WhatsApp privacy risk? How researchers scraped data, profile pics from crores of Indian users

The researchers’ findings come just days after the notification of the DPDP rules that aim to operationalise India's personal data protection law.

India is the largest market for Meta and WhatsApp. (File photo)

Security researchers have said that they managed to scrape phone numbers linked to over 3.5 billion active WhatsApp accounts, including nearly 750 million (75 crore) users in India – the highest count globally.

They were also able to extract the publicly displayed WhatsApp profile photos of 62 per cent (46.5 crore) of Indian users, along with other profile details such as the ‘About’ text, companion-device usage, business account information, and more.

These findings are part of a new research paper published on Tuesday, November 18, by a group of computer scientists from the University of Vienna in Austria, who said that they were able to compile these large datasets of WhatsApp account information by taking advantage of the instant messaging platform’s contact-discovery feature.

A WhatsApp user can easily see if a contact is registered on the platform by saving the mobile number on their phone and checking whether it appears in the chat list. If the other user has not restricted visibility in their account settings, their profile photo and name often show up as well.

While the contact-discovery feature might be convenient for users to discover and initiate conversations with other users, it can also be abused to harvest WhatsApp profile data at scale using advanced techniques leveraging the platform’s XMPP endpoints, the research shows.

Of the 3.5 billion active accounts they identified globally, the researchers said they were able to scrape publicly visible profile photos of 57 per cent of users. In Brazil, 61 per cent of the 206 million WhatsApp-linked numbers they found had profile photos exposed – the largest share after India.

Generally, rate-limiting is considered to be a standard defence against such abuse. However, the researchers accused WhatsApp of failing to limit the speed or number of contact discovery requests that they could make by interacting with WhatsApp’s browser-based app. “In our study, we were able to probe over a hundred million phone numbers per hour without encountering blocking or effective rate limiting,” the paper read.
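To make concrete what the per-client rate limiting described above looks like on the server side, here is an added illustration written for this article; it is not code from the paper or from WhatsApp. It models a contact-discovery endpoint that charges one token per phone number probed from a per-client token bucket, so that splitting a probe into many small batches buys no extra budget. The class and function names, the bucket sizes and the phone numbers are constructed values chosen for the example.

```python
"""Added example: per-client token-bucket rate limiting for a contact-discovery
lookup. Illustrative code written for this article, not WhatsApp's own code;
all limits, names and phone numbers below are constructed."""
from dataclasses import dataclass


@dataclass
class TokenBucket:
    """Classic token bucket: holds up to `capacity` tokens, refilled continuously
    at `refill_per_sec`. Time is passed in explicitly so behaviour is deterministic."""
    capacity: float
    refill_per_sec: float
    tokens: float = None
    last: float = 0.0

    def __post_init__(self):
        if self.tokens is None:
            self.tokens = self.capacity  # a new client starts with a full bucket

    def try_consume(self, n: float, now: float) -> bool:
        # Credit tokens for the time elapsed since the last call, capped at capacity.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= n:
            self.tokens -= n
            return True
        return False


class ContactDiscoveryService:
    """Answers 'which of these numbers are registered?' under a per-client budget."""

    def __init__(self, registered, capacity=1000.0, refill_per_sec=1.0, max_batch=100):
        self.registered = set(registered)   # constructed stand-in for the user directory
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.max_batch = max_batch
        self.buckets = {}                   # client_id -> TokenBucket

    def lookup(self, client_id: str, numbers: list, now: float) -> dict:
        if len(numbers) > self.max_batch:
            return {"status": "batch_too_large", "registered": []}
        bucket = self.buckets.setdefault(
            client_id, TokenBucket(self.capacity, self.refill_per_sec, last=now))
        # One token per number probed: the cost scales with how much of the
        # number space a client is testing, not with how many requests it sends.
        if not bucket.try_consume(len(numbers), now):
            return {"status": "rate_limited", "registered": []}
        return {"status": "ok",
                "registered": [n for n in numbers if n in self.registered]}


def lookups_permitted(service, client_id, numbers, batch_size, start, duration_sec, interval_sec):
    """Replay `numbers` in batches, one request every `interval_sec` seconds for
    `duration_sec`, retrying a batch that was rate limited. Returns how many
    numbers the service actually answered for, i.e. the limiter's effective cap."""
    answered, idx, now = 0, 0, start
    while now < start + duration_sec and idx < len(numbers):
        batch = numbers[idx: idx + batch_size]
        if service.lookup(client_id, batch, now)["status"] == "ok":
            answered += len(batch)
            idx += batch_size
        now += interval_sec
    return answered


if __name__ == "__main__":
    sample = [f"+91990000{i:04d}" for i in range(200)]        # constructed numbers
    directory = {"+919900000003", "+919900000170"}             # constructed registrations
    capped = ContactDiscoveryService(directory, capacity=150.0, refill_per_sec=1.0, max_batch=50)
    uncapped = ContactDiscoveryService(directory, capacity=1e9, refill_per_sec=1.0, max_batch=50)
    print("with limiter:", lookups_permitted(capped, "c1", sample, 50, 0.0, 10.0, 1.0))
    print("without limiter:", lookups_permitted(uncapped, "c1", sample, 50, 0.0, 10.0, 1.0))
```

With a 150-token bucket refilling at one token per second, the replay above answers 150 of the 200 numbers in the ten-second window and then stalls, whereas the effectively unlimited service answers all 200; the gap between those two figures is what a limiter keyed to numbers probed (rather than to request count) buys a defender.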


Notably, the Meta-owned platform reportedly fixed the enumeration problem in October this year by enacting stricter rate limiting against the mass-scale contact discovery method used by the researchers. However, the findings of the study were first brought to WhatsApp in April 2025, which means that other actors may have used the same scraping technique to harvest volumes of WhatsApp profile data in the past.

Importantly, the findings do not show that WhatsApp’s end-to-end encryption has been compromised. But even the exposure of basic user details such as phone number, About text, and profile photo can be used to create vast databases of personally identifiable information.

“In the hands of a malicious actor, this data could be used to construct a facial recognition–based lookup service — effectively a ‘reverse phone book’ — where individuals and their related phone numbers and available metadata can be queried based on their face,” the research paper read. “Beyond facial features, additional elements captured in profile pictures, such as license plates, street signs, or recognizable landmarks, could enable more sophisticated profiling and leak a user’s identity, location, or daily environment,” it added.

Meta declined to comment on the findings when reached by The Indian Express.


What it means for India

India is the largest market for Meta and WhatsApp, with more than 500 million monthly active users recorded last year. The researchers’ discovery comes just days after the notification of the Digital Personal Data Protection (DPDP) rules to operationalise the country’s data protection legislation, which is being implemented two years after it was passed into law.

A user’s phone number or email address is classified as ‘personal data’ under the DPDP Act, 2023, which defines ‘personal data breach’ as “any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.”

However, the provisions of the Act do not apply to personal data that has been made publicly available by users. This means that users who set their profile photo as publicly visible may not be protected under the existing law. On the other hand, WhatsApp still does not offer a way for users to discover and communicate with other users without using their phone numbers (although such a feature is said to be in beta).

How to safeguard yourself

Signal, the privacy-focused alternative to WhatsApp, rolled out a feature last year that lets users create a unique username that they can share with others instead of sharing their phone number. Additionally, users can choose to hide their phone numbers so that others using Signal won’t be able to see if that user has an account or even start a conversation with them unless they have their username.


But users still need a phone number to sign up on the platform.

As for WhatsApp, users can currently choose to make their profile information accessible only to their chosen contacts or nobody. WhatsApp also shows users regular in-app reminders to review their settings and enable privacy controls. The platform has said it is also implementing various defenses against scrapers, including rate-limiting and machine-learning techniques to block crawler bots.

“We had already been working on industry-leading anti-scraping systems, and this study was instrumental in stress-testing and confirming the immediate efficacy of these new defenses,” Nitin Gupta, vice president of engineering at WhatsApp, was quoted as saying by Wired. “We have found no evidence of malicious actors abusing this vector,” he added.
