Billions of WhatsApp accounts worldwide can be identified, mapped and analyzed through large-scale enumeration attacks that exploit weaknesses in the platform’s contact discovery mechanism, according to a new study that raises urgent concerns over user privacy, digital profiling, and surveillance risks affecting populations in every region. The research demonstrates that attackers with moderate resources could replicate the technique, enabling them to harvest sensitive metadata from more than three billion users without needing direct access or consent.

The study, titled "Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy" and published on arXiv, reveals weaknesses in the platform that allowed the collection of highly sensitive account attributes at unprecedented scale.

Billions of active WhatsApp accounts identified in global-scale enumeration attack

The research team found that WhatsApp’s contact discovery service, designed to help users find contacts already on the platform, could be abused to check whether any phone number in the world is associated with an active account. By reverse-engineering WhatsApp’s underlying XMPP protocol, the researchers built a system to send massive volumes of lookup queries at high speed.

Their approach started by generating a global universe of possible mobile numbers. Using a custom tool that expands international numbering plans for 245 countries, they produced a set of roughly 63 billion candidate numbers. Each candidate number was automatically queried through the WhatsApp service, allowing the system to determine whether it corresponds to a registered account.

The enumeration rate averaged around seven thousand checked numbers per second per session. Through parallelization, the researchers confirmed approximately 3.5 billion active WhatsApp accounts, a figure that aligns with WhatsApp’s scale and demonstrates how easily attackers could replicate the census.

The dataset obtained through enumeration includes far more than account existence. The researchers gathered profile photos, status texts, business account flags, timestamps, device indicators and public encryption keys for millions of users. This metadata, available without authentication or user interaction, exposes individuals to large-scale profiling, targeted phishing, doxxing, stalking and cross-platform deanonymization.

The global map that emerges from the study shows that WhatsApp penetration is extremely high in Latin America, Europe, Africa and South Asia, while significantly lower in markets dominated by domestic messaging apps such as Japan or South Korea. Even in regions where WhatsApp faced bans or restrictions during the study period (China, Iran, Myanmar and North Korea), the system detected millions of active accounts, with serious implications for user safety under restrictive regimes.

Massive cryptographic key reuse and risky metadata leaks

The paper uncovers troubling weaknesses in WhatsApp’s cryptographic ecosystem. WhatsApp relies on the Signal protocol for end-to-end encryption, meaning each account publishes several public keys as part of its prekey bundle. The researchers collected billions of these publicly exposed keys during enumeration and analyzed them for anomalies.

Their analysis revealed widespread and unexpected key reuse across devices. More than two million distinct public keys were found to appear repeatedly, sometimes associated with entirely different phone numbers or devices. Thousands of single-use prekeys, meant to be consumed once and replaced, were also found reused across multiple accounts. This behavior contradicts the assumptions of the Signal protocol and may indicate flawed random number generation or defective third-party implementations.

In one instance, the researchers extracted an all-zero private key corresponding to a public key seen across thousands of devices. An all-zero private key cannot be securely generated by a standards-compliant cryptographic library, suggesting a severe defect in software used by certain devices or app variants. The authors warn that such issues undermine the integrity of end-to-end encryption and could expose users to interception risks.

The cryptographic dataset also provided insight into global device distributions. By analyzing prekey identifiers, the team inferred that approximately 81 percent of WhatsApp devices use Android and roughly 19 percent use iOS. The age and rotation patterns of keys further reveal device longevity, activity cycles and geographic usage patterns.

The metadata collected from WhatsApp user profiles also raises safety concerns. Many users publish photos that expose their faces, workplaces, or family members. Status messages often include political, religious, or personal information that can be exploited for social engineering. In some regions, the researchers found clusters of accounts with behavior consistent with organized scam operations, identifiable through repeated reuse of unique key materials.

The team also cross-referenced its dataset with the 2021 Facebook phone-number leak and discovered that more than half of those leaked numbers remain active on WhatsApp. This finding shows that once exposed, phone numbers remain valuable to attackers for years and can be exploited for targeted scams and identity attacks.

Study pressures WhatsApp toward security improvements, but risks remain widespread

The authors detail a lengthy disclosure process in which they privately reported their findings to WhatsApp and Meta. After months of communication, WhatsApp deployed several protective measures in late 2025. These included tightening profile data access, removing unnecessary timestamps, hardening client-side key refresh logic, and deploying cardinality-based anti-scraping techniques.

Despite these changes, the findings highlight a fundamental vulnerability: phone-number–based messaging platforms make enumeration trivial unless they adopt privacy-preserving contact discovery mechanisms such as Private Set Intersection (PSI). Without cryptographic protections, malicious actors can replicate this study’s enumeration with only modest resources.
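Two of the checks discussed above, as an added example that is not code from the paper or from WhatsApp: audit_bundles() applies the key-reuse and all-zero-private-key analysis of the previous section to a set of collected prekey bundles, and psi_contacts() shows the Diffie-Hellman form of Private Set Intersection, in which the server never learns a client's raw phone numbers. The x25519 ladder is a straight RFC 7748 implementation; h2c is a simplified hash-to-curve (the hash is used directly as a u-coordinate, which may land on the twist, where the ladder is still a group operation, so blinding commutes), and the phone numbers and scalars in the test are constructed.

```python
"""Added example (not the paper's or WhatsApp's code). audit_bundles() flags
prekey-bundle keys shared across accounts and the key an all-zero private key
yields; psi_contacts() is a toy Diffie-Hellman PSI for contact discovery."""
import hashlib
from collections import defaultdict

P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")

def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: u-coordinate of [scalar]*(point with u)."""
    k = int.from_bytes(scalar, "little")
    k = (k & ~7 & ~(1 << 255)) | (1 << 254)              # clamp as in RFC 7748
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)  # ignore the top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:                                    # conditional swap
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

ZERO_KEY_PUB = x25519(bytes(32), BASEPOINT)  # public key of a broken all-zero RNG

def audit_bundles(bundles):
    """bundles: (phone, identity_pub, [one_time_prekeys]) with raw 32-byte keys.
    Returns {key_hex: phones} for keys seen on >1 phone, and phones on ZERO_KEY_PUB."""
    owners = defaultdict(set)
    for phone, identity_pub, prekeys in bundles:
        for key in (identity_pub, *prekeys):
            owners[key].add(phone)
    reused = {k.hex(): sorted(v) for k, v in owners.items() if len(v) > 1}
    return reused, sorted(owners.get(ZERO_KEY_PUB, ()))

h2c = lambda n: hashlib.sha256(n.encode()).digest()  # toy hash-to-curve (assumption)

def psi_contacts(client_numbers, server_numbers, a: bytes, b: bytes):
    """DH-PSI: client sends H(x)^a; server returns (H(x)^a)^b plus its own H(y)^b
    set; client raises those to a and matches. The server never sees raw numbers."""
    to_server = [x25519(a, h2c(n)) for n in client_numbers]
    from_server = [x25519(b, blinded) for blinded in to_server]
    server_set = {x25519(a, x25519(b, h2c(n))) for n in server_numbers}
    return [n for n, d in zip(client_numbers, from_server) if d in server_set]
```

A DH-PSI of this shape cannot ship a 3.5-billion-entry blinded set per query, so a deployment would still pair it with the rate limiting the authors call for; the point shown here is only that the server sees blinded values rather than numbers.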

The paper’s authors highlight additional systemic risks. Once enumeration is possible, entire populations can be mapped, including dissidents, journalists, minority groups, or individuals in conflict zones. In countries where WhatsApp is restricted, enumeration could reveal which users continue to rely on banned communication tools, potentially exposing them to state surveillance.

The research also identifies inconsistencies between WhatsApp clients across platforms. Android and iOS variants handle key generation and refresh differently, creating detectable patterns that can be exploited for device fingerprinting. Such discrepancies also open subtle channels for attackers to infer user characteristics or target platform-specific weaknesses.

The authors call for thorough standardization of client implementations, encrypted profile metadata, and strict enforcement of rate limiting. They argue that platforms of WhatsApp’s scale carry an obligation to deploy cryptographically secure approaches to discovery, identity protection, and metadata minimization.

While WhatsApp’s recent patches address specific weaknesses, the study concludes that deeper architectural changes are necessary to protect billions of users. The authors warn that as long as contact discovery relies on unprotected phone-number matching, large-scale enumeration attacks will remain feasible.