BIGGEST data breach ever - concerning all WhatsApp accounts

The BIGGEST data breach ever - if you use messenger apps, you might be interested!

Researchers from the University of Vienna and SBA Research obtained the entire WhatsApp directory: 3.5 billion (yes, 3,500,000,000) accounts. This was not a breach of chat content, but of account metadata such as phone numbers, profile information, and public cryptographic keys. Meta received warnings starting in September 2024 and did not act for roughly 12 months, until public pressure became high.

It is fair to say that all WhatsApp and social media users should familiarise themselves with the risks of using social and messaging apps.

The company Meta did not respond for over a year. This is not a small oopsie that just happened; this is ignoring every data protection policy and every compliance policy that ever existed. Companies are subject to comprehensive compliance obligations.

What Data Were Gathered

The leak exposed multiple categories of account data:

  • Phone numbers: all 3.5 billion registered WhatsApp accounts.
  • Profile pictures: 57% of users had public images; for +1 (North America), millions of pictures (terabytes) were downloaded for the study.
  • Info fields: ~30% of users filled these in, often with sensitive data (political views, sexual orientation, drug use, workplace, links to Tinder/OnlyFans).
  • Public keys: all accounts; 2.3 million keys appeared duplicated across devices. This is interesting from a key management perspective.
  • Timestamps: last changes to profile pictures and info fields.
  • Device counts: up to 5 devices per account, with IDs revealing stability or churn.

Actual Numbers

Some of the insights are as follows:

  • 3.5 billion accounts = (almost) the entire WhatsApp user base.
  • 750 million users in India, with 62% showing visible profile pictures.
  • 2.3 million active accounts in China despite a ban.
  • 60 million accounts in Iran.
  • 1.6 million accounts in Myanmar.
  • 5 accounts in North Korea.
  • Half a million profile pictures sampled → 2/3 contained human faces.
  • 2 invalid signatures out of 3.5 billion keys (rare).
  • 2.3 million reused keys leading to potential identity compromise.

Response Delay

Warnings began in September 2024. Meta acknowledged receipt but did not act for ~12 months. Only after researchers prepared publication did Meta classify the activity as “scraping” and claim deletion of data.

Missed Monitoring and Protection

This wasn’t a “hack”, but rather an enumeration exploit that abused WhatsApp’s own contact discovery API. Think of it as a reverse phone book with cryptographic metadata attached. The issues are:

  • No rate limiting: enumeration and testing ran at more than 100 million accounts per hour, and the contact discovery flaw allowed systematic queries of whole number ranges.
  • Key management allowed reusing keys when numbers or devices changed.
  • Profile visibility defaults: profile pictures were exposed globally (57% of users).
  • Field misuse: no moderation of, or warning about, sensitive disclosures in the info fields.
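As an added example (not code from the researchers or from Meta), the following Python replays constructed contact-discovery request logs for a hypothetical endpoint and flags two of the failure modes listed above: a client exceeding a per-hour lookup budget, and a client sweeping a consecutive number range even at low volume. The client ids, phone numbers and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Illustrative policy thresholds (assumptions, not WhatsApp's real limits):
# an address-book sync rarely exceeds a few thousand lookups per hour, and
# real contacts are scattered numbers, not consecutive ranges.
MAX_LOOKUPS_PER_HOUR = 5000
MAX_CONSECUTIVE_FRACTION = 0.5

@dataclass
class ClientStats:
    lookups: int = 0
    numbers: set = field(default_factory=set)

def parse_log(lines):
    """Parse constructed lines of the form '<ts> <client_id> <E.164 number>'."""
    stats = defaultdict(ClientStats)
    for line in lines:
        _ts, client, number = line.split()
        stats[client].lookups += 1
        stats[client].numbers.add(int(number.lstrip("+")))
    return stats

def consecutive_fraction(numbers):
    """Share of looked-up numbers whose immediate successor was also looked up.
    A pure range sweep of n numbers scores 1.0; a real address book scores near 0."""
    if len(numbers) < 2:
        return 0.0
    return sum(1 for n in numbers if n + 1 in numbers) / (len(numbers) - 1)

def classify(stats):
    """Map each client_id to 'allow', 'rate_limit' or 'enumeration'."""
    verdicts = {}
    for client, s in stats.items():
        if s.lookups > MAX_LOOKUPS_PER_HOUR:
            verdicts[client] = "rate_limit"      # volume alone is abusive
        elif consecutive_fraction(s.numbers) > MAX_CONSECUTIVE_FRACTION:
            verdicts[client] = "enumeration"     # low volume, but sweeping a range
        else:
            verdicts[client] = "allow"
    return verdicts

# Constructed sample log (hypothetical client ids and numbers), one hour of traffic.
SAMPLE_LOG = (
    [f"t{i} phone-sync +4917{n:08d}" for i, n in enumerate((12345678, 99887766, 31415926))]
    + [f"t{i} sweeper +1555{n:06d}" for i, n in enumerate(range(100, 200))]
    + [f"t{i} bulk +4930{n:07d}" for i, n in enumerate(range(6000))]
)

if __name__ == "__main__":
    print(classify(parse_log(SAMPLE_LOG)))  # {'phone-sync': 'allow', 'sweeper': 'enumeration', 'bulk': 'rate_limit'}
```

A scraper spread across many client identities stays under every per-client budget, so the consecutive-range check also has to be run over the aggregated number space, not only per client.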

Users are realising now how sensitive account and meta information is, and how easily an attack could occur. These weaknesses may have been exploited for years. The question remains as to whether any investigations will be carried out, and how companies will enforce data and privacy policies. What do you think?

Written by Ralf