Cybersecurity researchers have uncovered a major flaw in WhatsApp that allowed them to access data linked to an estimated 3.5 billion accounts globally, raising fresh concerns about user privacy on the world’s most popular messaging app.
According to a report by the Daily Mail, the researchers stressed that WhatsApp messages remained fully encrypted.
However, they were still able to collect massive amounts of metadata — information that can reveal sensitive personal details without exposing message content.
The team from the University of Vienna and SBA Research discovered the issue through WhatsApp’s contact discovery feature. This tool checks a user’s phonebook to identify which contacts are registered on the platform.
By automating the process, the researchers said they were able to query more than 100 million phone numbers every hour across 245 countries.
Through those queries, they harvested publicly available data, including phone numbers, timestamps, public keys, and — for users who had not adjusted their privacy settings — profile photos and “About” descriptions.
Their analysis also allowed them to infer additional metadata such as a user’s location, device type, operating system, how old their WhatsApp account was, and how many linked devices they used.
Lead researcher Gabriel Gegenhuber said the vulnerability allowed them to send “effectively unlimited requests” to WhatsApp’s servers, creating a map of user data worldwide.
He noted that more than half of the exposed accounts had publicly visible profile photos, while nearly 30 per cent displayed “About” texts.
The researchers also spotted unusual encryption issues, including rare cases where users appeared to share the same public key — something they believe may be caused by unofficial or compromised versions of WhatsApp.
The team reported the flaw to Meta, WhatsApp’s parent company, in April 2025 through the company’s bug bounty program.
By October 2025, Meta had tightened rate limits to prevent the type of mass data harvesting the researchers conducted.
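The mitigation described above, tighter rate limits on contact discovery, can be illustrated with a small server-side quota. This is an added example, not Meta's or WhatsApp's code: a per-client sliding-window cap on distinct numbers checked per hour, with a throttle log a detection team could review. The client ids, phone numbers and registry are constructed placeholders.

```python
from collections import defaultdict


class ContactDiscoveryLimiter:
    """Per-client sliding-window quota on distinct phone numbers checked
    against the registry. Re-checking the same phonebook costs nothing,
    while a client sweeping fresh numbers exhausts the quota quickly."""

    def __init__(self, max_lookups, window_seconds=3600):
        self.max_lookups = max_lookups
        self.window = window_seconds
        self._seen = defaultdict(dict)   # client_id -> {number: last_seen}
        self._throttle_log = []          # (time, client_id, count) audit trail

    def _active(self, client_id, now):
        """Drop numbers whose last lookup fell out of the window."""
        seen = self._seen[client_id]
        for number in [n for n, t in seen.items() if now - t >= self.window]:
            del seen[number]
        return seen

    def lookup(self, client_id, numbers, now, registry):
        """Return {number: is_registered} for numbers within quota; the rest
        are listed under 'throttled' and recorded for review."""
        seen = self._active(client_id, now)
        results, throttled = {}, []
        for number in numbers:
            if number in seen or len(seen) < self.max_lookups:
                seen[number] = now
                results[number] = number in registry
            else:
                throttled.append(number)
        if throttled:
            self._throttle_log.append((now, client_id, len(throttled)))
        return {"results": results, "throttled": throttled}

    def flagged_clients(self, min_events=1):
        """Clients throttled at least min_events times: enumeration candidates."""
        counts = defaultdict(int)
        for _, client_id, _ in self._throttle_log:
            counts[client_id] += 1
        return sorted(c for c, n in counts.items() if n >= min_events)


if __name__ == "__main__":
    # Constructed sample data: a tiny registry and one client sweeping numbers.
    registry = {"+15550000001", "+15550000003"}
    limiter = ContactDiscoveryLimiter(max_lookups=5)
    sweep = [f"+1555000000{i}" for i in range(1, 8)]
    print(limiter.lookup("client-a", sweep, now=0, registry=registry))
    print(limiter.flagged_clients())
```

The quota counts distinct numbers rather than requests, so a legitimate client re-syncing its own phonebook is unaffected while a sweep through fresh numbers is cut off and logged.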
In a statement, Meta thanked the researchers and confirmed that the collected data had been deleted.
The company also insisted there was “no evidence of malicious actors abusing this vector” and emphasised that user messages remained secure thanks to WhatsApp’s end-to-end encryption.
Still, the researchers warned that the incident highlights a bigger structural problem: relying solely on phone numbers to identify users on such a massive platform carries inherent risks.
Cybersecurity experts echoed the concern, saying that even convenience-driven tools like phonebook syncing can become vulnerable when used at scale.
The Daily Mail added that the researchers found half of the phone numbers leaked in Facebook’s major 2021 data breach were still active on WhatsApp, further underscoring long-term privacy challenges.
WhatsApp remains the world’s most widely used messaging platform, with more than three billion users globally and an estimated 2.5 to 2.78 billion monthly active users — representing more than half of all messaging app users worldwide.
