Khaberni - Cybersecurity researchers from the University of Vienna in Austria revealed that a flaw in the instant messaging application "WhatsApp" exposed the data of 3.5 billion accounts.
The researchers explained in a security report published on the university's website, in cooperation with SBA Research, that the app's "contact discovery mechanism" allowed the data of billions of accounts to be harvested, and confirmed that the parent company "Meta" addressed the flaw after the team reported it.
The "contact discovery mechanism" in "WhatsApp" relies on the phone numbers in a user's address book to find other users who are registered with the service.
The researchers said they used this same mechanism to issue a vast number of queries, exceeding 100 million phone numbers per hour, through WhatsApp's infrastructure, which allowed them to confirm the existence of, and retrieve data on, more than 3.5 billion active accounts in 245 countries.
The lead author of the report, Gabriel Gegenhuber from the University of Vienna, said: "No system should respond to an enormous number of requests in a short time, especially when it comes from a single source. This behavior revealed the fundamental flaw that allowed us to send limited requests to the server, thereby mapping user data around the world."
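The weakness described above is not the profile data itself, which any user who knows a number can see, but the absence of a per-client ceiling on how many numbers one client may look up. The following is an added example, not WhatsApp's code or the researchers' tooling: a constructed in-memory contact-discovery service with an optional per-client lookup quota, and an enumeration loop that probes a whole number range in batches. The registry contents, the "+43660" prefix, the batch size and the 5,000-lookups-per-hour quota are all assumptions chosen for illustration.

```python
"""Per-client quota on a simulated contact-discovery lookup.

Constructed example (not WhatsApp's code): a registry of phone numbers with the
public profile fields a lookup returns, a lookup endpoint, and an enumeration
loop. Run unthrottled, the loop walks the entire range; with a per-client
sliding-window quota it is cut off after the quota is spent.
"""
from collections import deque


class RateLimited(Exception):
    """Raised when a client exceeds its lookup quota for the current window."""


class ContactDiscoveryService:
    def __init__(self, registered, per_client_limit=None, window_seconds=3600.0, clock=None):
        self._registered = registered             # {phone: profile}, constructed data
        self._limit = per_client_limit            # None = unthrottled (the flawed behaviour)
        self._window = window_seconds
        self._clock = clock or (lambda: 0.0)      # injectable clock for deterministic runs
        self._history = {}                        # client_id -> deque of lookup timestamps

    def _prune(self, client_id, now):
        window = self._history.setdefault(client_id, deque())
        while window and now - window[0] >= self._window:
            window.popleft()                      # drop timestamps outside the window
        return window

    def remaining(self, client_id):
        """Lookups the client may still issue in the current window (None = unlimited)."""
        if self._limit is None:
            return None
        return self._limit - len(self._prune(client_id, self._clock()))

    def lookup(self, client_id, numbers):
        """Return {number: profile} for every registered number in `numbers`.

        Every probed number counts against the quota, registered or not: a
        negative answer still tells the caller that the number is unused.
        """
        now = self._clock()
        if self._limit is not None:
            window = self._prune(client_id, now)
            if len(window) + len(numbers) > self._limit:
                raise RateLimited(f"{client_id}: quota of {self._limit} lookups "
                                  f"per {self._window:.0f}s exceeded")
            window.extend([now] * len(numbers))
        return {n: self._registered[n] for n in numbers if n in self._registered}


def enumerate_range(service, client_id, prefix, start, end, batch=1000):
    """Probe every number prefix+NNNNNNN in [start, end) in batches, the way an
    enumerating client would, stopping at the first RateLimited response.
    Returns (numbers probed, {number: profile} found)."""
    probed, found = 0, {}
    for lo in range(start, end, batch):
        chunk = [f"{prefix}{i:07d}" for i in range(lo, min(lo + batch, end))]
        try:
            found.update(service.lookup(client_id, chunk))
        except RateLimited:
            break
        probed += len(chunk)
    return probed, found


# Constructed registry under an assumed Austrian mobile prefix, holding the kind
# of public fields a lookup returns (placeholder key material, "about" text,
# a last-update timestamp).
DEMO_REGISTERED = {
    "+436600000042": {"public_key": "ed25519:aa11", "about": "Hey there!", "timestamp": 1700000000},
    "+436600001337": {"public_key": "ed25519:bb22", "about": "", "timestamp": 1710000000},
    "+436600009999": {"public_key": "ed25519:cc33", "about": "busy", "timestamp": 1720000000},
    "+436600015000": {"public_key": "ed25519:dd44", "about": "available", "timestamp": 1730000000},
}


def build_demo_service(per_client_limit=None, clock=None):
    return ContactDiscoveryService(DEMO_REGISTERED, per_client_limit, clock=clock)


if __name__ == "__main__":
    unthrottled = build_demo_service()
    n, hits = enumerate_range(unthrottled, "enumerator", "+43660", 0, 20000)
    print(f"unthrottled: probed {n} numbers, found {len(hits)} accounts")

    throttled = build_demo_service(per_client_limit=5000)
    n, hits = enumerate_range(throttled, "enumerator", "+43660", 0, 20000)
    print(f"throttled:   probed {n} numbers, found {len(hits)} accounts")
```

The quota is charged per number probed rather than per request, so batching many numbers into one call (as a real address-book sync does) gives no discount, and a miss is charged the same as a hit. A real deployment would also key the quota on more than a client identifier the caller controls (account, device, and network origin), since an enumerator can register many accounts; the point here is only that the ceiling must exist.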
The data accessible through the flaw is the same information available to any user who knows another user's phone number: the phone number itself, the account's public keys, timestamps, the "about" status text, and the profile picture.
From this data, the researchers were able to infer each user's operating system, the age of the account, and the number of devices linked to it.
They said that even this limited data was enough to reveal patterns about users, both individually and in aggregate.
The study also revealed the presence of millions of active accounts in countries where the service is officially banned, such as China, Iran, and Myanmar.
The report also showed that 81 percent of "WhatsApp" users use "Android" phones, while 19 percent use "iOS" phones.
After discovering the flaw, the researchers reported it to the parent company, which closed it.
The researchers said the experiment did not include any attempt to access messages, and that they neither published nor shared any personal data, confirming that they deleted all the data they collected before publishing the study.
The full report is scheduled to be presented at the 2026 Network and Distributed System Security Symposium (NDSS).