WhatsApp Users at Risk: Study Shows How Public Data and Profile Images Were Scraped at Large Scale in India

Newspoint
Security researchers have raised serious concerns after discovering that over 3.5 billion active WhatsApp accounts could be linked to scraped phone numbers, a massive dataset that includes nearly 750 million users in India alone. This alarming revelation highlights the growing WhatsApp data scraping issue, especially in a country where WhatsApp dominates digital communication.


Along with the phone numbers, researchers say they could also extract publicly visible WhatsApp profile photos of 62 per cent (46.5 crore) Indian users, plus information like the ‘About’ text, business account details, and companion-device usage. These details deepen the scale of the WhatsApp profile photo leak, showing how exposed user metadata becomes when privacy settings aren’t restrictive.

The findings are from a fresh research paper by computer scientists at the University of Vienna, who explained how they compiled this massive dataset by exploiting the platform’s contact-discovery feature. Their study sheds light on a critical WhatsApp contact discovery vulnerability, which allowed automated systems to verify numbers and extract public data at unprecedented scale.


For most users, simply saving a mobile number is enough to know whether someone is on WhatsApp. If privacy settings are open, profile photos and names also appear. While the feature feels convenient, researchers warn that this simplicity fuels significant WhatsApp privacy risks, especially when paired with automated tools.

The study shows how the contact-discovery feature can be misused through advanced methods leveraging WhatsApp’s XMPP endpoints, enabling mass-scale harvesting of user information. This is where the WhatsApp security research findings become especially troubling: of the 3.5 billion active accounts identified, 57 per cent had publicly visible profile photos, and in Brazil, 61 per cent of 206 million numbers revealed images.


Rate-limiting is typically used to prevent such abuse, but researchers claim WhatsApp did not restrict the speed of contact-discovery queries—particularly through the browser-based app. “In our study, we were able to probe over a hundred million phone numbers per hour without encountering blocking or effective rate limiting,” the paper states. This adds another layer to the WhatsApp contact discovery vulnerability, showing how easily automation can bypass safeguards.
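As an added illustration (not taken from the paper, the article or WhatsApp's code), the kind of per-client limit the researchers say was missing can be written as a token bucket that charges only for phone numbers a client has not looked up before, so re-syncing an address book is free while enumeration runs out of budget. The class name, the burst and refill values and the "+000" sample numbers are assumptions made for this example; the 100 million per hour rate is the figure quoted above.

```python
SCRAPE_RATE_PER_HOUR = 100_000_000  # rate quoted from the paper in the article


class ContactDiscoveryLimiter:
    """Token bucket per client, charged only for numbers not looked up before."""

    def __init__(self, burst=2000, refill_per_hour=200):  # assumed policy values
        self.burst = burst
        self.rate = refill_per_hour / 3600.0  # tokens regained per second
        self._state = {}  # client_id -> (tokens, last_ts, seen_numbers)

    def check(self, client_id, numbers, now):
        """Return (numbers the server may answer for, count of refused lookups)."""
        tokens, last, seen = self._state.get(
            client_id, (float(self.burst), now, set()))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        unique = list(dict.fromkeys(numbers))        # de-duplicate, keep order
        new = [n for n in unique if n not in seen]   # only these cost tokens
        granted = new[: int(tokens)]
        seen.update(granted)
        self._state[client_id] = (tokens - len(granted), now, seen)
        return [n for n in unique if n in seen], len(new) - len(granted)


def simulate():
    limiter = ContactDiscoveryLimiter()
    # Constructed sample numbers with an unassigned "+000" prefix.
    book = [f"+000{i:09d}" for i in range(300)]
    first, refused1 = limiter.check("phone-user", book, now=0)
    extra = [f"+000{i:09d}" for i in range(300, 305)]
    second, refused2 = limiter.check("phone-user", book + extra, now=3600)

    # A client probing sequential numbers at the rate reported in the study.
    per_second = SCRAPE_RATE_PER_HOUR // 3600  # 27,777 lookups each second
    answered = refused = 0
    for t in range(10):
        start = 1_000_000 + t * per_second
        batch = [f"+000{start + i:09d}" for i in range(per_second)]
        ok, no = limiter.check("enumerator", batch, now=t)
        answered += len(ok)
        refused += no
    return {"user": (len(first), refused1, len(second), refused2),
            "enumerator": (answered, refused)}


if __name__ == "__main__":
    print(simulate())
```

The ordinary user's sync and later re-sync are answered in full, while the enumerating client gets its initial burst and nothing more during the ten simulated seconds.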

Meta reportedly patched the enumeration bug in October through stricter rate-limiting. However, researchers had notified WhatsApp back in April 2025, raising concerns that malicious actors may have previously exploited the same loophole. This timeline fuels debates around the WhatsApp data scraping issue, especially given the long gap between discovery and remediation.

Importantly, the report clarifies that WhatsApp’s end-to-end encryption remains secure. But exposing basic details like phone numbers, photos, and About text still carries risk. Publicly accessible information can be stitched together into large datasets of private identities—another major dimension of WhatsApp privacy risks.

The most alarming part of the study warns: “In the hands of a malicious actor, this data could be used to construct a facial recognition–based lookup service — effectively a ‘reverse phone book’...” The paper further adds: “Beyond facial features, additional elements captured in profile pictures, such as license plates, street signs, or recognizable landmarks, could enable more sophisticated profiling…” These quotes illustrate how deeply personal data can be exploited, expanding the consequences of the WhatsApp profile photo leak.




Meta declined to comment on the findings when contacted by The Indian Express, leaving many questions unanswered about the handling of this WhatsApp data scraping issue.

What It Means for India

India is WhatsApp’s biggest market, with over 500 million monthly active users, making the implications of this discovery even more serious. The revelation comes just after the enforcement of India’s Digital Personal Data Protection (DPDP) rules, adding urgency to conversations around WhatsApp privacy risks under the new law.

Under the DPDP Act, a phone number or email address counts as personal data. But the Act does not protect data that users voluntarily make public—meaning anyone who sets their WhatsApp profile photo to “everyone” may not be shielded legally. This legal gap complicates the broader discussion on the WhatsApp contact discovery vulnerability and user accountability.

How Users Can Protect Themselves

Platforms like Signal offer features such as username-based communication, allowing users to avoid sharing their phone numbers entirely. Features like hidden phone numbers provide additional layers of security—an ongoing part of the conversation around WhatsApp privacy risks and alternative messaging apps.

WhatsApp, however, still requires phone numbers for sign-ups. Users can reduce exposure by limiting profile photo and About visibility to “My Contacts” or “Nobody.” WhatsApp says it is working to strengthen defenses using rate-limiting and machine-learning systems to block scrapers—efforts aligned with growing concerns over WhatsApp security research findings.


WhatsApp’s vice president of engineering, Nitin Gupta, told Wired: “We had already been working on industry-leading anti-scraping systems, and this study was instrumental in stress-testing and confirming the immediate efficacy of these new defenses.” He further added: “We have found no evidence of malicious actors abusing this vector.” His statement highlights WhatsApp’s response to the WhatsApp data scraping issue, though concerns persist.

