Overview
- A University of Vienna and SBA Research team enumerated nearly all active WhatsApp numbers and gathered publicly visible profile fields and photos, totaling about 3.5 billion accounts.
- Meta acknowledged a novel enumeration technique that exceeded intended limits and said new anti-scraping and rate-limiting defenses were validated, with no evidence of malicious exploitation and the research dataset deleted.
- The exposure resulted from insufficient rate limiting in contact discovery that allowed bulk queries to confirm active accounts and retrieve public metadata.
- The researchers reported the issue in September 2024 and say substantive engagement from Meta followed an August 22, 2025 publication threat, after which both sides implemented mitigations.
- The team received about $10,000 through Meta's bug-bounty program, a payout one researcher described as modest. The study underscores the risk to users in countries where WhatsApp is restricted and to those who share sensitive details in their profiles.
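As an added illustration of the contact-discovery rate-limiting gap named above (example code, not WhatsApp's or the researchers' own), a per-client sliding-window cap on the number of distinct phone numbers a client may check; the phone numbers, limits and registered-account set are constructed for the demonstration:

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ClientWindow:
    seen: deque = field(default_factory=deque)   # (timestamp, number), oldest first
    counts: dict = field(default_factory=dict)   # number -> lookups still inside the window


class ContactDiscoveryGuard:
    """Caps the number of DISTINCT phone numbers one client may check per sliding window.

    A real address-book sync re-checks the same numbers repeatedly, so repeats are free;
    an enumerator keeps feeding fresh numbers and hits the cap.
    """

    def __init__(self, max_distinct: int, window_s: float, registered: set):
        self.max_distinct = max_distinct
        self.window_s = window_s
        self.registered = registered   # constructed stand-in for the account store
        self.clients: dict[str, ClientWindow] = {}

    def _prune(self, cw: ClientWindow, now: float) -> None:
        # Drop lookups that have aged out of the window.
        while cw.seen and now - cw.seen[0][0] > self.window_s:
            _, num = cw.seen.popleft()
            cw.counts[num] -= 1
            if cw.counts[num] == 0:
                del cw.counts[num]

    def lookup(self, client_id: str, numbers: list, now: float) -> dict:
        cw = self.clients.setdefault(client_id, ClientWindow())
        self._prune(cw, now)
        fresh = {n for n in numbers if n not in cw.counts}
        if len(cw.counts) + len(fresh) > self.max_distinct:
            # Refuse the whole batch rather than part of it: a partial answer
            # would still confirm which of the remaining numbers are active.
            return {"allowed": False, "reason": "distinct-number cap exceeded", "active": []}
        for n in numbers:
            cw.seen.append((now, n))
            cw.counts[n] = cw.counts.get(n, 0) + 1
        # Only the "is registered" bit is returned; profile fields need a stricter check.
        return {"allowed": True, "reason": "", "active": sorted(n for n in numbers if n in self.registered)}


if __name__ == "__main__":
    guard = ContactDiscoveryGuard(max_distinct=500, window_s=3600, registered={"+43660000007"})
    scan = [f"+43660{i:06d}" for i in range(1000)]   # constructed sequential range
    for start in range(0, 1000, 100):
        print(start, guard.lookup("scanner", scan[start:start + 100], now=float(start))["allowed"])
```

A legitimate client re-syncing the same contact list stays under the cap, while a client sweeping a sequential range is refused once it has checked 500 distinct numbers inside the hour.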