Researchers in Austria say they have uncovered what could be the largest data leak in history after exploiting a flaw in messaging platform WhatsApp to collect personal details of more than 3.5 billion users.

The team found that WhatsApp’s longstanding feature allowing users to look up accounts by entering phone numbers can be abused to “enumerate” massive amounts of user data — including phone numbers, names, and in many cases profile photos.

Using a tool built with technology from libphonenumber, the researchers generated 63 billion phone numbers and queried them at a rate of over 100 million accounts per hour. They said WhatsApp imposed no effective rate-limiting, allowing them to confirm 3.5 billion registered numbers — far higher than the “more than 2 billion” figure previously cited by the platform.
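The missing control described above can be sketched as follows. This is an added example, not code from the researchers or from WhatsApp: it caps the number of distinct phone numbers one client may look up per hour and flags clients whose share of registered numbers is far below that of a real address book. The class name, thresholds and sample traffic are hypothetical; the 1-in-18 hit rate of the sweep follows the article's 3.5 billion hits out of 63 billion candidates.

```python
from collections import defaultdict, deque


class LookupLimiter:
    """Per-client sliding-window budget on distinct numbers looked up (hypothetical)."""

    def __init__(self, max_distinct=500, window_s=3600, min_hit_ratio=0.2, min_sample=100):
        self.max_distinct = max_distinct    # distinct numbers allowed per window
        self.window_s = window_s            # window length in seconds
        self.min_hit_ratio = min_hit_ratio  # below this share of hits, flag the client
        self.min_sample = min_sample        # do not judge the ratio on fewer lookups
        self._events = defaultdict(deque)   # client -> (timestamp, number, registered)

    def decide(self, client, number, registered, now):
        q = self._events[client]
        while q and now - q[0][0] >= self.window_s:  # drop lookups outside the window
            q.popleft()
        seen = {n: r for _, n, r in q}
        # Budget is enforced before the lookup result would be revealed.
        if number not in seen and len(seen) >= self.max_distinct:
            return "deny"
        q.append((now, number, registered))
        seen[number] = registered
        # Generated number ranges mostly miss; a real contact list mostly hits.
        if len(seen) >= self.min_sample and sum(seen.values()) / len(seen) < self.min_hit_ratio:
            return "flag"
        return "allow"


def replay(limiter, client, lookups):
    """Feed (timestamp, number, registered) tuples through the limiter, count decisions."""
    counts = {"allow": 0, "flag": 0, "deny": 0}
    for now, number, registered in lookups:
        counts[limiter.decide(client, number, registered, now)] += 1
    return counts


# Constructed traffic: a 150-entry address book with 60% registered contacts,
# and a sequential sweep of 600 numbers where 1 in 18 is registered.
ADDRESS_BOOK = [(i, f"+43660{i * 7919 % 10**7:07d}", i % 5 < 3) for i in range(150)]
SWEEP = [(i, f"+43660{i:07d}", i % 18 == 0) for i in range(600)]

if __name__ == "__main__":
    limiter = LookupLimiter()
    print("address book:", replay(limiter, "phone-a", ADDRESS_BOOK))
    print("sweep:       ", replay(limiter, "phone-b", SWEEP))
```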

According to their report, 57 percent of active accounts examined had a profile photo, two-thirds of which showed identifiable human faces. Another 29 percent contained text revealing personal information, potentially including sexual orientation, political views, drug-related activity, professional email addresses, and links to platforms such as LinkedIn and Tinder.

The researchers warned that such data could enable the creation of a “reverse phonebook,” where a person’s image or text leads to further sensitive details, including identities of government and military personnel.

They also reported millions of active WhatsApp accounts linked to phone numbers from countries where the platform is banned, including China, raising concerns about potential persecution for circumventing restrictions.

Beyond state risks, the team said large-scale databases of active phone numbers can fuel spam, phishing, and robocall campaigns. They found that nearly half the numbers leaked during the 2021 Facebook data scrape remain active on WhatsApp today, highlighting long-term exposure.

WhatsApp has not yet commented on the findings.