WhatsApp Enumeration Flaw Exposes Billions of User Phone Numbers
Researchers have discovered that WhatsApp's phone number discovery feature allows for mass enumeration of user phone numbers, exposing the personal information of up to 3.5 billion users. By automating the process of checking which numbers are registered on WhatsApp, attackers can compile extensive lists of active users, potentially leading to privacy violations, targeted phishing, and other malicious activities. This vulnerability, which was first warned about eight years ago, remains unmitigated, raising significant concerns about the platform's approach to user data protection.
The issue has gained renewed attention after a team from the University of Vienna demonstrated the scale of the exposure, calling it "the most extensive exposure of phone numbers" ever seen. Security experts warn that the lack of effective rate limiting or other technical safeguards enables this enumeration attack, and the incident has been widely reported in security news outlets and discussed in industry podcasts. The exposure underscores the ongoing risks associated with user enumeration flaws in major messaging platforms and the need for stronger privacy controls.
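The missing safeguard named above, shown from the defender's side as an added example (not code from WhatsApp or the University of Vienna team): a per-account budget on distinct phone numbers looked up per time window, so that address-book re-syncs pass while a sweep over a number range is cut off. The class and function names, the limits, and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict

class DiscoveryLimiter:
    """Budget on DISTINCT numbers one account may look up per window.

    Counting distinct numbers rather than requests keeps address-book
    re-syncs free while a sweep over a number range exhausts the budget.
    """
    def __init__(self, max_distinct=200, window_s=24 * 3600):  # assumed limits
        self.max_distinct = max_distinct
        self.window_s = window_s
        self._seen = defaultdict(dict)  # account -> {number: first lookup time}

    def allow(self, account, number, now):
        seen = self._seen[account]
        # Forget numbers whose first lookup has aged out of the window.
        for old in [n for n, ts in seen.items() if now - ts >= self.window_s]:
            del seen[old]
        if number in seen:
            return True          # already-known contact: no new information
        if len(seen) >= self.max_distinct:
            return False         # budget spent: refuse and alert upstream
        seen[number] = now
        return True

def replay(limiter, events):
    """events: (timestamp, account, number) -> {account: (allowed, denied)}."""
    stats = defaultdict(lambda: [0, 0])
    for now, account, number in sorted(events):
        stats[account][0 if limiter.allow(account, number, now) else 1] += 1
    return {acct: tuple(counts) for acct, counts in stats.items()}

def constructed_events():
    """Constructed sample traffic under an unassigned +999 prefix."""
    contacts = [f"+999100{i:04d}" for i in range(150)]
    events = [(sync * 3600, "user-a", n) for sync in range(3) for n in contacts]
    # One account sweeping 10,000 consecutive numbers, one lookup per second.
    events += [(i, "sweeper", f"+999200{i:04d}") for i in range(10_000)]
    return events

if __name__ == "__main__":
    print(replay(DiscoveryLimiter(), constructed_events()))
```

A per-account budget only slows a single client; a production control would also need limits keyed on device, IP range and account age, since a sweep can be spread across many accounts.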



