Researchers discover security vulnerability in WhatsApp

IT-security researchers from the University of Vienna and SBA Research identified and responsibly disclosed a massive privacy weakness in WhatsApp’s contact search mechanism, which allowed the enumeration of 3.5 billion accounts. In collaboration with the researchers, Meta has since addressed and mitigated the problem. The study underscores the importance of continued, independent security research on widely used communications platforms and highlights the risks associated with the centralization of instant messaging services. A preprint of the study has now been published, and the results will be presented at the Network and Distributed Systems Security (NDSS) Symposium in 2026.

WhatsApp’s contact search mechanism can use a user’s address book to find other WhatsApp users by their phone number. Using the same underlying mechanism, the researchers demonstrated that it is possible to query over 100 million phone numbers per hour through WhatsApp’s infrastructure, confirming over 3.5 billion active accounts in 245 countries. “Normally, a system should not respond to such a high number of requests in such a short time – especially when originating from a single source,” explains lead author Gabriel Gegenhuber of the University of Vienna. “This behavior exposed an underlying flaw, which allowed us to issue effectively an unlimited number of requests to the server and, in doing so, map user data around the world.”

The data items accessible in the study are those visible to anyone who knows the user’s phone number: the phone number itself, the public key, a timestamp, and, if set to public, the “about” text and profile picture. From these data points the researchers could derive additional information, such as an estimate of the user’s operating system, the age of the account, and the number of companion devices linked to it. The study shows that even this limited amount of data per user can reveal important information at both the macro and the individual level.

The study also revealed several broad insights:

  • Millions of active WhatsApp accounts were identified in countries where the platform was officially banned, including China, Iran and Myanmar.
  • Population-level insights into platform usage, such as the global distribution of Android (81%) versus iOS (19%) devices, regional differences in privacy behavior (for example, use of public profile pictures or “About” taglines), and variations in user growth in different countries.
  • Some cases showed reuse of cryptographic keys on different devices or phone numbers, pointing to potential vulnerabilities or fraudulent use in non-official WhatsApp clients.
  • Of all the phone numbers exposed in the 2021 Facebook data leak of 500 million phone numbers (the result of a scraping incident in 2018), nearly half were still active on WhatsApp. This highlights the lasting risks associated with such exposure (for example, being targeted by scam calls).

The study did not involve access to message content, and no personal data was published or shared. All retrieved data were deleted by the researchers prior to publication. Message content on WhatsApp is end-to-end encrypted and was not affected at any time. “This end-to-end encryption protects the content of the messages, but not necessarily the associated metadata,” explains last author Aljosha Judmayer of the University of Vienna. “Our work shows that privacy risks can also arise when such metadata is collected and analyzed on a large scale.”

“These findings remind us that even mature, widely trusted systems can have design or implementation flaws that can have real-world consequences,” says lead author Gabriel Gegenhuber of the University of Vienna.

“Based on our previous findings on delivery receipts and key management, we are contributing to a long-term understanding of how messaging systems evolve and where new risks arise,” says co-author Maximilian Günther from the University of Vienna.

“We are grateful to the researchers at the University of Vienna for their responsible partnership and diligence under our bug bounty program. This collaboration successfully identified a novel computation technique that exceeded our intended limitations, allowing researchers to scrape basic publicly available information. We were already working on industry-leading anti-scraping systems, and this study was helpful in stress-testing and confirming the immediate efficacy of these new defenses. Importantly, as part of the study, the researchers have securely deleted the data collected, and we have found no evidence of malicious actors abusing this vector. As a reminder, user messages remained private and secure due to WhatsApp’s default end-to-end encryption, and no non-public data was accessible to researchers,” says Nitin Gupta, vice president of engineering at WhatsApp.

Ethical conduct and disclosure

The research was conducted in accordance with strict ethical guidelines and responsible disclosure principles. The findings were immediately reported to WhatsApp’s operator Meta, which has implemented countermeasures (e.g., rate-limiting, strict profile information visibility) to close the identified vulnerabilities. The authors argue that transparency, academic scrutiny, and independent testing are essential to maintaining trust in global communications services. They emphasize that active collaboration between researchers and industry can significantly improve user privacy and prevent abuses.
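Rate limiting of the kind mentioned above only works if it counts the phone numbers looked up rather than the requests, because a single contact-sync request can carry an entire address book. The following Python sketch is an added illustration, not WhatsApp’s or the authors’ code; the class name, quota size and window length are assumed values.

```python
"""Sliding-window quota for contact-discovery lookups that counts numbers,
not requests. Added illustration; the quota size and window are assumptions."""
from collections import deque


class ContactLookupQuota:
    """Per-source quota: at most `max_numbers` distinct numbers may be looked
    up by one source within any `window_s`-second window."""

    def __init__(self, max_numbers: int = 5000, window_s: int = 3600):
        self.max_numbers = max_numbers
        self.window_s = window_s
        # source_id -> deque of (timestamp, numbers_consumed), oldest first
        self._events: dict[str, deque] = {}

    def _prune(self, source_id: str, now: float) -> deque:
        """Drop events that have left the window and return the live queue."""
        q = self._events.setdefault(source_id, deque())
        while q and now - q[0][0] >= self.window_s:
            q.popleft()
        return q

    def used(self, source_id: str, now: float) -> int:
        """Numbers this source has looked up inside the current window."""
        return sum(count for _, count in self._prune(source_id, now))

    def check(self, source_id: str, numbers: list[str], now: float):
        """Admit or reject a whole batch. Returns (allowed, reason).

        A batch is accepted or rejected as a unit and a rejected batch does
        not consume quota, so oversizing a request yields no partial answer
        and cannot be used to probe the limit."""
        distinct = len(set(numbers))
        if distinct == 0:
            return False, "empty batch"
        used = self.used(source_id, now)
        if used + distinct > self.max_numbers:
            return False, (f"quota exceeded: {used}+{distinct} > "
                           f"{self.max_numbers} per {self.window_s}s")
        self._events[source_id].append((now, distinct))
        return True, "ok"
```

Production deployments would also want the quota state shared across servers and an alert when a source hits the ceiling repeatedly.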

Research context

The publication represents the third study by researchers at the University of Vienna and SBA Research examining the security and privacy of popular instant messengers such as WhatsApp and Signal. The team investigates how design and implementation choices in end-to-end encrypted messaging services can inadvertently expose user information or weaken privacy guarantees.

Earlier this year, the researchers published “Careless Whispers: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers” (awarded the Best Paper Award at RAID 2025), which demonstrated how silent pings and their delivery receipts can be misused to infer user activity patterns and online behavior on WhatsApp and similar messaging platforms. Later the same year, “Prekey Pogo: Investigating Security and Privacy Issues in WhatsApp’s Handshake Mechanism” (presented at USENIX WOOT 2025) analyzed the cryptographic foundations of WhatsApp’s prekey distribution mechanism, revealing implementation weaknesses in the Signal-based protocol.

The current study, “Hey There! You’re Using WhatsApp: Enumeration of Three Billion Accounts for Security and Privacy”, extends this line of research to a global scope, showing how contact search mechanisms can inadvertently allow large-scale user enumeration at unprecedented magnitudes. It will appear in the proceedings of the NDSS Symposium 2026, one of the leading international conferences on computer and network security.

Publication: Gabriel K. Gegenhuber, Philipp E. Frenzel, Maximilian Günther, Johanna Ulrich, and Aljosha Judmayer: Hey There! You’re Using WhatsApp: Enumeration of Three Billion Accounts for Security and Privacy. In: Network and Distributed Systems Security Symposium (NDSS), 2026. A preprint is available.
