A team of researchers based in Austria has identified a major security flaw in WhatsApp that enabled them to amass data from over 3.5 billion accounts, making it one of the biggest data exposures in history. The vulnerability stems from a longstanding feature that lets users look up individuals on WhatsApp by entering their phone numbers. Using a tool built on Google’s libphonenumber, the researchers generated 63 billion plausible numbers and checked them against the platform’s user database, revealing approximately 3.5 billion active accounts.
The team conducted their queries at a rapid pace of 7,000 numbers per second per session, without encountering any significant blocking measures or rate limiting. Throughout the process, their IP address and accounts remained unobstructed. Each verified phone number yielded basic profile information from WhatsApp. Shockingly, more than 57% of the active accounts contained profile pictures, with two-thirds showcasing human faces. This discovery raised concerns about the potential creation of a reverse phonebook linking individuals’ images to their phone numbers and identities.
Furthermore, approximately 29% of the accounts included profile text, which the researchers found could expose sensitive information such as sexual orientation, political affiliations, drug usage, and connections to platforms like LinkedIn or Tinder, along with professional email addresses. In certain instances, the team successfully traced numbers back to government and military officials.
The dataset also revealed millions of active WhatsApp accounts tied to phone numbers from countries where the messaging service is prohibited, including China, Myanmar, and North Korea. Countries such as Iran and Senegal, which have previously imposed temporary bans, were represented in the findings as well. The researchers noted the risk these accounts pose to their owners in jurisdictions where circumventing such bans can carry severe consequences.
To gauge how long leaked data remains useful, the researchers compared their findings to the 2021 Facebook scraping incident, which exposed information from 533 million profiles. Surprisingly, around half of the phone numbers from that breach were still active on WhatsApp.
The researchers emphasized the value of large, validated lists of active phone numbers to cybercriminals, enabling them to conduct spam, phishing, and robocall campaigns with a reliable foundation. They underscored the necessity for enhanced rate limiting and privacy safeguards on messaging platforms in light of the effortless and extensive enumeration demonstrated by this case.
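The two observations above, lookups accepted at 7,000 numbers per second per session and the call for stronger rate limiting, are the core of the defensive lesson. The following is an added illustration, not code from the researchers or from WhatsApp, of how a per-session sliding-window limiter on a contact-discovery endpoint separates an ordinary address-book sync from bulk enumeration. The limit of 500 lookups per 60 seconds, the session identifiers, and the traffic scenarios are all constructed assumptions chosen for the demonstration; a fake clock is used so the simulation runs deterministically offline.

```python
import time
from collections import defaultdict, deque


class LookupRateLimiter:
    """Sliding-window rate limiter for a phone-number lookup endpoint.

    Keyed by a session identifier (a client IP or account id would work the
    same way). Permits at most `max_lookups` lookups in any trailing window of
    `window_seconds`; anything beyond that is denied until old events expire.
    """

    def __init__(self, max_lookups, window_seconds, clock=time.monotonic):
        self.max_lookups = max_lookups
        self.window = window_seconds
        self.clock = clock          # injectable for deterministic testing
        self._events = defaultdict(deque)  # session -> timestamps of accepted lookups

    def allow(self, session_id, n=1):
        """Return True and record the lookups if `n` more fit in the window."""
        now = self.clock()
        q = self._events[session_id]
        cutoff = now - self.window
        # Drop timestamps that have slid out of the window.
        while q and q[0] <= cutoff:
            q.popleft()
        if len(q) + n > self.max_lookups:
            return False
        for _ in range(n):
            q.append(now)
        return True


class FakeClock:
    """Manually advanced clock so the demo does not depend on wall time."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, dt):
        self.t += dt


def simulate(rate_per_second, seconds, limiter, clock, session_id):
    """Issue lookups at a steady rate and return (allowed, denied) counts."""
    allowed = denied = 0
    step = 1.0 / rate_per_second
    for _ in range(int(rate_per_second * seconds)):
        if limiter.allow(session_id):
            allowed += 1
        else:
            denied += 1
        clock.advance(step)
    return allowed, denied


def run_demo():
    """Constructed scenarios: a legitimate sync versus bulk enumeration."""
    clock = FakeClock()
    # Assumed policy: 500 lookups per trailing 60 seconds per session.
    limiter = LookupRateLimiter(max_lookups=500, window_seconds=60, clock=clock)

    # Scenario 1 (constructed): a client syncing a 300-entry address book in one second.
    normal = simulate(300, 1, limiter, clock, "session-normal")

    # Scenario 2 (constructed): a client querying at the 7,000 numbers/s the
    # article reports, sustained for two seconds.
    bulk = simulate(7000, 2, limiter, clock, "session-bulk")

    return {"normal": normal, "bulk": bulk}


if __name__ == "__main__":
    for name, (ok, denied) in run_demo().items():
        print(f"{name}: allowed={ok} denied={denied}")
```

The legitimate sync completes untouched, while the bulk client is cut off after its first 500 lookups in the window. A per-session limit alone is not sufficient, since an attacker can spread queries across many sessions and source addresses; in practice the same limiter should also be keyed on client IP and account, combined with a global ceiling on lookups of unregistered numbers, which is the signature of enumeration rather than of a user checking their own contacts.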
