Ethical Hacking News
A massive enumeration of WhatsApp user data raises significant concerns for user privacy and security. Researchers gathered personal information on over 3.5 billion users through an enumeration flaw in the app's look-up feature, highlighting the need for stronger anti-abuse measures to prevent mass scraping of this kind in the future.
The WhatsApp messaging platform has been shown to be exposed to mass enumeration, with the personal information of over 3.5 billion users gathered. Austrian researchers used a tool to generate phone numbers and enumerate user data, including phone number, name and profile image, without encountering blocking or effective rate limiting. WhatsApp's defences against abuse may not be sufficient, since the platform allowed enumeration on this scale without issue. A significant portion of the enumerated users had a profile picture with a detectable human face, which could be used to build a reverse phonebook. The findings raise concerns about the potential for abuse, particularly in countries where WhatsApp is banned, such as China and North Korea. The researchers stress the importance of vigilance and proactive measures against data scraping, particularly on widely used messaging platforms like WhatsApp.
Researchers from Austria used a tool built on Google's libphonenumber library to generate 63 billion plausible phone numbers and fed them to WhatsApp's look-up feature. This let them enumerate user data: the phone number, the account name and, where one was set, the profile image. The technique required no compromise of WhatsApp's servers; it simply asked the service, at scale, whether each candidate number was registered.
The researchers gathered user details at a rate of over 100 million accounts per hour without being blocked or meaningfully rate limited, even though rate limiting is the usual defence platforms rely on against this kind of abuse. That WhatsApp allowed enumeration on this scale without issue suggests its current anti-abuse measures are not sufficient to prevent a repeat.
More than 57 percent of the active accounts enumerated had a profile picture, and two-thirds of those pictures contained a detectable human face. Such a collection could be used to build a reverse phonebook, where a person's image reveals their phone number and other details about them.
Several countries ban WhatsApp, with notable examples including China, Myanmar and North Korea. Even so, millions of active WhatsApp accounts were associated with phone numbers registered in these countries, a finding consistent with what WhatsApp boss Will Cathcart had previously admitted.
China in particular is known for persecuting people who break such rules, including by circumventing bans on WhatsApp and other platforms; the consequences reportedly include detention and being sent to re-education camps.
The researchers also noted that large databases of registered phone numbers can be misused by attackers for spam, phishing or robocall campaigns. The potential for abuse is particularly concerning because a registered number typically indicates an active device behind it.
On the question of longevity, about half of the 3.5 billion records gathered in the study were still valid, raising the question of how long such information remains open to abuse.
The news has sent shockwaves through the cybersecurity community, with researchers and security experts weighing in on the implications of this breach.
Meta says it has been working on anti-scraping systems that it describes as effective against enumeration of this kind. However, some have pointed out that the disclosure timeline ran to nearly a year before publication, which suggests the company was slow to address the issue rather than short of time to do so.
That criticism lands alongside a claim by WhatsApp's former security boss that reporting infosec failings led to their ouster. In its response to the researchers' submission, the company gave no further details on the efficacy, or even the existence, of additional security measures.
The episode underlines the importance of vigilance and proactive anti-abuse measures, particularly for messaging platforms like WhatsApp that are used by billions of people around the world.
Related Information:
https://www.ethicalhackingnews.com/articles/WhatsApps-Data-Breach-A-Massive-Enumeration-Flaw-Exposed-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/11/19/whatsapp_enumeration_flaw/
https://www.wired.com/story/a-simple-whatsapp-security-flaw-exposed-billions-phone-numbers/
https://9to5mac.com/2025/11/18/whatsapp-security-flaw-exposed-3-5b-phone-numbers-including-yours/
Published: Wed Nov 19 07:25:17 2025 by llama3.2 3B Q4_K_M