WhatsApp fixes a vulnerability that exposed phone numbers and profiles

  • A flaw in WhatsApp allowed 3.5 billion accounts to be enumerated through the contact discovery feature.
  • Public metadata such as profile pictures, "About" text, operating system, and account age were accessed.
  • Meta implemented anti-scraping limits and defenses following responsible notification, and there is no evidence of malicious abuse.
  • Risks in Spain and the EU: spam, phishing, and surveillance. Review your privacy settings and limit your profile visibility.

WhatsApp privacy vulnerability

The world's most popular messaging ecosystem has suffered a setback: a vulnerability in WhatsApp's contact discovery system allowed automated verification of which phone numbers had active accounts, affecting 3.5 billion records across 245 countries.

Although end-to-end encryption was not compromised, the finding demonstrates how metadata can reveal more than meets the eye. The parent company, Meta, introduced countermeasures and tightened its rate limiting after being alerted by the research team.

What exactly happened?

A group of researchers from the University of Vienna and the Vienna University of Technology tested the contact discovery function by submitting massive sets of automatically generated numbers to the WhatsApp API, confirming registered accounts at a rate of up to 7,000 queries per second per session.

The tests were conducted from a single IP address with five accounts and triggered no automatic blocking, which allowed the researchers to compile a global census of users that exceeded the figures the service had historically reported in public.

In addition to the binary check (is or is not on WhatsApp), the team used complementary interfaces to obtain non-sensitive account data, limited to information already visible, such as timestamps, the profile picture, and technical indicators of the client environment.

What information was exposed

The investigation did not access messages or private content, but it did access visible metadata linked to each number: predominant operating system, approximate account age, number of linked devices and, when the user had not restricted it, the profile picture and the text of the "About" section.

WhatsApp security and privacy

From the aggregated analysis, the researchers estimate that Europe represents around 18% of WhatsApp's user base. On the continent, Android predominates (64%) over iOS (36%), while Asia would be the largest market, with around 47% of the total.

The team also detected striking technical patterns, including cases of repeated public keys associated with unofficial clients. This does not break WhatsApp's encryption, but it does pose added risks for those who use third-party applications.

WhatsApp response and changes applied

The researchers reported the problem responsibly and collaborated with the company to implement measures. Meta strengthened its defenses against automation, applied stricter rate limits, and reviewed its controls for detecting large-scale scraping attempts.
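The enumeration described above worked because a single IP with a handful of accounts could submit lookups at high volume with no automatic blocking, and the fix was tighter rate limiting. The following sliding-window guard for a contact-discovery endpoint is an added example written for this article, not WhatsApp's or Meta's code; the thresholds, the endpoint shape and the replayed traffic are constructed assumptions.

```python
import time
from collections import defaultdict, deque

# Constructed thresholds for illustration; not WhatsApp's real limits.
MAX_NUMBERS_PER_REQUEST = 500      # cap the size of one contact-sync batch
MAX_LOOKUPS_PER_WINDOW = 5000      # per account, per window
MAX_LOOKUPS_PER_IP_WINDOW = 10000  # per source IP, per window (covers multi-account abuse)
WINDOW_SECONDS = 60.0
MAX_ACCOUNTS_PER_IP = 3            # more distinct accounts from one IP than this is suspicious


class ContactDiscoveryGuard:
    """Sliding-window limiter for a number-lookup (contact discovery) endpoint."""

    def __init__(self, now=time.monotonic):
        self._now = now                          # injectable clock for testing
        self._by_account = defaultdict(deque)    # account -> deque[(timestamp, numbers looked up)]
        self._by_ip = defaultdict(deque)         # ip -> deque[(timestamp, numbers looked up)]
        self._accounts_seen = defaultdict(set)   # ip -> set of accounts using that IP

    def _prune(self, q, now):
        while q and now - q[0][0] > WINDOW_SECONDS:
            q.popleft()                          # drop entries outside the window

    def check(self, ip, account, numbers_in_batch):
        """Return (allowed, reason); oversized batches and rate/IP anomalies are rejected."""
        now = self._now()
        if numbers_in_batch > MAX_NUMBERS_PER_REQUEST:
            return False, "batch_too_large"
        acct_q, ip_q = self._by_account[account], self._by_ip[ip]
        self._prune(acct_q, now)
        self._prune(ip_q, now)
        self._accounts_seen[ip].add(account)
        if len(self._accounts_seen[ip]) > MAX_ACCOUNTS_PER_IP:
            return False, "too_many_accounts_from_ip"
        if sum(c for _, c in acct_q) + numbers_in_batch > MAX_LOOKUPS_PER_WINDOW:
            return False, "account_rate_limit"
        if sum(c for _, c in ip_q) + numbers_in_batch > MAX_LOOKUPS_PER_IP_WINDOW:
            return False, "ip_rate_limit"
        acct_q.append((now, numbers_in_batch))   # only allowed lookups count toward the budget
        ip_q.append((now, numbers_in_batch))
        return True, "ok"


def simulate_scraper(guard, ip="198.51.100.7", accounts=5, batches=100, batch_size=400):
    """Replay a constructed enumeration run: one IP, a few accounts, many large batches."""
    return [guard.check(ip, f"acct{i % accounts}", batch_size) for i in range(batches)]
```

A real deployment would also back this with persistent state across servers and alert on the rejection reasons, since a burst of `ip_rate_limit` or `too_many_accounts_from_ip` decisions is itself a scraping signal.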

The company stated that it had observed no evidence of malicious abuse of this vector and stressed that the visible data depended on each user's privacy settings. The researchers deleted the datasets after completing the analysis.

The case adds to previous warnings about using phone numbers as the primary identifier and raises the question of whether WhatsApp is really secure. It had already been suggested in previous years that, without additional safeguards, mass enumeration could become viable.

Risks and how to protect yourself

The main threat is the use of confirmed numbers for spam, smishing, or phishing campaigns, as well as the creation of databases for commercial or surveillance purposes.

If you use WhatsApp in Spain or any other EU country, it's a good idea to strengthen your privacy settings: limit who can see your profile picture and the "About" text, review the "Last Seen" settings, hide your data from strangers, and avoid unofficial clients.

Activate two-step verification, be wary of messages asking for codes or personal information, and block unknown numbers if you suspect anything. If you encounter an impersonation attempt, report it within the app and, if necessary, file a complaint with the AEPD or a consumer organization.

Impact in Spain and Europe

In a market like Spain, where WhatsApp is ubiquitous, the ability to enumerate accounts on a large scale increases the risk of automated calls, spam lists, and targeted fraud campaigns.

For European administrations and companies, the incident reinforces the need for internal controls and compliance with the GDPR framework: minimizing data, applying "privacy by default" principles, and auditing the use of messaging channels in sensitive communications. The episode also highlights risks such as mass surveillance and the importance of clear policies.

Looking ahead, reducing reliance on phone numbers as identifiers (for example, through usernames) and extending more aggressive anti-enumeration controls can limit these types of abuses without sacrificing ease of use.

The episode offers several lessons: a user-friendly design can open the door to large-scale abuse, metadata matters (a lot), and collaboration between academia and industry accelerates corrective action. With the measures already in place, it is now up to users to adjust their privacy settings and up to institutions to demand good practices to avoid relapses.
