PC Gamer
Jeremy Laird

Researchers have scraped the personal data and images of 3.5 billion WhatsApp users in what's claimed to be the 'largest data leak in history'


A new research paper is boldly claiming to have scraped the personal data of 3.5 billion WhatsApp users. The researchers from the University of Vienna (via The Register) say that the data acquired would, "to our knowledge, classify as the largest data leak in history, had it not been collated as part of a responsibly-conducted research study." But this "leak" may not quite be what it seems.

The researchers claim to have scraped phone numbers, timestamps, "about" text, profile pictures, and public keys for E2EE encryption, the release of which, "would entail adverse implications to the included users."

So, what exactly is going on here and if you use WhatsApp do you need to be worried? This research relies on the fact that WhatsApp allows some user details to be acquired by inputting phone numbers. That includes the profile photos already mentioned. However, the key point is that users can opt to keep most of that data and profile images either entirely private or restricted to known contacts.

Perhaps the only real surprise here is that the WhatsApp platform does not implement any explicit rate limits for querying phone numbers (at least it didn't before this research was conducted, more on which in a moment). The consequence is that the Austrian research team was able to achieve a 100 million-per-hour user query rate and, "confirm 3.5 billion phone numbers registered on WhatsApp (exceeding the 'more than 2 billion people' officially stated by WhatsApp)."

As an interesting side note, the research revealed that 57% of WhatsApp numbers had freely accessible profile photos, of which two thirds contain detectable human faces. The researchers claim this can be used to build a reverse phonebook based on user images.

Anywho, the main question here is whether this really represents a data breach. In the simplest terms, the researchers were merely using the platform as intended by its owner, Meta. WhatsApp explicitly allows users to input phone numbers to check for WhatsApp accounts and, as already discussed, the data in question can be removed or restricted by users.

The research also collated data ranking countries by user count, Android versus iOS users and more. (Image credit: University of Vienna, Faculty of Computer Science, UniVie Doctoral School Computer Science, SBA Research)

For what it's worth, Meta has responded to the research with a series of mitigations. "In this study, academic researchers generated a list of phone numbers, checked if they are registered on WhatsApp and compiled basic public information that people have made available to “everyone” in a novel manner that exceeded our intended limits. We have rolled out new mitigations, including some of our industry’s leading anti-scraping systems we’d been already working on prior to this study. We’re grateful to the researchers for their collaboration on mitigation testing and hardening our defenses as a result," Meta said.

As to the specifics, there is now a phone number query rate limit for individual user accounts, though this does not apply to WhatsApp business accounts, "to help businesses be recognized and build trust with their customers on WhatsApp." Retrieving profile pictures also no longer returns a timestamp of when the image was last updated.

A "corner case" on Android clients related to logouts and phone number changes, which led to the omission of fresh key generation during subsequent account setups, has likewise been addressed.

As for what the average user might conclude from all this, well, probably what you already knew. If you don't want your profile image and other details to be searchable on WhatsApp, make them private.
