Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy

Gabriel K. Gegenhuber

Network and Distributed System Security (NDSS) Symposium 2026 · Day 2 · Usable Security

Gabriel K. Gegenhuber presents a staggering empirical study: the researchers enumerated **3.5 billion active WhatsApp accounts** -- a substantial share of the world's population -- by querying 63 billion candidate phone numbers in less than one month. WhatsApp's internal APIs had essentially **no rate limiting**, allowing the researchers to crawl 500 million accounts from the 2021 Facebook data leak in just 5 hours and the entire US numbering plan (3 billion mobile numbers) in one day. Beyond presence information, they extracted **operating system data** (80% Android, 20% iOS globally), profile picture availability, profile picture timestamps, and encryption key material -- discovering approximately **3 million accounts** with non-unique public keys, indicative of scammer operations using faulty third-party clients. The study also validated that **58% of phone numbers** from the 2019 Facebook scraping incident remained active over 6 years later. WhatsApp took approximately one year to respond and ultimately deployed rate limiting and cardinality checks in October 2025.
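The fix the summary mentions, rate limiting plus cardinality checks on the contact-discovery path, is easy to state and worth seeing in working form. The following is an added illustration, not WhatsApp's code and not from the talk: a per-client sliding window that bounds both the number of lookups and the number of distinct phone numbers queried in the window, so a real user re-syncing the same address book stays under the limits while a crawler feeding fresh numbers trips the cardinality bound long before it exhausts the raw request budget. The class name, the limits, the client labels and the sample phone numbers are all constructed for the example.

```python
"""Sliding-window rate limit and cardinality check for a contact-discovery
endpoint (added example; assumed design, not WhatsApp's implementation)."""
from collections import defaultdict, deque


class ContactDiscoveryGuard:
    """Bound lookups per client in a sliding window on two axes:
    total requests and distinct phone numbers. Repeated syncs of the same
    address book cost nothing on the second axis; enumeration does."""

    def __init__(self, max_requests, max_distinct_numbers, window_seconds):
        self.max_requests = max_requests
        self.max_distinct = max_distinct_numbers
        self.window = window_seconds
        # client -> deque of (timestamp, number), oldest first
        self._events = defaultdict(deque)
        # client -> {number: how many times it appears in the window}
        self._seen = defaultdict(lambda: defaultdict(int))

    def _evict(self, client, now):
        """Drop events that have aged out of the window."""
        q, seen = self._events[client], self._seen[client]
        while q and now - q[0][0] >= self.window:
            _, number = q.popleft()
            seen[number] -= 1
            if seen[number] == 0:
                del seen[number]

    def check(self, client, numbers, now):
        """Return 'allow' (and record the lookups) or a denial reason."""
        self._evict(client, now)
        q, seen = self._events[client], self._seen[client]
        if len(q) + len(numbers) > self.max_requests:
            return "deny: request rate"
        # Only numbers not already queried in this window raise cardinality.
        new_distinct = {n for n in numbers if n not in seen}
        if len(seen) + len(new_distinct) > self.max_distinct:
            return "deny: cardinality"
        for n in numbers:
            q.append((now, n))
            seen[n] += 1
        return "allow"


def simulate():
    """Constructed scenario: one user re-syncing a 300-entry address book
    versus a crawler submitting 500 fresh numbers per batch.
    Returns (normal_decisions, crawler_decisions, crawler_after_window)."""
    guard = ContactDiscoveryGuard(max_requests=5000, max_distinct_numbers=2000,
                                  window_seconds=3600)
    address_book = [f"+1555{i:07d}" for i in range(300)]  # constructed
    # Six syncs in one hour: 1800 requests, but only 300 distinct numbers.
    normal = [guard.check("alice", address_book, now=t)
              for t in range(0, 3600, 600)]
    crawler = []
    for batch in range(5):
        fresh = [f"+1666{batch * 500 + i:07d}" for i in range(500)]
        crawler.append(guard.check("crawler", fresh, now=batch))
    # Once the window has rolled past the earlier batches, lookups resume.
    later = guard.check("crawler", [f"+1777{i:07d}" for i in range(500)],
                        now=3601)
    return normal, crawler, later


if __name__ == "__main__":
    normal, crawler, later = simulate()
    print("normal user:", normal)
    print("crawler    :", crawler)
    print("crawler after window:", later)
```

The two axes matter separately: a request-count limit alone can be satisfied by a crawler that simply paces itself, while the distinct-number bound caps how much of the numbering plan any one client can probe per window regardless of pacing, which is the property the summary's "cardinality checks" refers to.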

AI review

The researchers enumerated 3.5 billion WhatsApp accounts from a single university server in under a month without being detected. The sheer scale of the data extraction -- plus the OS fingerprinting via encryption key artifacts, key collision discovery revealing scammer networks, and 58% persistence of the 2019 Facebook leak -- makes this one of the most impactful empirical security studies of the year. The fact that WhatsApp's internal APIs had zero effective rate limiting on a 3-billion-user platform is damning.
