Researchers reveal WhatsApp enumeration flaw affecting 3.5 billion potential accounts

Researchers from the University of Vienna recently disclosed a technique that let them enumerate 3.5 billion WhatsApp accounts across 245 countries. They generated candidate phone numbers in bulk and checked them against WhatsApp's servers at rates exceeding 100 million numbers per hour; the rate limits one would expect on such an interface never blocked the queries.

For each confirmed account they collected metadata such as timestamps and public encryption keys, from which they could infer account age, operating system, and the number of linked devices. Profile photos and "about" text were also visible where users had set them to be accessible to everyone. No messages or contacts were exposed.

Meta clarified that the researchers did not obtain 3.5 billion real numbers; they identified which of the generated numbers matched active WhatsApp accounts. The study also showed that nearly half of the numbers from the 2021 Facebook leak remained active on WhatsApp. Meta reported no evidence of malicious use, confirmed that the researchers deleted all collected data, and said server-side mitigations began rolling out in September 2025, with further protections added in October. If that is not reassurance enough, you can always check our catalog of safer WhatsApp alternatives such as Signal, Wire or Threema.
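The article describes the attack (bulk lookups of generated numbers at a rate no limiter stopped) and the fix only as "server-side mitigations". The following is an added example, not WhatsApp's or Meta's code, of the kind of check a contact-discovery endpoint can apply: a per-client sliding-window volume limit plus a miss-ratio heuristic, on the reasoning that a real address-book sync mostly looks up numbers the user actually knows, whereas an enumerator of generated numbers mostly hits unregistered ones. The log format, the thresholds, the client identifiers and the set of "registered" numbers are all assumptions constructed for the example.

```python
"""Detecting bulk enumeration against a contact-discovery lookup endpoint.

Added illustration; not Meta's implementation. Every number, client id and
threshold below is constructed for the example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class ClientState:
    """Per-client counters for the sliding window and the hit/miss ratio."""
    recent: deque = field(default_factory=deque)  # timestamps inside the window
    registered_hits: int = 0
    misses: int = 0


class EnumerationDetector:
    """Two hypothetical server-side signals for a number-lookup endpoint:

    1. volume: more than `max_per_window` lookups within `window_seconds`
    2. miss ratio: once a client has made `min_sample` lookups, a share of
       unregistered numbers above `max_miss_ratio` is atypical for a genuine
       address-book sync and typical for scanning a generated number space.
    """

    def __init__(self, window_seconds=3600, max_per_window=2000,
                 min_sample=200, max_miss_ratio=0.5):
        self.window_seconds = window_seconds
        self.max_per_window = max_per_window
        self.min_sample = min_sample
        self.max_miss_ratio = max_miss_ratio
        self.clients = defaultdict(ClientState)

    def observe(self, ts, client_id, number_is_registered):
        """Record one lookup; return 'ok', 'rate_limited' or 'flagged_enumeration'."""
        st = self.clients[client_id]
        st.recent.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while st.recent and st.recent[0] < ts - self.window_seconds:
            st.recent.popleft()
        if number_is_registered:
            st.registered_hits += 1
        else:
            st.misses += 1

        if len(st.recent) > self.max_per_window:
            return "rate_limited"
        total = st.registered_hits + st.misses
        if total >= self.min_sample and st.misses / total > self.max_miss_ratio:
            return "flagged_enumeration"
        return "ok"


def build_registered_numbers():
    """Constructed directory: every tenth number of a 100,000-number block is registered."""
    return {f"+43650{n:06d}" for n in range(0, 100_000, 10)}


def constructed_log():
    """Constructed query log: one address-book sync and one sequential scanner."""
    log = []
    # Legitimate client: 300 contacts uploaded in one burst, 4 of 5 registered.
    for i in range(300):
        n = i * 10 if i % 5 != 0 else i * 10 + 1   # +1 makes it unregistered
        log.append((1000.0 + i * 0.01, "phone-A", f"+43650{n:06d}"))
    # Scanner: 5,000 consecutive numbers in ten minutes (about 30,000 per hour).
    for i in range(5000):
        log.append((1000.0 + i * 0.12, "scanner-B", f"+43650{i:06d}"))
    log.sort()  # replay in timestamp order
    return log


def run_constructed_scenario():
    """Replay the constructed log; report the first alert and final verdict per client."""
    registered = build_registered_numbers()
    det = EnumerationDetector()
    seen = defaultdict(int)
    first_alert, final = {}, {}
    for ts, client, number in constructed_log():
        verdict = det.observe(ts, client, number in registered)
        seen[client] += 1
        final[client] = verdict
        if verdict != "ok" and client not in first_alert:
            first_alert[client] = (verdict, seen[client])
    return {"first_alert": first_alert, "final": final}


if __name__ == "__main__":
    print(run_constructed_scenario())
```

In the constructed replay the scanner is flagged on its 200th lookup (90% of its numbers are unregistered) and rate-limited once it exceeds 2,000 lookups in the hour, while the address-book sync stays "ok". The thresholds are placeholders: a real deployment would tune them against observed sync sizes, and the miss-ratio signal alone will misfire on users whose contacts are mostly off-platform, so it is a reason to throttle or challenge, not to ban.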

by Mauricio B. Holguin

Comments

Breat
0

WhatsApp = Meta, so Facebook, so by default the tool is a vulnerability/flaw.

nns
0

Stallman was right yet again: proprietary software comes with vulnerabilities that everyone except its developers is banned from understanding. They will patch the software only when it's too late (e.g. Discord last month). This ban is enforced by DMCA Section 1201, which criminalizes the ability to study and change the program as the end users wish, directly attacking software freedom and accountability.

Security by obscurity is always an illusion. With Freedom 1, researchers can find and fix vulnerabilities faster, something that the DMCA forbade.

Freedom-respecting WhatsApp "alternatives" (sic) here.

2 replies
city_zen

Only 14 links in the comment? You can do better 😁

benjamina1984

That's cool and all, but good luck making everyone switch to SimpleX Chat, or even install it, because in reality nobody they know uses it.
