A team from the University of Vienna found they could use WhatsApp’s “add contact” feature to check tens of millions of numbers per hour, harvesting roughly 3.5 billion identities including numbers, profile photos and status text.
The method bypassed neither the end-to-end encryption nor any backend access control; it simply exploited the absence of effective rate limiting on the phone-number lookup that contact discovery relies on, so a single party could submit lookups at scraping volume and read the results for each number.
Meta’s Response and Remaining Risk
Meta stated that it had already been working on anti-scraping tools and described the exposed data as “publicly available information.” It said the issue was fixed by introducing stricter query limits on the number-checking features.
However, the researchers note that the vendor acted only after being alerted, that the weakness dated back to 2017, and that if malicious actors had used the same technique the resulting exposure would have been among the largest in digital-privacy history.
WhatsApp is used by over two billion people worldwide, including in regions with weak digital-privacy regulation and enforcement. A bulk enumeration of its user base yields a ready-made target list for spam, phishing, impersonation or worse.
Even though message content remained encrypted and unaffected, the exposure of metadata (numbers, photos, statuses) erodes a key layer of user anonymity and may feed downstream threats across identity and security ecosystems.
Lessons and Future Considerations
This incident shows that even mainstream, end-to-end encrypted platforms can leak large volumes of user data through ancillary features.
Relying on phone numbers as the primary identifier, especially without controls on query rate, looks increasingly unsuited to a service at global scale: the identifier space is small, structured and guessable, so any lookup that confirms an account doubles as an enumeration oracle.
The move by Meta to limit number-lookup queries may reduce mass-harvest risk, but experts say deep structural change, such as user-name systems or token-based discovery, is likely required for long-term protection.
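As an added illustration of the mechanism described at the top of the article (an unthrottled account-lookup oracle swept across a number range) and of the mitigation discussed in this section (a per-client lookup budget, plus server-side detection of enumeration behaviour), the Python below simulates a contact-discovery endpoint with and without a sliding-window limit. This is example code written for this page, not code from the University of Vienna team, WhatsApp or Meta; the number range, client IDs, the registered-user directory, the 1,000-lookup budget and the detection threshold are all constructed for the demo, and nothing here reflects WhatsApp's actual API, limits or logging.

```python
"""Added example: contact-discovery oracle with and without rate limiting,
plus a log-based enumeration detector.  All data is constructed."""
import time
from collections import defaultdict, deque

# Constructed directory of "registered" accounts: every tenth number in a
# hypothetical +43660 block.  A real directory would hold billions of entries.
REGISTERED = {f"+43660{n:07d}" for n in range(0, 20_000, 10)}


class LookupService:
    """Contact-discovery oracle: returns which submitted numbers have an account.

    max_lookups_per_window=None reproduces the unthrottled behaviour the article
    describes; otherwise each client gets a sliding-window budget (assumed design)."""

    def __init__(self, max_lookups_per_window=None, window_seconds=3600.0,
                 clock=time.monotonic):
        self.max = max_lookups_per_window
        self.window = window_seconds
        self.clock = clock
        self.history = defaultdict(deque)   # client_id -> timestamps of lookups
        self.log = []                       # (ts, client_id, number, hit) for detection

    def lookup(self, client_id, numbers):
        now = self.clock()
        q = self.history[client_id]
        while q and now - q[0] >= self.window:      # drop lookups outside the window
            q.popleft()
        # The check the article says was missing: refuse the batch once the
        # client's budget for this window would be exceeded.
        if self.max is not None and len(q) + len(numbers) > self.max:
            raise PermissionError("lookup budget exceeded for this window")
        found = []
        for num in numbers:
            q.append(now)
            hit = num in REGISTERED
            self.log.append((now, client_id, num, hit))
            if hit:
                found.append(num)
        return found


def enumerate_block(service, client_id, prefix="+43660", start=0,
                    count=20_000, batch=500):
    """Sweep a number range through the oracle in batches, as an enumerator
    would.  Returns (confirmed accounts, lookups accepted before throttling)."""
    confirmed, sent = set(), 0
    for base in range(start, start + count, batch):
        nums = [f"{prefix}{n:07d}" for n in range(base, min(base + batch, start + count))]
        try:
            confirmed.update(service.lookup(client_id, nums))
        except PermissionError:
            break                       # throttled: the sweep stops here
        sent += len(nums)
    return confirmed, sent


def flag_enumerators(log, distinct_threshold=1000):
    """Server-side detection over the lookup log: a client that queries far
    more distinct numbers than a plausible address book contains is flagged.
    (Threshold is hypothetical; a production detector would also scope the
    count to a time window and look at hit ratio and sequential patterns.)"""
    by_client = defaultdict(set)
    for _ts, client, num, _hit in log:
        by_client[client].add(num)
    return {c for c, nums in by_client.items() if len(nums) >= distinct_threshold}


def demo():
    """Run the sweep against both variants and the detector over the open log."""
    open_svc = LookupService()                            # no limit
    got_open, sent_open = enumerate_block(open_svc, "scraper")
    # A genuine client syncing a constructed 40-entry address book.
    open_svc.lookup("alice", [f"+43660{n:07d}" for n in range(0, 400, 10)])
    limited = LookupService(max_lookups_per_window=1000)  # assumed per-client hourly budget
    got_lim, sent_lim = enumerate_block(limited, "scraper")
    return {
        "open_found": len(got_open), "open_sent": sent_open,
        "limited_found": len(got_lim), "limited_sent": sent_lim,
        "flagged_open": flag_enumerators(open_svc.log),
    }


if __name__ == "__main__":
    print(demo())
```

Against the unthrottled oracle the sweep confirms all 2,000 seeded accounts with 20,000 lookups; with a 1,000-lookup budget the same client gets through two batches and is cut off with 100 confirmed, and the log-based detector flags only the scraper, not the address-book sync. The limit alone only slows a single client, which is why the detector and the per-client identity behind the budget matter as much as the number itself.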
Final Words
The WhatsApp exposure leaves open questions about how widely the flaw may have been exploited before researchers reported it. Privacy regulators are expected to assess whether Meta’s response aligns with emerging data-protection standards, particularly in regions where WhatsApp is a primary communication channel.
Security analysts say the episode will likely influence how major messaging platforms design contact-discovery features going forward, with greater attention on rate-limits, metadata protection and alternative identity systems.
For users, the long-term concern is whether large-scale enumeration weaknesses remain hidden in other platforms that rely on phone numbers as universal identifiers.
The full impact of the weakness will become clearer as researchers continue to examine related data-harvesting campaigns and as Meta provides further detail on the safeguards it has put in place.
