
WhatsApp: Researchers create phone book with all 3.5 billion users

WhatsApp census. (Symbolic image, source: Nano Banana Pro)
Researchers from Vienna have discovered a massive security vulnerability in WhatsApp, enabling them to identify 3.5 billion users. The lack of query limits allowed for the large-scale collection of usernames, profile pictures and status messages.

Security researchers from the University of Vienna and SBA Research have provided a disturbing demonstration of the possibilities for data collection on WhatsApp. The team managed to unmask all 3.5 billion users using the messenger's contact discovery feature. This feature is actually intended to check contacts from your own address book.

The researchers exploited a massive security vulnerability, which has since been closed. They discovered that the interface did not have sufficient rate limits for queries. In theory, this allowed them to look up 100 million phone numbers per hour. They simply queried complete phone number ranges. The study was ultimately published on GitHub, and the scientists will present further results and detailed analyses at the Network and Distributed System Security (NDSS) Symposium, which will take place in San Diego from February 23 to 27, 2026.

This study yielded an enormous database of approximately 3.5 billion active WhatsApp accounts worldwide. WhatsApp's API (application programming interface) provided publicly available metadata as soon as a number was identified as registered. This included profile pictures, status updates and information about when a user was last online. Technical details could also be gleaned, such as the distribution of operating systems. For example, the data shows that around 81% of users worldwide use Android, while iOS accounts for around 19%.

The researchers also compared this data with the massive Facebook data leak from 2021. 58% of the numbers leaked at that time are still active today. This illustrates just how valuable such massive datasets can remain, even years later. Even in countries with strict internet censorship and WhatsApp blocks, millions of active users were identified. 2,333,519 accounts with Chinese phone numbers were identified. Even in North Korea, at least five phone numbers were linked to a WhatsApp account.

Meta was informed of the vulnerability and has since responded by implementing strict rate limits, so mass queries at this speed should no longer be possible. While the company stated there is no evidence of third-party exploitation of the vulnerability, a complete review of such attempts in the past is technically almost impossible. The method itself is known in security circles, which is why previous, undetected use by other actors is at least a possibility.
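The following is an added example, not code from the article, the study or Meta: a server-side guard for a contact-discovery endpoint that combines a per-client budget of distinct numbers per time window with a check for long runs of consecutive numbers, the pattern that separates sweeping a number range from syncing an address book. The class name, thresholds and sample numbers are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

class DiscoveryGuard:
    """Per-client limits for a contact-discovery endpoint (hypothetical design)."""

    def __init__(self, max_lookups=500, window_s=3600, max_run=20):
        self.max_lookups = max_lookups  # distinct numbers per window (assumed value)
        self.window_s = window_s        # window length in seconds (assumed value)
        self.max_run = max_run          # longest consecutive run tolerated (assumed)
        self.history = defaultdict(deque)  # client_id -> deque of (time, number)

    @staticmethod
    def longest_run(numbers):
        """Length of the longest run of consecutive integers in `numbers`."""
        nums, best = set(numbers), 0
        for n in nums:
            if n - 1 not in nums:  # n is the start of a run
                length = 1
                while n + length in nums:
                    length += 1
                best = max(best, length)
        return best

    def check(self, client_id, numbers, now):
        """Classify one lookup batch as 'allow', 'throttle' or 'flag'."""
        hist = self.history[client_id]
        while hist and hist[0][0] <= now - self.window_s:
            hist.popleft()  # forget lookups older than the window
        seen = {n for _, n in hist}
        new = set(numbers) - seen  # repeat lookups of known contacts are free
        if len(seen) + len(new) > self.max_lookups:
            return "throttle"  # budget exhausted: batch is rejected, not recorded
        hist.extend((now, n) for n in new)
        if self.longest_run(seen | new) > self.max_run:
            return "flag"  # dense range sweep, unlike a real address book
        return "allow"

if __name__ == "__main__":
    guard = DiscoveryGuard(max_lookups=100)
    # Constructed sample input: numbers as E.164 digits without the leading "+".
    address_book = [436641234567, 4915112345678, 12025550123, 447700900123]
    sweep = range(436760000000, 436760000030)  # 30 consecutive numbers
    print(guard.check("phone-a", address_book, now=0))
    print(guard.check("client-b", sweep, now=0))
```
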

Furthermore, a technical detail provides insights into WhatsApp's shadowy world. Under normal operation, each installation of the app generates a unique cryptographic key pair, which forms the basis for end-to-end encryption and ensures the device's identity. However, the researchers discovered clusters of phone numbers using the same public key, something that should be technically impossible when using the official app on physical devices. This key reuse strongly suggests the use of unofficial software. Such tools are frequently used in "click farms" or for marketing bots, where operators copy identical security identities to many different accounts, either for efficiency reasons or due to faulty implementation. This not only exposes fake accounts but also demonstrates that these unofficial clients can massively undermine the messenger's security architecture.

Marc Herter, 2026-01-13 (Update: 2026-01-13)