Researchers in Austria exploited a long-standing weakness in **WhatsApp** to harvest personal data from over **3.5 billion users**, in what is described as the **largest data leak in history**. The weakness lay in WhatsApp's phone number lookup (contact discovery) feature, which returns a contact's details (name, phone number, profile image) to anyone who supplies that contact's number. Looking up one number is the feature working as designed; the problem is that nothing stopped the same lookup from being run at scale. By automating it with a custom tool built on **Google's libphonenumber**, the researchers generated **63 billion** candidate phone numbers and scraped the matching accounts at a rate of **100 million accounts per hour**.

The attack exposed **user identities globally**: phone numbers, names, and profile pictures, information that can be weaponized for **phishing, spam, or targeted scams**. WhatsApp's lack of **rate limiting or blocking mechanisms** let the mass enumeration run without detection. No financial or transactional data was compromised, but exposure at this scale poses severe **privacy risks** and undermines trust in the platform's security. The incident highlights a systemic weakness in **user data protection** on one of the world's most widely used messaging apps, with likely downstream effects on **reputation and regulatory scrutiny** for Meta.
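The following Python is an added example, not code from WhatsApp, Meta or the Austrian researchers. It models the lookup flow described above as a toy directory: first in the weak form the report describes (any caller may resolve any number, as often as it likes), then hardened with the two controls the record further down recommends, a per-client sliding-window rate limit and monitoring for enumeration, here a miss-ratio heuristic. The user table, client identifiers, thresholds and `candidate_numbers()` (a stand-in for the libphonenumber-driven generator the researchers used) are assumptions for illustration.

```python
from collections import defaultdict, deque

# Constructed directory (not real users): E.164 number -> fields the lookup
# returns to anyone who holds the number.
USERS = {
    "+436601234567": {"name": "Alice", "has_photo": True},
    "+436601234570": {"name": "Bob", "has_photo": False},
    "+4915112345678": {"name": "Carol", "has_photo": True},
}


def candidate_numbers(prefix, start, count, width=4):
    """Hypothetical generator: walk a contiguous block of subscriber numbers
    under one country/area prefix (+43660123 + 4500..4599)."""
    return [f"{prefix}{n:0{width}d}" for n in range(start, start + count)]


def lookup_unthrottled(number):
    """The weak design: the directory answers every query without limit."""
    return USERS.get(number)


def enumerate_unthrottled(numbers):
    """What a scanner harvests against the weak design: every registered
    number in the block, with the profile fields the lookup hands back."""
    hits = {}
    for number in numbers:
        profile = lookup_unthrottled(number)
        if profile is not None:
            hits[number] = profile
    return hits


class HardenedLookup:
    """Same lookup plus a sliding-window budget per client and a miss-ratio
    heuristic: a real contact sync mostly queries numbers that exist, while a
    scanner walking a number space mostly does not."""

    def __init__(self, max_per_window=20, window_s=60.0,
                 min_sample=20, max_miss_ratio=0.9):
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.min_sample = min_sample
        self.max_miss_ratio = max_miss_ratio
        self.recent = defaultdict(deque)   # client -> timestamps inside the window
        self.total = defaultdict(int)      # client -> answered lookups
        self.misses = defaultdict(int)     # client -> answered lookups for unknown numbers
        self.blocked = set()

    def lookup(self, client, number, now):
        """Return (status, profile); `now` is injected so the window is testable."""
        if client in self.blocked:
            return "blocked", None
        window = self.recent[client]
        while window and now - window[0] >= self.window_s:
            window.popleft()               # forget requests that left the window
        if len(window) >= self.max_per_window:
            return "rate_limited", None    # refused; does not count as answered
        window.append(now)
        self.total[client] += 1
        profile = USERS.get(number)
        if profile is None:
            self.misses[client] += 1
        if (self.total[client] >= self.min_sample
                and self.misses[client] / self.total[client] >= self.max_miss_ratio):
            self.blocked.add(client)       # in production: raise an alert here too
            return "blocked", None
        return ("ok", profile) if profile is not None else ("unknown", None)


def run_scenarios():
    """A scanner, a legitimate sync and a bursty client against both designs."""
    block = candidate_numbers("+43660123", 4500, 100)   # +436601234500..4599
    weak_hits = enumerate_unthrottled(block)

    svc = HardenedLookup()
    t0 = 1000.0
    statuses = defaultdict(int)
    hardened_hits = {}
    for i, number in enumerate(block):                  # 100 requests per second
        status, profile = svc.lookup("scanner", number, t0 + i * 0.01)
        statuses[status] += 1
        if profile is not None:
            hardened_hits[number] = profile

    # A client syncing real contacts stays under both thresholds...
    sync = [svc.lookup("phone-a", n, t0 + 5.0)[0] for n in USERS]
    # ...while a burst past the budget is refused until the window slides.
    burst = [svc.lookup("phone-b", "+436601234567", t0 + 10.0)[0] for _ in range(25)]
    later = svc.lookup("phone-b", "+436601234567", t0 + 10.0 + svc.window_s)[0]

    return {
        "weak_hits": sorted(weak_hits),
        "hardened_hits": sorted(hardened_hits),
        "scanner_statuses": dict(statuses),
        "sync_statuses": sync,
        "burst_statuses": burst,
        "after_window": later,
    }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

Against the unthrottled directory the scanner recovers both registered numbers in the block; against the hardened one it gets 19 "unknown" answers and is then blocked for the rest of the scan, while the contact sync and the post-window retry still succeed. The thresholds are illustrative: a miss-ratio rule can false-positive on a user whose address book is mostly unregistered numbers, and a per-client budget alone is defeated by spreading queries across many client identities, so in practice it is combined with account-level and global lookup caps and with monitoring of aggregate query volume.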
Meta cybersecurity rating report: https://www.rankiteo.com/company/meta
{
  "id": "MET4532045112025",
  "linkid": "meta",
  "type": "Vulnerability",
  "date": "11/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact involving customer data leaks: - Attack which causes a leak of customers' personal information (only if no ransomware) - Attack by hackers which causes a data leak of customer information (only if no ransomware)"
}
{'affected_entities': [{'customers_affected': '3.5 billion+',
                        'industry': 'technology/social media',
                        'location': 'global',
                        'name': 'WhatsApp (Meta Platforms, Inc.)',
                        'size': '3.5+ billion users',
                        'type': 'messaging platform'}],
 'attack_vector': ['abuse of platform feature',
                   'lack of rate limiting',
                   'automated enumeration'],
 'data_breach': {'data_exfiltration': ['yes (via automated enumeration)'],
                 'file_types_exposed': ['metadata (phone numbers, names)',
                                        'images (profile pictures)'],
                 'number_of_records_exposed': '3.5 billion+',
                 'personally_identifiable_information': ['phone numbers', 'names'],
                 'sensitivity_of_data': ['moderate (personally identifiable information: phone numbers, names)'],
                 'type_of_data_compromised': ['phone numbers', 'user names', 'profile images']},
 'description': "Researchers in Austria exploited a flaw in WhatsApp to gather personal data of over 3.5 billion users by abusing the platform's phone number lookup feature. The feature, which lacks effective rate limiting, allowed the researchers to enumerate user details (phone number, name, and profile image) at a rate of over 100 million accounts per hour using a custom tool built with Google's libphonenumber. No blocking or rate-limiting mechanisms were encountered during the process.",
 'impact': {'brand_reputation_impact': ['potential erosion of user trust',
                                        'perception of weak privacy controls'],
            'data_compromised': ['phone numbers', 'user names', 'profile images (where available)'],
            'identity_theft_risk': ['increased risk due to exposed phone numbers and associated metadata'],
            'systems_affected': ['WhatsApp phone number lookup feature (the interface through which the user directory was read)']},
 'motivation': ['research purposes',
                'demonstration of vulnerability',
                'potential for malicious exploitation by third parties'],
 'post_incident_analysis': {'root_causes': ['Lack of rate limiting on phone number lookup feature',
                                            'Insufficient protections against automated enumeration',
                                            'Over-reliance on user trust for feature abuse prevention']},
 'recommendations': ['Implement strict rate limiting on phone number lookup features',
                     'Enhance monitoring for automated enumeration attempts',
                     'Conduct privacy impact assessments for features enabling user data access',
                     'Proactively notify affected users and regulators',
                     'Review and strengthen API abuse protections'],
 'references': [{'source': 'Connor Jones report (via unspecified publication)'}],
 'regulatory_compliance': {'regulations_violated': ['potential violations of GDPR (EU)',
                                                    'other global privacy laws (e.g., CCPA, LGPD)']},
 'threat_actor': ['researchers (Austria)',
                  'potential malicious actors leveraging the same method'],
 'title': 'Largest Data Leak in History: WhatsApp User Data Enumeration Exploit',
 'type': ['data breach', 'privacy violation', 'unauthorized data enumeration'],
 'vulnerability_exploited': ['WhatsApp phone number lookup feature',
                             'absence of effective rate limiting']}