Austrian researchers allege that a vulnerability in WhatsApp enabled them to gather data from over 3.5 billion accounts, which they characterise as the most significant data breach in history, according to Wire.
The problem stems from a long-standing contact-discovery feature that allows users to locate other individuals on WhatsApp by entering their phone numbers. The researchers generated 63 billion candidate numbers using a technique derived from Google’s libphonenumber library, then checked each one against the service to determine whether it was registered and to retrieve the associated information.
Their analysis indicates that they queried WhatsApp at around 7,000 numbers per second per session, verifying around 3.5 billion active accounts. They reported experiencing no significant blocking or rate limiting, and confirmed that their IP address and accounts remained unrestricted throughout the procedure.
WhatsApp provided fundamental profile information for each verified number. Over 57% of active accounts in the sample featured a profile image, two-thirds of which included a human face. The researchers caution that this could facilitate the creation of a reverse phonebook, linking an individual’s appearance to their phone number and identity.
Approximately 29% of accounts contained profile content. The study indicates that this content, frequently regarded as inconsequential, can reveal sensitive information, such as sexual orientation, political beliefs, substance use, connections to other platforms like LinkedIn or Tinder, and professional email addresses. In certain instances, the team reported the ability to associate numbers with government and military figures.
The dataset included millions of active WhatsApp accounts linked to numbers from nations where the service is prohibited, such as China, Myanmar, and North Korea. Other countries, including Iran and Senegal, have previously enacted temporary prohibitions. In locations where users may be penalised for evading such limitations, the presence of these accounts could entail heightened risk.
The researchers also investigated how long leaked data retains its utility. Comparing their results with the 2021 Facebook scraping incident, which exposed information from 533 million profiles, they found that almost 50% of those phone numbers were still active on WhatsApp.
They caution that extensive, verified compilations of active numbers are advantageous to hackers, serving as a dependable foundation for spam, phishing, and robocall operations. They contend that the simplicity and scale of the enumeration in this instance underscore the need for enhanced rate limits and privacy safeguards for messaging services.
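As an added example illustrating the kind of safeguard the researchers call for (not code from the study or from WhatsApp), the following simulates a contact-discovery endpoint that combines a per-client lookup quota with a hit-rate check: a genuine address-book sync asks mostly about registered numbers, whereas bulk enumeration of generated candidates mostly hits unregistered ones (about 3.5 billion hits from 63 billion candidates in the study). All thresholds, client names and the registered-number population are assumed values.

```python
from collections import deque
from dataclasses import dataclass, field

# Assumed tunables for a contact-discovery endpoint (not WhatsApp's real limits).
WINDOW_SECONDS = 60.0
MAX_LOOKUPS_PER_WINDOW = 5000      # a normal address-book sync rarely exceeds this
MIN_SAMPLE_FOR_HIT_RATE = 500      # do not judge hit rate on tiny samples
MIN_HIT_RATE = 0.5                 # real contact lists are mostly registered numbers

@dataclass
class ClientState:
    events: deque = field(default_factory=deque)   # (timestamp, registered?) pairs
    hits: int = 0

class DiscoveryGuard:
    """Per-client decision: allow a lookup, rate-limit it, or flag enumeration."""
    def __init__(self, registered):
        self.registered = registered
        self.clients = {}

    def _trim(self, st, now):
        # Drop events that fell out of the sliding window.
        while st.events and now - st.events[0][0] > WINDOW_SECONDS:
            _, hit = st.events.popleft()
            st.hits -= hit

    def lookup(self, client_id, number, now):
        st = self.clients.setdefault(client_id, ClientState())
        self._trim(st, now)
        if len(st.events) >= MAX_LOOKUPS_PER_WINDOW:
            return "rate_limited"
        n = len(st.events)
        if n >= MIN_SAMPLE_FOR_HIT_RATE and st.hits / n < MIN_HIT_RATE:
            return "suspected_enumeration"   # mostly misses: looks like guessing
        hit = int(number in self.registered)
        st.events.append((now, hit))
        st.hits += hit
        return "found" if hit else "not_found"

def simulate(guard, client_id, numbers, rate_per_second):
    """Replay lookups at a fixed rate and tally the guard's verdicts."""
    verdicts = {}
    for i, num in enumerate(numbers):
        v = guard.lookup(client_id, num, now=i / rate_per_second)
        verdicts[v] = verdicts.get(v, 0) + 1
    return verdicts

# Constructed population: 1 in 18 candidate numbers is registered (~5.6%).
REGISTERED = {n for n in range(0, 200_000, 18)}

def enumeration_run():          # sequential candidates at 7,000 lookups/s
    return simulate(DiscoveryGuard(REGISTERED), "bulk-client", range(20_000), 7000)

def address_book_sync():        # 900 real contacts plus 99 unregistered numbers
    contacts = list(range(0, 18 * 900, 18)) + list(range(200_001, 200_100))
    return simulate(DiscoveryGuard(REGISTERED), "phone-app", contacts, 50)

def burst_of_known_numbers():   # plausible numbers, but far too fast
    return simulate(DiscoveryGuard(REGISTERED), "burst-client", range(0, 18 * 6000, 18), 7000)
```

The enumeration client is cut off after the first 500 lookups once its hit rate (28 of 500) falls well below the threshold, while the address-book sync completes untouched and the high-speed burst is stopped by the quota alone.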