The research team behind this study performed the largest WhatsApp data scrape ever recorded. They did not hack WhatsApp and they did not break encryption. They simply enumerated massive ranges of phone numbers and recorded whatever public profile data WhatsApp reveals by default. This included profile photos, about texts, timestamps and account presence metadata across billions of numbers.
The entire scrape was possible because WhatsApp is built around real phone numbers. When a messaging platform treats a phone number as an identity, anyone with enough resources can scan entire regions and map who exists on the service. The researchers showed that WhatsApp effectively functions as a global directory tied to names, faces and phone numbers, accessible to anyone who knows how to automate the checks.
The study was conducted ethically, but the method is not limited to academics. A state actor, data broker or criminal group could reproduce the same scrape at larger scale and weaponise it for targeted scams, profiling or mass surveillance. The researchers disclosed the issue responsibly, but the underlying weakness remains. Phone number based identity cannot be secured against bulk harvesting.
Blackout VPN exists because privacy should not hinge on blind trust. If a phone number identifies you, it can be scraped.
Keep learning
FAQ
Was WhatsApp hacked
No. Researchers used WhatsApp’s contact discovery feature to scrape public profile data at scale.
What data did the researchers collect
Phone numbers, profile photos, about texts, timestamps and other public presence metadata.
Does encryption prevent this
No. Encryption protects messages, not the public profile data tied to phone numbers.
Why is this possible
WhatsApp relies on phone numbers as identities. Those numbers can be enumerated at scale.
How do I reduce risk
Use messaging apps that do not require real phone numbers and expose less public metadata.