WhatsApp Data of 3.5 Billion Users Scraped in Record-Breaking Research Study
Researchers scraped 3.5 billion WhatsApp profiles, prompting new Meta security.

Researchers from the University of Vienna have quietly compiled a digital directory so vast it contains the personal details of nearly half the global population. The team claims to have scraped the data of 3.5 billion WhatsApp users, effectively creating a shadow database that rivals the platform's own records. If this massive trove of information had fallen into the wrong hands, the team suggests it would, 'to our knowledge, classify as the largest data leak in history, had it not been collated as part of a responsibly-conducted research study.'
While the data was gathered for academic purposes, the implications are unsettling for privacy advocates. The researchers successfully harvested phone numbers, timestamps, 'about' text, profile pictures, and public keys for E2EE encryption. They warn that a public release of this dataset 'would entail adverse implications to the included users.'
Scraping 100 Million Accounts per Hour Through a Loophole
How did a research team manage to collect such a staggering amount of information? The study relies on the mechanism WhatsApp uses to allow account discovery by inputting phone numbers. The critical oversight, however, was that the platform did not implement explicit rate limits for querying these numbers before the study took place.
This lack of restrictions allowed the Austrian research team to achieve a query rate of 100 million per hour. Through this aggressive method, they were able to 'confirm 3.5 billion phone numbers registered on WhatsApp (exceeding the 'more than 2 billion people' officially stated by WhatsApp).' This massive discrepancy in user numbers highlights just how much data was sitting unprotected, ready to be indexed by anyone with the right script.
Why Public Profile Photos Are a Major Security Blind Spot
The study unearthed a troubling reality regarding user privacy settings and how they are utilised by the general public. It revealed that 57% of WhatsApp numbers featured freely accessible profile photos. Even more concerning for security experts is that two-thirds of those images contained detectable human faces.
The researchers claim this data can be used to build a reverse phonebook based on user images. This capability transforms a simple profile picture into a tool for doxxing or stalking, allowing malicious actors to link a face to a private phone number. While users can restrict these images to contacts only, the default behaviour for many remains public.
Defining the Line Between a Data Breach and a Design Feature
The central question remains: Does this constitute a data breach? In the simplest terms, the researchers were merely using the platform as intended by its owner, Meta. WhatsApp explicitly allows users to input phone numbers to check for valid accounts. Furthermore, the scraped data consists of information that users can voluntarily remove or restrict.
However, the scale of the data collection shifts the conversation. While individual data points are public, the aggregation of billions of profiles creates a database with immense value to advertisers and scammers alike. It exposes the friction between user convenience and platform security.
WhatsApp by the Numbers
— Mobile Hacker (@androidmalware2) November 20, 2025
I dived into anonymized metadata published after a #WhatsApp security issue that exposed 3.5B phone numbers.
- Android rules (81%)
- iOS dominates in rich markets
- Monaco = multi-account heaven
- China is niche but enterprise-heavy
https://t.co/B2J2tk140u
Meta Responds with New Mitigations and Rate Limits
Meta has responded to the research with a series of defensive measures to prevent future large-scale scraping. The company stated, 'In this study, academic researchers generated a list of phone numbers, checked if they are registered on WhatsApp and compiled basic public information that people have made available to "everyone" in a novel manner that exceeded our intended limits.'
To combat this, Meta has rolled out new mitigations, including 'some of our industry's leading anti-scraping systems we'd been already working on prior to this study.' Specific technical changes include a phone number query rate limit for individual user accounts. However, this limit does not apply to WhatsApp business accounts, 'to help businesses be recognized and build trust with their customers on WhatsApp.'
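A sketch of the kind of per-account phone number query limit described above, as an added example that is not Meta's code or part of the original article. The class name, the budget of 500 distinct numbers per hour and the sample numbers are all assumptions; the limiter counts distinct numbers rather than requests, so a repeated address-book sync is not penalised while a sweep through a number range is cut off.

```python
import time
from collections import defaultdict, deque


class DiscoveryLimiter:
    """Per-account budget on distinct phone numbers looked up per window.

    Hypothetical design: thresholds are illustrative, not WhatsApp's.
    """

    def __init__(self, max_distinct=500, window_s=3600):
        self.max_distinct = max_distinct
        self.window_s = window_s
        self._events = defaultdict(deque)  # account -> (first_seen_ts, number)
        self._seen = defaultdict(set)      # account -> numbers charged in window

    def _expire(self, account, now):
        events, seen = self._events[account], self._seen[account]
        while events and now - events[0][0] >= self.window_s:
            _, number = events.popleft()
            seen.discard(number)

    def allow(self, account, number, now=None):
        now = time.monotonic() if now is None else now
        self._expire(account, now)
        seen = self._seen[account]
        if number in seen:
            return True    # re-check of a contact already charged: free
        if len(seen) >= self.max_distinct:
            return False   # budget for new numbers exhausted
        seen.add(number)
        self._events[account].append((now, number))
        return True


def simulate():
    """Constructed traffic: one normal syncing client, one range sweep."""
    lim = DiscoveryLimiter(max_distinct=500, window_s=3600)
    # 300-contact address book, synced three times within the hour.
    book = [f"+000{i:08d}" for i in range(300)]
    sync_ok = all(lim.allow("user-a", n, now=t)
                  for t in (0, 1200, 2400) for n in book)
    # One account walking 10,000 consecutive numbers in about ten seconds.
    sweep = [lim.allow("user-b", f"+000{50_000 + i:08d}", now=10 + i * 0.001)
             for i in range(10_000)]
    # After the window has passed, the sweeping account gets a fresh budget.
    later = lim.allow("user-b", "+00099999999", now=3700)
    return sync_ok, sum(sweep), later
```

The example does not model the business-account exemption the article mentions; any exempt class of account is a path the limit does not cover.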
Additionally, retrieving profile pictures no longer returns a timestamp of when the image was last updated. A 'corner case' on Android clients regarding logouts and phone number changes, which led to the omission of fresh key generation during subsequent account setups, has likewise been addressed.
Ultimately, this serves as a stark reminder for the average user to review their digital footprint. If you wish to keep your details secure, ensure your profile image is set to private. For more details on how the researchers conducted the study, you can view the full report.
© Copyright IBTimes 2025. All rights reserved.




















