3.5 Billion Accounts: Complete WhatsApp Directory Retrieved and Evaluated
Vienna researchers retrieved all WhatsApp numbers. The 3.5 billion profiles represent the largest data leak in history—and it's worse than you might think.
(Image: DenPhotos/Shutterstock.com)
WhatsApp's entire member directory could be retrieved online without any protection. Austrian researchers were thus able to download every registered phone number together with further profile data, including the accounts' public keys, without encountering any obstacles. They found more than 3.5 billion accounts. Measured by the number of people affected, this is likely the largest data leak of all time. Part of the research group has dealt with WhatsApp several times before; for example, it determined what WhatsApp reveals despite encryption and discovered how an attacker can downgrade WhatsApp encryption. Nevertheless, WhatsApp operator Meta Platforms turned a deaf ear to the new findings for a year.
“Well, scientists now know a lot of phone numbers,” the responsible parties might have thought, “So what?” Repeated warnings submitted by the group from the University of Vienna and Austrian SBA Research to WhatsApp starting in September 2024 were acknowledged with confirmations of receipt but soon filed away. Only when the researchers submitted a draft of their paper twice and its uncoordinated publication was imminent did Meta wake up: a surprising amount can be read from the data, and for some users, it can be life-threatening.
First, there is information that is sensitive to Meta Platforms itself, for competitive and regulatory reasons: how many WhatsApp users there are in which country, how they are distributed across Android and iOS, how many are business accounts, what the churn rate (customer attrition) is, and where there are obvious large-scale fraud centers. And then there are several classes of data that can be anywhere from uncomfortable to life-threatening for users, even though the researchers exchanged packets only with WhatsApp's servers, never with end devices, and intercepted no content or metadata of WhatsApp communication.
Meta classifies the researchers' approach as "scraping" and points out that the data gathered has been securely deleted. "We have found no evidence of malicious actors abusing this vector" and private chats haven't been compromised, the company said in a statement provided to heise online.
"This collaboration successfully identified a novel enumeration technique that surpassed our intended limits, allowing the researchers to scrape basic publicly available information. We had already been working on industry-leading anti-scraping systems, and this study was instrumental in stress-testing and confirming the immediate efficacy of these new defenses," says Nitin Gupta, VP of Engineering at WhatsApp. "As a reminder, user messages remained private and secure thanks to WhatsApp's default end-to-end encryption, and no non-public data was accessible to the researchers."
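The defensive side of this story is a detection problem: contact discovery must answer "is this number registered?" for legitimate address-book syncs, yet the same endpoint, queried across a whole number range, yields the directory. The following is an added illustration, not WhatsApp's or Meta's code, of how a server-side analyst might separate a range sweep from normal contact syncs in request logs. The log format, client identifiers, thresholds and all sample lines are constructed for the example; three signals are combined because volume alone also trips on legitimate bulk imports.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical log format (constructed for this example, not WhatsApp's):
# <timestamp> client=<id> queried=<n1,n2,...> matched=<count registered>
LOG_RE = re.compile(
    r"client=(?P<client>\S+)\s+queried=(?P<queried>[\d,]+)\s+matched=(?P<matched>\d+)"
)


@dataclass
class ClientStats:
    queried: int = 0          # numbers submitted for discovery
    matched: int = 0          # numbers the server reported as registered
    batches: int = 0
    numbers: list = field(default_factory=list)


def parse_line(line):
    """Return (client, [numbers], matched) or None for an unparseable line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    numbers = [int(n) for n in m["queried"].split(",") if n]
    return m["client"], numbers, int(m["matched"])


def sequential_fraction(numbers):
    """Fraction of adjacent sorted pairs that differ by exactly 1.
    Real address books are scattered; a range sweep is almost all ones."""
    if len(numbers) < 2:
        return 0.0
    s = sorted(numbers)
    consecutive = sum(1 for a, b in zip(s, s[1:]) if b - a == 1)
    return consecutive / (len(s) - 1)


def aggregate(lines):
    """Per-client totals over a log window."""
    stats = defaultdict(ClientStats)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, numbers, matched = parsed
        st = stats[client]
        st.queried += len(numbers)
        st.matched += matched
        st.batches += 1
        st.numbers.extend(numbers)
    return stats


def flag_enumerators(stats, max_queried=200, min_hit_rate=0.5, max_seq=0.5):
    """Map client -> list of indicators tripped. Thresholds are illustrative."""
    flagged = {}
    for client, st in stats.items():
        hit_rate = st.matched / st.queried if st.queried else 1.0
        reasons = []
        if st.queried > max_queried:
            reasons.append("volume")
        # A sweep mostly hits unregistered numbers; a real contact list mostly hits.
        if st.queried >= 20 and hit_rate < min_hit_rate:
            reasons.append("low_hit_rate")
        if sequential_fraction(st.numbers) > max_seq:
            reasons.append("sequential_range")
        if reasons:
            flagged[client] = reasons
    return flagged


def build_constructed_log():
    """Constructed sample: one normal client, one bulk CRM import, one sweep."""
    lines = [
        "2024-09-12T10:00:01Z client=app-7f3a queried=436641234567,436699887766,"
        "436601112233,436760001234,436500098765 matched=4",
        "2024-09-12T10:05:09Z client=app-7f3a queried=436770123456,436640987654,"
        "436650555555 matched=3",
    ]
    # Legitimate bulk import: 500 scattered numbers, most of them registered.
    crm = [str(436600000000 + i * 1000) for i in range(500)]
    lines.append(f"2024-09-12T10:07:00Z client=crm-import queried={','.join(crm)} matched=420")
    # Range sweep: three batches of 100 consecutive numbers, few hits each.
    for k, start in enumerate(range(436640000000, 436640000300, 100)):
        batch = ",".join(str(n) for n in range(start, start + 100))
        lines.append(f"2024-09-12T10:1{k}:00Z client=app-e9c1 queried={batch} matched=7")
    return lines


if __name__ == "__main__":
    for client, reasons in flag_enumerators(aggregate(build_constructed_log())).items():
        print(client, reasons)
```

Run as written, the sweep client trips all three indicators, the CRM import trips only the volume one, and the ordinary client is not flagged. In practice the same logic would run per time window and per account rather than per client string, since an enumerator can spread a sweep over many throwaway accounts; the hit-rate and sequential-range signals still hold per account, which is what makes them more useful than a plain request counter.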
WhatsApp Ban Ineffective
As of December 2024, WhatsApp was banned in the People's Republic of China, Iran, Myanmar, and North Korea. Nevertheless, the researchers found 2.3 million active WhatsApp accounts in China, 60 million in Iran, 1.6 million in Myanmar, and five (5) in North Korea at that time. This handful might have been set up by the state apparatus itself, but for residents of China and Myanmar, it is highly risky if authorities get wind of illegal WhatsApp use. And this happens easily when the entire number range can be queried quickly.
The 60 million WhatsApp accounts with Iranian phone numbers corresponded statistically to two-thirds of the population. The ban was obviously not effective there, and it was lifted on Christmas Eve 2024. Three months later, there were already 67 million Iranian accounts, and the number of people using the same WhatsApp account on more than one device had increased significantly. During the ban this was apparently too risky; once WhatsApp is no longer illegal, people may well want to use it on their work computer too.
Profile Pictures and Info Field
Approximately 30 percent of users have entered something in the "Info" field of their profile, and some reveal a lot: political views, sexual or religious orientation and confessions of drug abuse are found there, as are drug dealers advertising their product range in this very field. Beyond that, the Vienna researchers found information about users' workplaces and even hyperlinks to profiles on social networks, on Tinder or on OnlyFans. Email addresses were present as well, among them some from domains such as bund.de and state.gov and various addresses in the .mil zone. This is a feast for doxxers and other attackers, but also for spammers and simple fraudsters.
In addition, WhatsApp revealed the time of the most recent change, not only of the info field but also of the profile photo, which 57 percent of all WhatsApp users worldwide have uploaded and set to be visible to everyone; US government officials are among them. For the North American country code +1, the researchers downloaded all 77 million profile pictures visible to everyone, a hefty 3.8 terabytes in total. In a random sample of half a million of these images, a facial recognition routine found a human face in two-thirds of cases. The easy accessibility of the photos would therefore have allowed the compilation of a database in which facial recognition often leads from a face to a phone number and vice versa. Even profile pictures without faces can be revealing: sometimes they show car license plates, street signs or landmarks.
Further information comes from the count of devices registered to a WhatsApp account (up to five). Because the device IDs are assigned sequentially, it can be inferred whether these additional linked devices are replaced frequently or remain stable.