
WhatsApp’s security breach left billions of accounts vulnerable

  • WhatsApp has 3.5 billion active accounts worldwide that are at risk of metadata theft
  • A contact discovery flaw allowed a complete list of global phone numbers to be compiled
  • Millions of encryption keys were reused across multiple accounts, challenging security assumptions.

Following a potentially disturbing discovery, WhatsApp users may need to take additional steps to protect their account information.

A study by researchers from the University of Vienna found that the app's contact discovery system allowed the collection of a large amount of data about WhatsApp users on an unprecedented scale, due to insufficient rate limiting at global endpoints.

Researchers were able to collect massive amounts of phone numbers, public profile photos, bank statement text, company identifiers and key information from start to finish.

How large-scale data was collected

The dataset included users from countries where WhatsApp is banned, including China, Iran, Myanmar and North Korea, which could allow the identification of people in regions subject to strict government surveillance and limited access to encrypted tools.

The research team generated more than 60 billion possible cell phone numbers in more than two hundred countries using automated number generation tools.

They then verified each number against WhatsApp's servers using reverse-engineered protocols.

The method was based on custom open-source clients that interrogated WhatsApp’s infrastructure directly and not through official applications.

The process validated thousands of digits per second without failure and without repeating the enumeration problems previously documented in 2012 and 2021.

The data collected includes timestamps, device information, publicly available encryption keys, and metadata that helped map usage patterns around the world.

There have been millions of cases where encryption keys have been reused across accounts, even though each key must be unique.

Some keys were all zeros, indicating incorrect deployments by remote clients rather than the main application.
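The two key anomalies described above (keys shared across accounts and all-zero keys) can be checked for on the directory side. The following is an added example, not code from the researchers or from WhatsApp; the record layout, account names and 32-byte key length are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

KEY_LEN = 32  # assumption: public identity keys are 32 bytes long

# Constructed sample records: (account id, hex-encoded public key).
SAMPLE_RECORDS = [
    ("acct-001", "a1" * 32),
    ("acct-002", "00" * 32),   # all-zero key
    ("acct-003", "b2" * 32),
    ("acct-004", "a1" * 32),   # same key as acct-001
    ("acct-005", "c3" * 16),   # wrong length
    ("acct-006", "00" * 32),   # all-zero key
    ("acct-007", "A1" * 32),   # same key as acct-001, upper-case hex
]

def audit_public_keys(records, key_len=KEY_LEN):
    """Flag malformed, all-zero and cross-account reused public keys."""
    findings = {"malformed": [], "all_zero": [], "reused": {}}
    owners = defaultdict(set)  # key bytes -> accounts publishing that key
    for account, key_hex in records:
        try:
            key = bytes.fromhex(key_hex)
        except ValueError:
            findings["malformed"].append(account)
            continue
        if len(key) != key_len:
            findings["malformed"].append(account)
            continue
        if not any(key):
            # Reported separately: points at a broken client, not at key sharing.
            findings["all_zero"].append(account)
            continue
        # Compare decoded bytes so hex case differences cannot hide reuse.
        owners[key].add(account)
    for key, accounts in owners.items():
        if len(accounts) > 1:
            findings["reused"][key.hex()] = sorted(accounts)
    return findings

if __name__ == "__main__":
    report = audit_public_keys(SAMPLE_RECORDS)
    for kind, value in report.items():
        print(kind, value)
```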

In a statement sent to Cyber Insider, Nitin Gupta, vice president of technology at WhatsApp, said:

“We thank the researchers at the University of Vienna for their responsible collaboration and commitment to our bug support program. This collaboration has successfully identified a new enumeration technique that overcame our expected limitations and enabled the researchers to extract critical, publicly available information. We had already worked with advanced anti-scratch systems and this study played an important role in stress testing and confirmed the effectiveness of these instant defense researches.” deleted data collected in the study, and we did.” No evidence was found that malicious actors misused this vector. WhatsApp’s standard end-to-end encryption kept users’ messages private and secure, preventing researchers from accessing non-public data.

Meta claimed the messages remained secure, but researchers said public key reuse weakened the trust model behind end-to-end encryption.

The company introduced stricter rate limits in October 2025 following the disclosure, and later fixed a separate issue on Apple devices that allowed viewing of unauthorized media content.

WhatsApp reached around 3.5 billion active accounts by early 2025, making it one of the most used communication platforms in history.

How to stay safe

  • Limit what appears in public profile fields and avoid posting links in status messages.
  • Use strong passwords and enable two-factor authentication for better account protection.
  • Keep your antivirus software up to date to detect threats before they affect your account.
  • Use identity theft protection services to check for suspicious activity or data breaches.
  • Block unknown contacts and regularly monitor account activity for unusual behavior.
  • Enable a firewall to prevent malicious network access and suspicious connections.
  • Avoid unofficial WhatsApp clients and update the official app as soon as possible.