Using phone numbers generated with a custom tool built on Google’s libphonenumber system, the research team was able to query account details at an astonishing rate—more than 100 million accounts per hour. They reported exceeding 7,000 automated lookups per second without facing IP bans or meaningful rate-limiting measures. Their findings indicate that WhatsApp’s registered user base is larger than previously disclosed, contradicting the platform’s statement that it serves “over two billion” users globally.
The scraped records included phone numbers, account names, profile photos, and, in some cases, personal text attached to accounts. Over half of the identified users had public profile images, and a substantial portion contained identifiable human faces. About 29 percent included text descriptions, which researchers noted could reveal sensitive personal information such as sexuality, political affiliation, drug use, professional identities, or links to other platforms—including LinkedIn and dating apps.
The study also revealed that millions of accounts belonged to phone numbers registered in countries where WhatsApp is restricted or banned, including China, Myanmar, and North Korea. Researchers warn that such exposure could put users in those regions at risk of government monitoring, penalties, or arrest.
Beyond state-level dangers, experts stress that the harvested dataset could be misused by cybercriminals conducting targeted phishing campaigns, fraudulent messaging schemes, robocalling, and identity-based scams. The team emphasized that the persistence of phone numbers poses an ongoing risk: half of the numbers leaked during Facebook’s large-scale 2021 data scraping incident were still active in WhatsApp’s ecosystem.
Meta confirmed receiving the researchers’ disclosure through its bug bounty process. The company stated that it has since deployed updated anti-scraping defenses and thanked the researchers for responsibly deleting collected data. According to WhatsApp engineering leadership, the vulnerability did not expose private messages or encrypted content.
The researchers validated Meta’s claim, noting that the original enumeration method is now blocked. However, they highlighted that verifying security completeness remains difficult and emphasized the nearly year-long delay between initial reporting and effective remediation.
Whether this incident triggers systemic scrutiny or remains an isolated cautionary case, it underscores a critical reality: even services built around encryption can expose sensitive user metadata, creating new avenues for surveillance and exploitation.
