3.5 Billion WhatsApp Accounts Identified Through Enumeration
A recent study by IT-security researchers at the University of Vienna and SBA Research examines the ease of identifying WhatsApp users and the information the platform exposes. The findings show that, despite end-to-end encryption, attackers can still learn a lot about users by probing WhatsApp’s servers.
Billions of Accounts Checked
The researchers tested more than 63 billion potential phone numbers across 245 countries and discovered 3.5 billion active WhatsApp accounts. They used a reverse-engineered API and did not face rate limits. In practice, this means anyone with little technical skill can repeat this method. The team sent all requests from one server and never tried to hide their activity.
WhatsApp Use per Capita: At 95 % in South America and 80 % in Europe, a majority of citizens have an active WhatsApp account. (Figure 3 in the paper)
What Can Attackers See?
When someone checks a number, WhatsApp returns useful public data. The paper shows that a simple lookup can reveal:
- Whether the number is registered
- The profile picture URL
- The “about” text
- Device details
- Public encryption keys
This data looks harmless at first. Yet patterns across millions of accounts reveal trends about countries, device types, and even user habits. For example, the study shows that more than half of all WhatsApp users have a public profile picture, and 29 percent share an “about” text.
How Can This Be Abused?
Attackers can automate the same steps the researchers used. They only need a phone number list and a script that talks to WhatsApp’s backend. Because WhatsApp did not enforce strict rate limits, attackers can send thousands of queries per second from a single server.
When the server receives a phone number, it returns structured data. This includes registration status, the profile picture URL, the “about” text, device lists, and public encryption keys. An attacker can store this output in a database and continue scanning the next batch. At scale, this builds a full map of the WhatsApp population.
Attackers can then filter or cluster the results. They can target users with older devices, link business accounts, or find groups with similar “about” texts. With timestamps and key updates, they can track account activity. With repeated scans, they can monitor churn or new accounts and adjust scams or campaigns accordingly.
How Did the Researchers Do the Enumeration?
The team used a reverse-engineered WhatsApp Web client, documented in the paper. This client talks directly to WhatsApp’s XMPP API. They authenticated five sessions by scanning QR codes with real WhatsApp accounts. Then they sent large batches of numbers, up to 50,000 in one request, to the endpoint that checks if a number is on WhatsApp.
Overview of WhatsApp Endpoints and Enumeration Speed (Table 1 in the paper)
The study utilized a single university server and did not conceal its IP address. Even so, they reached the following speeds:
- 7,000 numbers per second for registration checks
- 3,000 per second for profile data
- 2,000 per second for encryption keys
They first generated 63 billion valid numbers for all countries. Then they ran the crawler in several rounds. Round one found 3.5 billion active accounts. Round two fetched profile text and pictures. Round three fetched the public keys.
Nothing stopped the scan. No blocks, no warnings, no slowdown. This shows that the method was not only possible but practical.
Real Privacy Issues
The “about” texts sometimes contain personal details. The paper lists examples such as political slogans, religion, sexual identity, and even references to illegal activity. Many users also share their email addresses or links to other social profiles. Profile pictures can reveal faces, workplaces, uniforms, or surroundings.
The researchers downloaded 77 million profile pictures from the US number range. A face detector found faces in about two-thirds of them. With this amount of data, someone could build a reverse lookup service based on faces or phone numbers.
Top 10 Countries Ranked by Number of WhatsApp Accounts. Android, iOS, Picture, About Text, Business, and Companions Refer to Their Share in the Respective Country. (Table 3 in the paper)
Public Data, But at Unlimited Scale
All the information that WhatsApp returns is public by design. A profile picture or “about” text is not hidden. Users choose to share it. The real problem is scale. WhatsApp should not allow billions of checks without limits. The platform treated all lookups the same, even when they came from a single server scanning millions of numbers each hour.
This lack of limits changes what is possible. Instead of checking a few contacts, attackers can look up entire nations. They can repeat scans daily to watch for new accounts, abandoned numbers, or changes in user behavior. With enough data, they can build complete lists of active devices or track churn rates. These insights help plan long-term attacks or fraud campaigns.
The researchers show that nothing stopped them from collecting and processing this information. Ultimately, the primary concern is not that the data exists, but that anyone can gather it endlessly and transform millions of small details into large and powerful datasets.
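The argument above is that contact discovery is acceptable for a phone syncing its address book but not for one source checking thousands of numbers per second. The following added example (written for this article; it is not code from the paper or from WhatsApp) shows what a per-session limit on lookups looks like: a token bucket whose capacity covers a large one-off contact sync, a slow refill that makes sustained scanning impossible, and a cap on batch size. The policy numbers (5,000 lookups of burst, one lookup per second of refill, at most 1,000 numbers per request) are assumptions chosen for illustration, as is the constructed event log, which mirrors the 7,000 lookups per second figure from the study with a session that sends 1,000 numbers every second.

```python
"""Per-session lookup limiter for a contact-discovery endpoint (illustrative, not WhatsApp's code)."""
from dataclasses import dataclass


@dataclass
class Policy:
    # Assumed numbers: a burst large enough for a big address-book sync,
    # a refill slow enough that sustained scanning cannot keep up.
    burst: float = 5000.0        # tokens a fresh session starts with
    refill_per_sec: float = 1.0  # tokens regained per second
    max_batch: int = 1000        # numbers accepted in a single request


class TokenBucket:
    """Classic token bucket: each phone number looked up costs one token."""

    def __init__(self, policy: Policy, now: float):
        self.policy = policy
        self.tokens = policy.burst
        self.last = now

    def try_consume(self, n: int, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.policy.burst, self.tokens + elapsed * self.policy.refill_per_sec)
        self.last = now
        if n <= self.tokens:
            self.tokens -= n
            return True
        return False


def evaluate(events, policy: Policy = Policy()):
    """events: iterable of (timestamp_seconds, session_id, numbers_in_batch).

    Returns {session_id: {"allowed": int, "limited": int, "numbers_checked": int}}.
    A batch is refused outright when it exceeds max_batch, otherwise it is
    charged against the session's bucket.
    """
    buckets = {}
    report = {}
    for ts, session, n in sorted(events, key=lambda e: e[0]):
        stats = report.setdefault(session, {"allowed": 0, "limited": 0, "numbers_checked": 0})
        bucket = buckets.get(session)
        if bucket is None:
            bucket = buckets[session] = TokenBucket(policy, ts)
        if n > policy.max_batch or not bucket.try_consume(n, ts):
            stats["limited"] += 1
        else:
            stats["allowed"] += 1
            stats["numbers_checked"] += n
    return report


def suspicious_sessions(report) -> list:
    """Sessions that hit the limit at all are worth a closer look."""
    return sorted(s for s, st in report.items() if st["limited"] > 0)


# Constructed event log: one ordinary address-book sync and one session that
# keeps sending 1,000 numbers per second (assumed shape of an enumeration run).
SAMPLE_EVENTS = [
    (0.0, "sync-A", 300),
    (60.0, "sync-A", 50),
] + [(float(t), "crawler", 1000) for t in range(7)]

if __name__ == "__main__":
    rep = evaluate(SAMPLE_EVENTS)
    for session, st in rep.items():
        print(session, st)
    print("suspicious:", suspicious_sessions(rep))
```

With the assumed policy the ordinary sync is never touched, while the scanning session gets five batches through before the bucket is empty and every batch after that is refused; a 50,000-number request, the batch size the study used, is refused by the batch cap before it even reaches the bucket.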
Encryption Key Problems
Although WhatsApp uses end-to-end encryption, the study revealed some weaknesses in how keys are generated. Some devices reuse keys, and key reuse undermines the guarantees the encryption is meant to give. In some cases, thousands of accounts used the same public key. One group of accounts even used a key derived from an all-zero private key. This points to broken random number generators or flawed third-party clients.
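Key reuse of this kind is straightforward to check for once a set of (account, public key) pairs is in hand, which is what a platform operator or auditor would do. The added example below is written for this article and is not code from the paper; it assumes the keys are X25519 public keys (the Curve25519 keys used by the Signal protocol, 32 bytes, little-endian u-coordinate), which the page does not state. It implements the RFC 7748 scalar multiplication so that the public key belonging to an all-zero private key can be derived and matched against, and it groups accounts by public key to surface clusters. The account identifiers and keys in the sample are constructed. A side effect of RFC 7748 clamping that the example also demonstrates: private keys 0, 1 and 7 all produce the same public key, so a "zero key" can come from several degenerate generator outputs, not only from literal zeros.

```python
"""Detect shared and weak X25519 public keys in a set of accounts (illustrative, not the paper's code)."""
from collections import defaultdict

P = 2**255 - 19
A24 = 121665  # (486662 - 2) / 4 for Curve25519


def _clamp(k: bytes) -> int:
    # RFC 7748 clamping: clear the low 3 bits and bit 255, set bit 254.
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def _decode_u(u: bytes) -> int:
    b = bytearray(u)
    b[31] &= 127  # the top bit of the u-coordinate is ignored
    return int.from_bytes(b, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5 (constant-time swaps omitted for clarity)."""
    k = _clamp(scalar)
    x1 = _decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


BASEPOINT = (9).to_bytes(32, "little")


def public_key(private: bytes) -> bytes:
    return x25519(private, BASEPOINT)


# The public key every client with a "zeroed" private key would publish.
WEAK_ALL_ZERO_PUBKEY = public_key(bytes(32))


def find_key_reuse(records, min_cluster: int = 2) -> dict:
    """records: iterable of (account_id, pubkey_bytes).

    Returns {pubkey_hex: sorted account ids} for every key shared by
    at least min_cluster accounts.
    """
    by_key = defaultdict(list)
    for account, key in records:
        by_key[key].append(account)
    return {k.hex(): sorted(v) for k, v in by_key.items() if len(v) >= min_cluster}


def flag_weak_keys(records) -> list:
    """Accounts whose public key matches the all-zero-private-key value."""
    return sorted(a for a, k in records if k == WEAK_ALL_ZERO_PUBKEY)


# Constructed sample: two honest accounts with distinct keys, three accounts
# sharing one key, and two accounts publishing the weak all-zero-derived key.
_KEY_SHARED = public_key(bytes(range(1, 33)))
SAMPLE_RECORDS = [
    ("acct-01", public_key(bytes(range(33, 65)))),
    ("acct-02", public_key(bytes(range(65, 97)))),
    ("acct-03", _KEY_SHARED),
    ("acct-04", _KEY_SHARED),
    ("acct-07", _KEY_SHARED),
    ("acct-05", WEAK_ALL_ZERO_PUBKEY),
    ("acct-06", WEAK_ALL_ZERO_PUBKEY),
]

if __name__ == "__main__":
    print("reuse clusters:", find_key_reuse(SAMPLE_RECORDS))
    print("weak keys:", flag_weak_keys(SAMPLE_RECORDS))
```

On a real dataset the same grouping would be run over the full key table; any cluster larger than the handful of accounts one person might legitimately register from the same device image is a signal of a broken generator or a cloned client, and the all-zero-derived key is worth matching explicitly because it is the value a failed random source most often produces.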
Old Leaks Remain Relevant
The team also compared their new dataset with the 2021 Facebook data leak. They found that 58 percent of leaked phone numbers are still active on WhatsApp. This illustrates how long leaked data remains useful to scammers or spammers.
Why Does This Matter?
This research demonstrates that WhatsApp’s contact discovery system reveals too much personal information. Even with encryption, attackers can map large parts of the user base. They can link phone numbers to faces, habits, or personal traits. The study highlights the real risks of centralised messaging systems and calls for stronger protections.
At the same time, the technical side of the flaw makes it more serious. Attackers can replicate the study’s method using simple scripts, send thousands of checks per second, and collect profile data, texts, device information, and keys on a massive scale. This allows them to build profiles, track activity, and plan targeted attacks.
SOCRadar’s Advanced Dark Web Monitoring
Security teams need early warning when such data spreads. SOCRadar’s Dark Web Monitoring and Digital Footprint tools help by spotting leaked datasets, exposed numbers, and related metadata. This provides defenders with a faster way to react before attackers can turn large data sets into real threats. See what is exposed.