🇬🇧 WhatsApp changes skin, but privacy stays naked

When a messaging app has 3.5 billion active accounts (out of 8 billion “terrans” – too many), it’s no longer “just” an app: it’s planetary infrastructure. Today, WhatsApp carries a massive share of private and professional communication worldwide (and a lot of scams, but that’s for another piece).

In the last few months, two things collided:

  • a research paper from the University of Vienna showing how easy it was to enumerate basically all WhatsApp accounts starting from phone numbers (paper)
  • WhatsApp’s decision to push usernames instead of phone numbers in interactions, marketed partly as a response to scraping and data exposure (coverage)

Let’s put them together, numbers in hand, and see what really changes “before and after” usernames.


The “Hey there! You are using WhatsApp” study

The paper “Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy” is authored by a research team from the University of Vienna and SBA Research.

Brutal summary: by abusing the way WhatsApp does contact discovery (matching your address book against its global user database), the researchers:

  • generated 63 billion “plausible” phone numbers across 245 countries
  • queried WhatsApp’s infrastructure via XMPP, not the app UI
  • identified 3,546,479,731 distinct accounts (3.5+ billion) globally

And it wasn’t just “number exists / doesn’t exist”. For a huge share of those accounts, WhatsApp returned metadata:

  • >57% of users had a public profile picture
  • at least 29% exposed an “about” status
  • around 9% of accounts were marked as business

In that public “about” field they found, among other things:

  • political, religious and sexual identity statements
  • references to drug use or sales
  • links to other profiles (LinkedIn, Instagram, Tinder, OnlyFans, …)
  • email addresses, including those of government and military organizations

Net result: a potential dataset on a scale we’ve never seen before (let’s repeat that calmly: 3.5 billion numbers, profiles and cryptographic keys) which, in the wrong hands, would make almost any “classic data breach” look small.


This isn’t theory: sensitive countries and old leaks that never die

1. Countries where WhatsApp is (or was) banned

By the end of 2024 WhatsApp was officially banned in China, Iran, Myanmar and North Korea. Despite that, the researchers found:

  • around 2.3 million Chinese numbers
  • around 1.6 million accounts in Myanmar
  • around 59 million active accounts in Iran (almost two-thirds of its 90.1M population)
  • 5 numbers using North Korean numbering

In these contexts, the simple fact that a number is seen as a WhatsApp user can have political and personal safety implications.

2. Connection to the 2019/2021 Facebook leak (yes, that one)

The authors cross-referenced their dataset with the infamous Facebook leak (about 488 million scraped phone numbers):

  • 58% of those numbers were still active on WhatsApp at the time of analysis
  • in countries like Egypt, Italy, Saudi Arabia, around 40% of current WhatsApp numbers also appeared in the leak

Translated into OSINT terms: once a number is “out”, it stays useful for years for phishing, spam, targeted social engineering and political or commercial profiling.


The hardcore part: speed and depth of enumeration

One detail that makes security engineers twitch is the speed of the enumeration:

  • the researchers were able to query over 100 million numbers per hour without hitting effective rate limits
  • in their report to Meta they explicitly state a speed of 25 million numbers per hour per session

We’re not talking about a “slightly aggressive scan” here, but the ability, for an attacker with moderate resources, to:

  • run a worldwide census of WhatsApp users
  • enrich it with profile pictures, about texts, business flag, public keys and activity timestamps
  • use it as a “master index” to merge with other leaks (Facebook, marketing databases, data brokers, government datasets)

It’s the erotic dream of any OSINT analyst and of any threat actor (especially state-sponsored) with a taste for surveillance – and not just them.


WhatsApp’s answer: “this is not a security vulnerability”

After initially classifying the report as “not applicable”, from September 2025 onward WhatsApp cooperated with the researchers and rolled out countermeasures, confirmed as active in early October 2025.

Main measures:

  • Cardinality counters and advanced rate limiting
    WhatsApp added counters tracking how many distinct accounts a client queries, and feeds those into machine learning models to tell normal usage from systematic scraping, applying much stricter limits to the latter.
  • Restrictions on data visibility
    Even if set to “everyone”, the number of new profiles and about texts a single account can query is now limited, to make mass crawling impractical. Business profiles are partially exempt for commercial discoverability reasons.
  • Removal of profile-picture timestamps
    Previously, each profile picture was served with a timestamp, allowing an attacker to estimate how long an account had been active or unchanged. That information is now gone.
  • Fixes for cryptographic key reuse
    Some Android-side bugs caused X25519 key reuse between accounts or after number changes – fixed in WhatsApp 2.25.26.11 and later.
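To make the first countermeasure concrete, here is an added example (not the paper’s code and not WhatsApp’s own implementation) of a per-client cardinality counter: it tracks how many distinct numbers each client has looked up inside a sliding window, which separates a legitimate app re-syncing the same address book (many requests, few distinct targets) from a crawler walking through fresh numbers (fewer requests, many distinct targets). The log format, thresholds and phone numbers are all constructed for the demo.

```python
from collections import defaultdict, deque

# Sliding-window cardinality counter: per client, how many *distinct* numbers were
# looked up in the last WINDOW seconds. Thresholds are constructed for this demo,
# not WhatsApp's real values.
WINDOW = 3600
DISTINCT_LIMIT = 200


class CardinalityMonitor:
    def __init__(self, window=WINDOW, limit=DISTINCT_LIMIT):
        self.window, self.limit = window, limit
        self.events = defaultdict(deque)  # client -> (ts, number), arrival order
        self.counts = defaultdict(dict)   # client -> {number: hits inside window}

    def _expire(self, client, now):
        q, c = self.events[client], self.counts[client]
        while q and now - q[0][0] > self.window:
            _, num = q.popleft()
            c[num] -= 1
            if c[num] == 0:
                del c[num]

    def observe(self, client, number, ts):
        """Record one lookup; True once the client's distinct-target count exceeds the limit."""
        self._expire(client, ts)
        self.events[client].append((ts, number))
        self.counts[client][number] = self.counts[client].get(number, 0) + 1
        return len(self.counts[client]) > self.limit

    def distinct(self, client):
        return len(self.counts[client])


def flag_scrapers(log_lines, limit=DISTINCT_LIMIT):
    """Replay constructed 'ts client number' lines; return (flagged clients, monitor)."""
    mon = CardinalityMonitor(limit=limit)
    flagged = set()
    for line in sorted(log_lines, key=lambda l: int(l.split()[0])):
        ts, client, number = line.split()
        if mon.observe(client, number, int(ts)):
            flagged.add(client)
    return flagged, mon


# Constructed traffic. 'sync' re-checks the same 50 contacts every 5 minutes (600 requests,
# low cardinality); 'crawl' walks 300 sequential numbers once (300 requests, high cardinality).
SAMPLE_LOG = [f"{t} sync +000555{i:06d}" for t in range(0, 3600, 300) for i in range(50)]
SAMPLE_LOG += [f"{t} crawl +000555{100000 + t:06d}" for t in range(300)]
```

A plain request-rate limiter would rank `sync` (600 requests) as the heavier client; the cardinality view flags only `crawl`.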

In the updated paper, WhatsApp:

  • thanks the bug bounty community
  • insists this does not demonstrate a “security vulnerability” in the strict sense
  • states they have no evidence of abusive mass scraping using this technique

Let’s be cold about it:

  • can we really say this isn’t a vulnerability?
    From a protocol design standpoint, a system based on phone numbers + contact discovery is inherently exposed to enumeration. It’s not a buffer overflow; it’s a structural risk, a property of the design.
  • “no evidence of mass scraping” ≠ “no abuse”
    It only means they haven’t (yet) found clear patterns in the logs. By definition, a serious attacker exploiting a weakness for years tries very hard to not look like a serious attacker.


Enter the new model: from SIMs to usernames

In parallel, WhatsApp is rolling out a paradigm shift: the ability to use usernames (with options like “Username”, “Phone number”, “Username with PIN”) to be reached and chat while hiding your phone number (coverage).

The idea is that this should:

  • reduce phone number exposure (true)
  • make it harder to link a WhatsApp account to a real person by brute-forcing numbers and scraping (also true)

…but how much does it really change risk?


Before and after: phone-number-only vs username model

Before (phone only) vs after (usernames optional)

Primary identifier
  • Before: phone number required for any contact
  • After: phone for registration; username for discovery and interactions
Contact discovery
  • Before: address book ↔ WhatsApp DB, entirely number-based
  • After: backend still runs on numbers; the user can expose only a username in new interactions
Global-scale enumeration
  • Before: technically feasible via the API, as shown by the study; now mitigated by rate limits and cardinality counters
  • After: the structural risk on the server side remains, but reproducing the original attack is harder
Number exposure to new contacts
  • Before: every new chat reveals the number
  • After: you can keep the number private, using username + PIN for strangers
OSINT & data fusion
  • Before: phone number = extremely strong pivot across leaks, brokers, public records
  • After: username reduces number spread but becomes a new cross-platform pivot (Telegram, Instagram, GitHub, etc.)

In plain language: usernames don’t fix the structural problem of a WhatsApp architecture built around phone numbers, but they:

  • reduce additional exposure of numbers in future interactions
  • move part of the game from “phone network identity” to “online identity” (handles, nicknames)


What this means for OSINT – and for people who don’t want to be profiled

1. The phone number is still the golden key

If an attacker already has your number (because you shared it, it’s in an old leak, it’s on your website, or you kindly filmed it on your boarding pass on TikTok), they can still:

  • check if it’s on WhatsApp
  • extract whatever residual metadata is available within the new limits
  • cross-reference it with older leaks (like the Facebook one, with its 58% still active)

2. The username becomes a new correlation hook

Users and companies love reusing the same handle across platforms. A visible WhatsApp username can often be:

  • linked to accounts on Telegram, X, Instagram, GitHub, TikTok, …
  • correlated with domains, emails, code repos, CVs and more

For an OSINT analyst this is pure gold. For a careless user, it’s yet another horizontal tracking path.

3. Reduced friction for “sensitive” use cases

On the positive side, being able to chat using a handle instead of your phone number is a real advantage for activists, journalists and high-risk professionals who today rely on burner SIMs and secondary numbers.

But that advantage is real only if:

  • the number hasn’t already spread everywhere
  • internal privacy settings (photo, about, last seen, etc.) are locked down or disabled


WhatsApp is not “broken” – but the model is fragile

Purely technically, WhatsApp is right on one point: messages remain end-to-end encrypted; nobody has shown practical decryption via server-side key theft.

The problem isn’t the cipher; it’s everything around it:

  • global enumeration of accounts tied to phone numbers
  • rich metadata (photo, about, timestamps, business, public keys) linked to those accounts
  • persistence: more than half the numbers in an old scraping campaign are still valid years later

The push toward usernames is an attempt to:

  • contain future exposure of phone numbers
  • make global-scale enumeration attacks more expensive and noisy
  • show regulators and media that “something is being done” about scraping

It’s not a magic wand. It’s a bandage on an infrastructure born in an era when using phone numbers as digital identity seemed like a good idea.


What a user can realistically do

Right now, the most effective actions don’t involve the new username feature, but boring basics:

  • set profile photo and about to “Contacts only” or “Nobody”
  • don’t put in the about:
    • political, religious, health, sexual information
    • direct links to other social accounts or OnlyFans, etc.
    • work email, especially if governmental / military
  • for companies: treat Business accounts as deliberately visible assets and assume they will be profiled
  • for high-risk roles (politics, defense, activism, etc.):
    • use dedicated numbers
    • combine usernames with maximum privacy settings
    • consider tools where the phone number is not the primary identifier and the profile itself is encrypted (e.g. Signal profile key)


From “phone number = identity” to a (maybe) more mature model

The Vienna research reminds us of a simple thing: if you use a phone number as the primary key for 3.5 billion people, enumeration is not a bug, it’s a property of the system.

WhatsApp’s introduction of usernames is a step in the right direction to reduce the marginal exposure of numbers and make mass scraping harder, but it:

  • doesn’t erase the history of already exposed numbers
  • doesn’t remove the phone number from the backbone of the system
  • creates a new correlation surface through reused handles

Anyone working in security, privacy, OSINT or marketing should read these studies not as “tech drama” but as x-rays of the platforms we’re sitting on. The move from numbers to usernames is an evolution, not redemption: the game shifts level, it doesn’t disappear.

* never upload your contacts: WhatsApp, Telegram, TikTok and any other app that asks for it.


🇮🇹 WhatsApp changes skin, but privacy stays naked

When a messaging app has 3.5 billion active accounts (out of a total of 8 billion “terrans” – too many), it is no longer “just” an app: it is planetary infrastructure. Today WhatsApp carries a huge slice of private and professional communication worldwide (scams too, but we leave that for another piece).

In the last few months two things have crossed paths:

  • research from the University of Vienna showing how easy it was to enumerate practically all WhatsApp accounts starting from phone numbers (paper)
  • WhatsApp’s decision to push toward usernames instead of the phone number in interactions (source)

Let’s put them together, numbers in hand, and see what really happens “before and after” usernames.

The “Hey there! You are using WhatsApp” study

The paper “Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy” is authored by a group from the University of Vienna and SBA Research.

Blunt summary: exploiting the contact discovery mechanism, the researchers:

  • generated 63 billion plausible phone numbers
  • queried WhatsApp via XMPP
  • discovered 3,546,479,731 real accounts

For a huge share of accounts, WhatsApp also returned public metadata:

  • >57% of users had a public profile picture
  • 29% exposed an “about”
  • 9% showed a “business” flag

And in the public “about” fields there were:

  • political, religious and sexual orientation
  • references to drugs
  • links to external profiles
  • government or military email addresses

The result: a huge dataset which, in the wrong hands, would be a leak never seen before.


Numbers from sensitive countries and old leaks that never die

1. Countries where WhatsApp is (or was) banned

At the end of 2024 WhatsApp was banned in China, Iran, Myanmar and North Korea. And yet:

  • 2.3M Chinese numbers
  • 1.6M accounts in Myanmar
  • 59M accounts in Iran
  • 5 North Korean numbers

In those contexts, the mere fact of having WhatsApp active has political and safety consequences.

2. Connection to the 2019/2021 Facebook leak

Cross-referencing the data with the FB leak (488M numbers):

  • 58% of those numbers are still active on WhatsApp
  • in Italy, Egypt and Saudi Arabia ≈ 40% of the current WhatsApp user base is also in the leak

In OSINT terms: a public number stays useful for years.


The “hardcore” part: ultra-fast enumeration

The researchers reached absurd speeds:

  • 100M numbers/hour without serious rate limits
  • 25M numbers/hour/session reported directly to Meta

This enables:

  • a planetary census of the user base
  • metadata collection (photo/about/business/key)
  • fusion with old leaks


WhatsApp’s answer

WhatsApp denied that this is a “flaw”, but introduced countermeasures:

  • cardinality counters + ML-based rate limiting
  • restrictions on photo/about visibility
  • removal of timestamps from profile pictures
  • fix for X25519 key reuse

“No evidence of abusive scraping” only means “we haven’t seen it in the logs”.


Enter the usernames

WhatsApp introduces usernames as an alternative to the number (source):

  • less exposure of the number
  • more private interactions

But how much does it really change?


Before vs after: comparison

Identifier
  • Before: phone number
  • After: number for registration, username for interaction
Enumeration
  • Before: possible at global scale
  • After: mitigated, but the structural risk remains
Number exposure
  • Before: always shown
  • After: optional
OSINT
  • Before: number = extremely strong pivot
  • After: username = new cross-platform pivot


What changes for OSINT

1. The number remains the golden key

If it is already known, it keeps working for:

  • account verification
  • profiling
  • cross-referencing with past leaks

2. The username opens new links

Users often reuse the same handle across platforms: great for investigators, terrible for the careless.

3. “Operational” privacy improves

For activists, journalists and whistleblowers the username is a huge step forward.


WhatsApp isn’t “cracked”, but the model is fragile

The encryption is fine; the problem is everything around it:

  • number = identity
  • public metadata
  • persistence of exposed data


What a user can do

  • limit profile picture and about to “contacts”
  • avoid sensitive info in the about
  • use dedicated numbers for critical roles
  • consider alternatives like Signal for high-risk profiles


The Vienna study shows a simple thing: if you use the number as identity for 3.5 billion people, enumeration is not a bug, it is a property of the system.

Usernames are an improvement, but:

  • they don’t erase what has already been exposed
  • they don’t remove the number from the backend
  • they introduce a new correlation axis

The game changes level; it doesn’t disappear.

* never upload your contacts: WhatsApp, Telegram, TikTok and any other app that asks for it.