IT-Security Researchers from the University of Vienna and SBA Research identified and responsibly disclosed a large-scale privacy weakness in WhatsApp’s contact discovery mechanism that allowed the enumeration of 3.5 billion accounts. In collaboration with the researchers, Meta has since addressed and mitigated the issue. The study underscores the importance of continuous, independent security research on widely used communication platforms and highlights the risks associated with the centralization of instant messaging services. The preprint of the study has now been published, and the results will be presented in 2026 at the Network and Distributed System Security (NDSS) Symposium.

  • Em Adespoton@lemmy.ca
    2 days ago

    What I find odd here is that I predicted exactly this problem back when WhatsApp first started using the protocol. I encouraged people to use Signal instead of WhatsApp because WhatsApp moved discovery outside the security model, where it would just require one “mistake” and all that data could be harvested. Plus, of course, once Meta bought them, they had unfettered access to this data.