however, leaves the service vulnerable to enumeration, in which an attacker cycles through large blocks of phone numbers to determine which ones correspond to registered accounts.
In a recent study, Austrian researchers from the University of Vienna automated this process by exploiting WhatsApp's web application interface, which at the time lacked sufficient rate-limiting controls. By systematically submitting large sequences of phone numbers, their system identified more than 3.5 billion active WhatsApp accounts.
In many cases, enumeration also surfaced users' profile images and, for a substantial share, publicly visible status texts. No hacking or circumventing of protections was required – the data was accessible by default due to WhatsApp's onboarding and account-discovery design.
The researchers found that roughly 57 percent of enumerated users had profile photos, while about 29 percent had publicly visible "about" text. Their country-by-country breakdown showed significant differences in privacy settings: in the United States, 44 percent of accounts displayed profile images and 33 percent exposed non-private status text.
The percentages were even higher in countries such as India and Brazil, where WhatsApp is more culturally ubiquitous and privacy settings are less commonly adjusted. In India, 62 percent of nearly 750 million enumerated accounts displayed public images, compared with 61 percent in Brazil.
The findings reinforce long-standing privacy concerns: that even limited "public" data can enable large-scale profiling or targeting by spammers, scammers, or hostile governments. The enumeration identified millions of accounts in regions where WhatsApp is officially banned, including China and Myanmar – places where simply having the app installed has, in some cases, triggered government scrutiny or detention.

WhatsApp's lack of robust rate-limiting on its web client was central to the study's success. WhatsApp's servers processed more than 100 million of the researchers' number-verification checks per hour, a scale not previously demonstrated. The approach exploited no vulnerabilities and relied entirely on intended functionality.
Other platforms have prevented similar mass scraping through server-side throttling, but WhatsApp did not implement meaningful barriers at the time the research was conducted.
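One way a contact-discovery endpoint can apply the kind of server-side throttling described above, written as an added example for this article and not taken from the study or from WhatsApp's code: a per-client sliding-window lookup budget combined with a heuristic that flags batches consisting mostly of consecutive numbers, the signature of block scanning. The class name, thresholds and sample requests are all constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600            # look-back window for per-client lookup volume
MAX_LOOKUPS_PER_WINDOW = 5000    # ample for a real address-book sync, tiny for enumeration (assumed)
MAX_SEQUENTIAL_RATIO = 0.5       # batch dominated by consecutive numbers => block scanning (assumed)


class ContactDiscoveryGuard:
    """Hypothetical defensive check for a phone-number lookup endpoint.

    Combines a sliding-window per-client budget with an enumeration heuristic.
    Thresholds above are illustrative, not any real service's settings.
    """

    def __init__(self):
        self._events = defaultdict(deque)  # client_id -> deque of (timestamp, lookups)

    def _lookups_in_window(self, client_id, now):
        q = self._events[client_id]
        while q and now - q[0][0] >= WINDOW_SECONDS:
            q.popleft()                     # drop events older than the window
        return sum(count for _, count in q)

    @staticmethod
    def sequential_ratio(numbers):
        """Fraction of numbers whose immediate predecessor (n-1) is also in the batch."""
        if len(numbers) < 2:
            return 0.0
        present = set(numbers)
        return sum(1 for n in numbers if n - 1 in present) / len(numbers)

    def check(self, client_id, now, numbers):
        """Return (allowed, reason) for a batch of E.164 numbers given as ints."""
        used = self._lookups_in_window(client_id, now)
        if used + len(numbers) > MAX_LOOKUPS_PER_WINDOW:
            return False, "rate_limit"
        if self.sequential_ratio(numbers) > MAX_SEQUENTIAL_RATIO:
            return False, "sequential_block"
        self._events[client_id].append((now, len(numbers)))  # only accepted batches count
        return True, "ok"


def run_demo():
    guard = ContactDiscoveryGuard()
    # Constructed sample: an ordinary address-book sync of 300 scattered numbers
    address_book = [14155550100 + 37 * i for i in range(300)]
    normal = guard.check("phone-A", now=0, numbers=address_book)
    # Constructed sample: one batch of 1,000 consecutive numbers (block scanning)
    scan = guard.check("scraper-B", now=0, numbers=list(range(14155550000, 14155551000)))
    # Constructed sample: scattered lookups that dodge the heuristic still hit the volume cap
    spread = [guard.check("scraper-C", now=t * 60,
                          numbers=[14155550000 + 37 * i + t for i in range(1000)]) for t in range(6)]
    return normal, scan, spread
```

The thresholds would have to be calibrated against the real distribution of legitimate address-book sizes before deployment.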
Meta introduced stronger controls only after the researchers disclosed their findings and provided Meta with a copy of the dataset, which Meta later requested be deleted. Improved safeguards were deployed roughly six months later, leaving billions of user records potentially accessible for months or longer.
This is not the first time WhatsApp enumeration has been flagged. A similar issue was documented by a Dutch researcher in 2017, but Meta (then still Facebook) responded by emphasizing user-controlled privacy settings rather than implementing deep backend changes.
Meta's public response to the Austrian study stressed that no messages were exposed, citing WhatsApp's end-to-end encryption, and said the exposed information was "publicly available" depending on user settings. The company added that it was already improving anti-scraping systems and credited the academic research with helping validate those measures.
The researchers, however, dispute Meta's characterization, noting that they encountered no meaningful restrictions and were able to scrape the exposed data using only documented features. They argue that rate-limiting, while essential, can never fully eliminate the risk of mass harvesting.
Meanwhile, Meta is testing a username-based sign-on system, which could help reduce the likelihood of similar exposures in the future.