{"id":333220,"date":"2025-12-07T17:40:07","date_gmt":"2025-12-07T17:40:07","guid":{"rendered":"https:\/\/www.newsbeep.com\/au\/333220\/"},"modified":"2025-12-07T17:40:07","modified_gmt":"2025-12-07T17:40:07","slug":"scientists-discovered-a-major-security-vulnerability-in-whatsapp","status":"publish","type":"post","link":"https:\/\/www.newsbeep.com\/au\/333220\/","title":{"rendered":"Scientists discovered a major security vulnerability in WhatsApp"},"content":{"rendered":"<p>With more than three billion people opening WhatsApp each day, the app feels like a safe place to talk, share photos, and handle work on the move. Friends trust it. Families depend on it. Businesses run on it. But new academic research shows that the app quietly revealed far more about its users than most people ever expected.<\/p>\n<p>A team of IT security researchers from the <a href=\"https:\/\/www.univie.ac.at\/en\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">University of Vienna<\/a> and SBA Research discovered that WhatsApp could be used to quietly confirm whether a phone number belonged to a real account, nearly anywhere on Earth. Over five months, from December 2024 through April 2025, they tested billions of possible phone numbers. By April, they had confirmed more than 3.5 billion active accounts across 245 countries. That figure is higher than the company\u2019s own public count.<\/p>\n<p>Messages stayed protected the entire time. End-to-end encryption held. The problem was not what people said to each other. The weakness lay in the simple fact of knowing who used WhatsApp and what could be learned from that alone.<\/p>\n<p>WhatsApp users by continent, Android vs. iOS use, and profile picture for 3.5B users. (CREDIT: arXiv)<\/p>\n<p>How billions of users were uncovered<\/p>\n<p>WhatsApp offers a tool that checks which contacts in a phone\u2019s address book are already on the app. It is meant to make connecting easy. 
The researchers used that same feature, but through an <a href=\"https:\/\/www.thebrighterside.news\/post\/revolutionary-open-source-technology-connects-with-living-neurons\/\" rel=\"nofollow noopener\" target=\"_blank\">open source<\/a> client rather than the official app. This gave them direct access to WhatsApp\u2019s system.<\/p>\n<p>They wrote a program called \u201clibphonegen\u201d to create realistic phone numbers from real numbering plans in 245 countries. That produced more than 63 billion possible numbers. They then asked WhatsApp one basic question about each number: Is this an account?<\/p>\n<p>Using just one server and five registered accounts, they checked about 7,000 numbers per second. WhatsApp never completely shut them down. Their accounts stayed active. Their internet address was not blocked.<\/p>\n<p>\u201cNormally, a system shouldn\u2019t respond to such a high number of requests in such a short time, particularly when originating from a single source,\u201d said lead author Gabriel Gegenhuber of the University of Vienna. \u201cThis behavior exposed the underlying flaw, which allowed us to issue effectively unlimited requests to the server and, in doing so, map user data worldwide.\u201d<\/p>\n<p>WhatsApp Use per Capita: At 95\u2009% in South America and 80\u2009% in Europe, a majority of citizens have an active WhatsApp account. (CREDIT: arXiv)<\/p>\n<p>What public data quietly reveals<\/p>\n<p>Once a number was confirmed, the system returned data that is public by design. That included the phone number, cryptographic public keys, the account\u2019s creation time, and, if shared by the user, profile photos and \u201cabout\u201d messages.<\/p>\n<p>From that, the team could infer even more. 
They could tell what kind of <a href=\"https:\/\/www.thebrighterside.news\/post\/study-finds-reducing-smartphone-use-increases-work-satisfaction\/\" rel=\"nofollow noopener\" target=\"_blank\">phone<\/a> a person used, how long their account existed, and whether it was linked to other devices such as laptops or tablets.<\/p>\n<p>This led to the largest known snapshot of a global messaging network. India topped the list with more than 749 million users. Indonesia, Brazil, the United States, and Russia followed. Together, the top ten countries held most of the world\u2019s accounts.<\/p>\n<p>Android phones ruled the platform, making up 81 percent of users. iPhones accounted for the rest. Wealthier regions showed far heavier <a href=\"https:\/\/www.thebrighterside.news\/post\/ai-turns-everyday-videos-into-interactive-3d-worlds-for-games-and-robots\/\" rel=\"nofollow noopener\" target=\"_blank\">iPhone<\/a> use.<\/p>\n<p>More than half of all users had a profile photo. Nearly one in three wrote a short bio. About 9 percent labeled themselves as business accounts. Roughly the same number used at least one linked device.<\/p>\n<p>WhatsApp adoption per continent. Percentage shares are calculated by dividing the number of discovered WhatsApp accounts by the respective population size (per capita) of each continent. (CREDIT: arXiv)<\/p>\n<p>Accounts where WhatsApp is banned<\/p>\n<p>The study found active users in countries where WhatsApp is officially blocked.<\/p>\n<p>China had more than 2.3 million accounts. Myanmar showed 1.6 million. Iran already counted about 59 million users before a ban was lifted in December 2024. Within three months, that jumped to more than 67 million. 
Linked device use tripled.<\/p>\n<p>North Korea, with its tight controls, showed only five accounts.<\/p>\n<p>In places where online speech can bring <a href=\"https:\/\/www.thebrighterside.news\/post\/ai-generated-vr-looks-to-transform-prisoner-rehab-and-the-penal-system\/\" rel=\"nofollow noopener\" target=\"_blank\">punishment<\/a>, even proof of account ownership can put lives at risk.<\/p>\n<p>Faces, locations, and exposure<\/p>\n<p>Millions of users also shared deeply personal details.<\/p>\n<p>Some posted political opinions. Others included faith symbols, sexual identity, or street slang tied to drugs. Many listed email addresses, social media names, or business links.<\/p>\n<p>Distribution of prekey bundle age across our retrieved data. Over 90\u2009% of users have updated their keys within the past month. Consistent with WhatsApp\u2019s account deletion policy, most accounts with keys older than 120 days have been automatically removed. (CREDIT: arXiv) <\/p>\n<p>Profile photos carried their own danger. The researchers downloaded 77 million images from accounts tied to U.S. numbers alone. Automated scans showed two thirds included clear <a href=\"https:\/\/www.thebrighterside.news\/post\/do-ai-generated-faces-look-more-real-than-actual-human-face\/\" rel=\"nofollow noopener\" target=\"_blank\">human faces<\/a>. Others revealed street scenes, homes, or workplaces.<\/p>\n<p>This opens the door to building a reverse phone directory powered by faces. It also makes targeting easier for scammers, stalkers, or hostile governments.<\/p>\n<p>Strange behavior in encryption keys<\/p>\n<p>Messages stayed protected. But the researchers noticed disturbing patterns in how some <a href=\"https:\/\/www.thebrighterside.news\/post\/scientists-create-the-next-generation-of-secure-quantum-communication\/\" rel=\"nofollow noopener\" target=\"_blank\">encryption keys<\/a> were handled.<\/p>\n<p>Each device should have a unique identifier. 
Instead, 2.3 million keys were reused across almost three million devices. One public key had an even deeper flaw. It belonged to 20 U.S. numbers, and its private key was all zeros.<\/p>\n<p>That points to broken random number creation in some unofficial clients or possible fraud. In rare cases like this, bad actors could pretend to be someone else or secretly add their own devices to accounts.<\/p>\n<p>Old leaks that still matter<\/p>\n<p>To see how long phone data stays valuable, the team tested numbers from a massive <a href=\"https:\/\/www.thebrighterside.news\/post\/facebook-to-shut-down-face-recognition-system-delete-data\/\" rel=\"nofollow noopener\" target=\"_blank\">Facebook<\/a> scrape in 2018 that went public years later. Out of 488 million numbers, more than 280 million still worked on WhatsApp.<\/p>\n<p>In some countries, nearly four in ten active numbers overlapped with the old leak. Once a number escapes into the wild, it may stay useful for criminals for years.<\/p>\n<p>A flaw now addressed<\/p>\n<p>The researchers shared their findings with Meta, WhatsApp\u2019s parent company, before publication. The company confirmed the issue has since been fixed.<\/p>\n<p>\u201cWe are grateful to the University of Vienna researchers for their responsible partnership,\u201d said Nitin Gupta, vice president of engineering at WhatsApp. \u201cThis collaboration successfully identified a novel enumeration technique that surpassed our intended limits. We had already been working on anti-scraping systems, and this study helped confirm their strength.\u201d<\/p>\n<p>\u201cThese findings remind us that even mature, widely trusted systems can contain flaws with real world consequences,\u201d Gegenhuber said. \u201cSecurity and privacy are not one time victories. 
They must be constantly tested.\u201d<\/p>\n<p>Research findings are available online on <a href=\"https:\/\/arxiv.org\/abs\/2511.20252\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">arXiv<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"With more than three billion people opening WhatsApp each day, the app feels like a safe place to&hellip;\n","protected":false},"author":2,"featured_media":333221,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[64,63,284,8886,112964,1333,337,128,105,2641],"class_list":{"0":"post-333220","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technology","8":"tag-au","9":"tag-australia","10":"tag-cybersecurity","11":"tag-hacking","12":"tag-innovation-news","13":"tag-meta","14":"tag-research","15":"tag-science","16":"tag-technology","17":"tag-whatsapp"},"_links":{"self":[{"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/posts\/333220","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/comments?post=333220"}],"version-history":[{"count":0,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/posts\/333220\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/media\/333221"}],"wp:attachment":[{"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/media?parent=333220"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/categories?post=333220"},{"taxonomy":"post_tag","embeddable":true,"href":"http
s:\/\/www.newsbeep.com\/au\/wp-json\/wp\/v2\/tags?post=333220"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}