Austrian researchers expose WhatsApp loophole enabling mass scraping of 3.5 billion phone numbers

Austrian researchers say they have uncovered a serious issue in WhatsApp: the service effectively allowed anyone to harvest the phone numbers of its entire 3.5 billion user base. And it didn’t require breaking in—simple, mechanical number checks through the web version were enough.

WhatsApp is built so that finding a contact takes nothing more than entering a phone number. The system immediately indicates whether the person is registered and shows any public profile details. The researchers took that everyday lookup and scaled it up, automating the process to test millions of numbers per hour.

In their experiment, they were able to collect the numbers of all users and also access profile photos for roughly 57% of accounts, along with text status messages for about 29% of users—essentially everything people had left open to the public.

The issue lingered for years: warnings about a similar vulnerability reached the developers back in 2017, yet rate limiting was introduced only in October 2025, leaving users potentially exposed in the interim. For a platform of this scale, the fix arrived conspicuously late.
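As an added illustration of the rate limiting mentioned above (not WhatsApp's implementation, which the article does not describe), the sketch below caps how many distinct numbers one client may look up per time window, so that re-syncing an existing address book stays cheap while walking a number range is refused. The class name, thresholds, client labels and sample traffic are all assumptions made for this example.

```python
from collections import defaultdict, deque


class LookupBudget:
    """Sliding-window cap on the *distinct* numbers a client may look up."""

    def __init__(self, max_distinct=200, window_s=3600):
        self.max_distinct = max_distinct
        self.window_s = window_s
        self._events = defaultdict(deque)  # client -> deque of (ts, number)
        self._counts = defaultdict(dict)   # client -> {number: hits in window}

    def _expire(self, client, now):
        # Drop lookups that have aged out of the window.
        events, counts = self._events[client], self._counts[client]
        while events and now - events[0][0] >= self.window_s:
            _, number = events.popleft()
            counts[number] -= 1
            if counts[number] == 0:
                del counts[number]

    def allow(self, client, number, now):
        """Return True if the lookup may proceed, False if it is refused."""
        self._expire(client, now)
        counts = self._counts[client]
        if number not in counts and len(counts) >= self.max_distinct:
            return False  # a new number, but the distinct budget is spent
        self._events[client].append((now, number))
        counts[number] = counts.get(number, 0) + 1
        return True


def replay(log, budget):
    """Replay (ts, client, number) records; return refusals per client."""
    refused = defaultdict(int)
    for ts, client, number in log:
        if not budget.allow(client, number, ts):
            refused[client] += 1
    return dict(refused)


def sample_log():
    """Constructed traffic (not real data): one client re-syncing 20
    contacts, one client walking 600 consecutive numbers."""
    log = []
    for t in range(600):
        log.append((t, "sync-client", f"+43000000{t % 20:04d}"))
        log.append((t, "walker", f"+43000001{t:04d}"))
    return log


if __name__ == "__main__":
    print(replay(sample_log(), LookupBudget(max_distinct=200, window_s=3600)))
```

Counting distinct numbers rather than raw requests is the design choice that matters here: the address-book client issues as many requests as the range walker but never touches the budget.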

The developers maintained that the data involved amounted to basic public information, visible only to the extent users chose to make it public. They also said they found no evidence of deliberate misuse of the weakness and that the researchers did not access any private data.