A major security vulnerability in WhatsApp exposed the personal information of nearly 3.5 billion users, according to researchers from the University of Vienna, Austria. The issue stemmed from a weakness in WhatsApp’s contact discovery feature, which the team reported to Meta, owner of the messaging platform.

The US tech giant has since taken steps to address and contain the problem. Researchers were able to use the simple method of checking every possible number in WhatsApp's contact discovery to extract 3.5 billion phone numbers.

By exploiting WhatsApp’s contact discovery mechanism, the researchers were able to send more than 100 million queries per hour, ultimately extracting over 3.5 billion active accounts across 245 countries.

The data accessed during the study consisted only of information already publicly visible to anyone with a user’s phone number. This included phone numbers, public keys, timestamps, and, if set to public, profile photos and “about” text.

Even so, the researchers were able to derive further insights, such as a user’s operating system, the age of their account and the number of companion devices linked to it. The findings show that even small amounts of publicly accessible data can reveal far more than expected.