
University Study Exposes Major WhatsApp Privacy Gaps


WhatsApp users should review their privacy settings following a study by researchers at the University of Vienna that revealed some settings. The team discovered a weakness in the app’s contact-discovery process that enabled them to collect user data at scale.

The researchers tested over 60 billion potential phone numbers against WhatsApp’s servers. Because the system lacked strict speed limits on these requests, the team could verify thousands of numbers per second without getting blocked. This process enabled them to harvest public profile photos, account status lines, business tags, and technical details associated with encryption keys.


This exposure poses serious risks for users in countries where WhatsApp is banned, such as China, Iran, and North Korea. The data makes it easier to identify individuals in these regions, potentially exposing them to state monitoring.

Beyond basic profile info, the study found alarming issues with the app’s security infrastructure. The team discovered millions of cases in which encryption keys—intended to be unique to each account—were reused. Some keys consisted entirely of zeros. The researchers attributed this largely to users accessing the platform through modified, third-party apps rather than the official client.


Meta, WhatsApp’s parent company, has since addressed the vulnerability. Nitin Gupta, VP of Engineering at WhatsApp, thanked the university team for their work through the company’s Bug Bounty program. He confirmed that the researchers securely deleted the data and that Meta found no evidence of malicious actors using this specific method.

“User messages remained private and secure thanks to WhatsApp’s default end-to-end encryption,” Gupta stated, noting that the loophole only exposed publicly available information, not private chats. Meta implemented stricter rate limits in October 2025 to prevent this type of mass scraping in the future. With the platform now serving an estimated 3.5 billion active accounts, maintaining strict security protocols remains a massive challenge.
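As an added illustration (not code from Meta or the Vienna researchers), the sketch below shows one way a contact-discovery endpoint can resist the bulk lookups described above: it budgets each client by distinct numbers queried per time window rather than by request count, and flags clients whose lookups are almost all unregistered numbers. The class name, thresholds and sample phone numbers are assumptions constructed for this example.

```python
from collections import defaultdict, deque

class DiscoveryLimiter:
    """Budgets contact discovery by distinct numbers per client, not by request count."""

    def __init__(self, budget=200, window_s=3600, miss_ratio=0.9, min_sample=50):
        self.budget, self.window_s = budget, window_s
        self.miss_ratio, self.min_sample = miss_ratio, min_sample
        self._seen = defaultdict(deque)  # client -> (timestamp, number, registered?)

    def lookup(self, client, numbers, registered, now):
        """Return (results, verdict); verdict is ok, throttled or flag-enumeration."""
        q = self._seen[client]
        while q and now - q[0][0] >= self.window_s:  # drop entries outside the window
            q.popleft()
        known = {n for _, n, _ in q}
        results = {}
        for n in numbers:
            if n not in known:
                if len(known) >= self.budget:  # budget spent: answer nothing further
                    return results, "throttled"
                q.append((now, n, n in registered))
                known.add(n)
            results[n] = n in registered  # re-syncing a known number costs nothing
        misses = sum(1 for _, _, hit in q if not hit)
        # A real address book mostly hits; a swept number range mostly misses.
        if len(q) >= self.min_sample and misses / len(q) >= self.miss_ratio:
            return results, "flag-enumeration"
        return results, "ok"

# Constructed sample data: 40 registered numbers scattered over a block of 1000.
REGISTERED = {f"+43660{i:07d}" for i in range(0, 1000, 25)}

def demo():
    lim = DiscoveryLimiter()
    # Constructed address book: 20 registered contacts plus 10 unregistered ones.
    book = sorted(REGISTERED)[:20] + [f"+43699{i:07d}" for i in range(10)]
    user = [lim.lookup("user", book, REGISTERED, now=t)[1] for t in (0, 60)]
    # Constructed sweep of a sequential range, as a bulk enumerator would issue it.
    sweep1 = lim.lookup("scanner", [f"+43660{i:07d}" for i in range(100)], REGISTERED, now=0)
    sweep2 = lim.lookup("scanner", [f"+43660{i:07d}" for i in range(100, 250)], REGISTERED, now=1)
    return user, sweep1[1], sweep2[1], len(sweep2[0])

if __name__ == "__main__":
    print(demo())
```

Counting distinct numbers instead of requests means batching many numbers into one request does not stretch the budget, and an ordinary client re-syncing the same address book is never penalised.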
