WhatsApp data leak? How researchers scraped photos and metadata of millions of Indian users

Researchers uncovered a major privacy flaw in WhatsApp that exposed profile photos and metadata of crores of Indian users, raising serious concerns over data security and compliance under India’s new DPDP rules.

Nov 21, 2025 - 04:00

In a recent security study, researchers revealed how they could scrape publicly visible profile photos, “About” texts and other metadata from hundreds of millions of WhatsApp users’ accounts, including an estimated 750 million (75 crore) Indians.

Privacy researcher Amit Sudan (University of California, Berkeley) and colleagues from the University of Vienna have published an academic paper showing how WhatsApp’s global contact-discovery feature left users’ data vulnerable to scraping.

WhatsApp’s contact-discovery system is essentially a phone-number look-up feature: a client uploads a list of phone numbers and is told which of them have an active, associated WhatsApp account.

If a number was registered to an account, the information the user had made publicly visible, such as a profile picture or “About” description, was returned. Attackers could then upload new lists of phone numbers and repeat the look-up.

The researchers say they were able to scrape metadata for hundreds of millions of numbers per hour. They also report that WhatsApp’s browser-based contact-discovery system had no effective rate limiting, which made it relatively easy for an attacker to try very large numbers of lookups, over and over.

The researchers estimate that they were able to query over 99% of active WhatsApp users worldwide. They found around 3.5 billion active WhatsApp accounts globally, with publicly visible profile photos on 57 percent of those (1.98 billion accounts).
In India, the researchers report that 62 percent of scraped accounts (465 crore) had publicly visible profile-picture data.

Privacy Risks, Legal Questions

While the paper does not claim to have circumvented WhatsApp’s end-to-end encryption (which protects message content), the scraped data still included a significant amount of sensitive personal information.

Profiling: the researchers say that scraping profile images at large scale, paired with phone numbers, can be used to build “reverse phone-book” style databases. Facial recognition (or other image analysis) can then match individuals’ faces to their phone numbers, along with other personal details such as location or daily activities inferred from background clues in profile photos (licence plates, street signs, etc.).
The researchers say that “WhatsApp must immediately implement technical measures that prevent scraping” and “effectively rate-limit lookups” from its web client.
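The recommendation above amounts to treating the lookup endpoint as an abuse surface. As an added example (not the paper’s code or WhatsApp’s own), here is a sliding-window monitor for a contact-discovery endpoint that throttles a client either on raw lookup volume or on a high miss ratio, since a genuine address-book sync mostly hits registered numbers while blind enumeration mostly does not; the thresholds, client identifiers and sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed policy values for this example; real thresholds are product decisions.
WINDOW_SECONDS = 60
MAX_NUMBERS_PER_WINDOW = 5000   # total numbers one client may look up per window
MIN_SAMPLE_FOR_RATIO = 500      # judge the miss ratio only after enough lookups
MAX_MISS_RATIO = 0.5            # address-book syncs mostly hit registered numbers


class LookupMonitor:
    """Sliding-window monitor for a phone-number lookup (contact discovery) endpoint."""

    def __init__(self):
        # client id -> deque of (timestamp, numbers_queried, numbers_registered)
        self.batches = defaultdict(deque)

    def record(self, client, ts, queried, registered):
        """Record one lookup batch for a client and return 'allow' or 'throttle'."""
        q = self.batches[client]
        q.append((ts, queried, registered))
        # Evict batches that have fallen out of the window.
        while q and q[0][0] <= ts - WINDOW_SECONDS:
            q.popleft()
        total = sum(n for _, n, _ in q)
        hits = sum(h for _, _, h in q)
        if total > MAX_NUMBERS_PER_WINDOW:
            return "throttle"          # too many numbers looked up in the window
        if total >= MIN_SAMPLE_FOR_RATIO and (total - hits) / total > MAX_MISS_RATIO:
            return "throttle"          # mostly unregistered numbers: enumeration pattern
        return "allow"


# Constructed sample traffic: client-A syncs a normal address book; client-B
# submits large batches of mostly unregistered numbers every second.
SAMPLE_LOG = [
    ("client-A", 0, 300, 270),
    ("client-A", 30, 40, 36),
    ("client-B", 0, 2000, 300),
    ("client-B", 1, 2000, 280),
    ("client-B", 2, 2000, 310),
]


def verdicts(log):
    """Run the monitor over a log and return the final verdict per client."""
    mon = LookupMonitor()
    out = {}
    for client, ts, queried, hits in log:
        out[client] = mon.record(client, ts, queried, hits)
    return out


if __name__ == "__main__":
    print(verdicts(SAMPLE_LOG))  # {'client-A': 'allow', 'client-B': 'throttle'}
```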

WhatsApp (Meta) Response

Meta reportedly fixed the specific enumeration vulnerability in October 2025 by adding stricter rate limiting to its browser client. WhatsApp’s vice-president of engineering Nitin Gupta says their “anti-scraping” systems are “already industry-leading, and the researchers helped us test that by trying to scrape WhatsApp’s contact discovery feature at scale”.
In addition to rate limiting on lookups, WhatsApp also claims to have “deployed machine-learning techniques and crawler-bot detection” to block automated scraping.

Privacy in India

The paper’s timing is significant: it was published just a few weeks after India’s Digital Personal Data Protection (DPDP) Rules, 2025 were notified.

Phone numbers and email addresses count as “personal data” under India’s DPDP Act of 2023. A “personal data breach” is defined as “unauthorised … acquisition … or sharing” of such data.

However, the Act is more nuanced. The public visibility of certain data could be an exception to the privacy rules, meaning that even if there is a breach, users might not have a remedy. Users can make data “publicly visible” by setting it to “Everyone”, for instance by setting their profile photo visibility to “Everyone”.
When users make their data publicly visible, the Act’s scope to enforce privacy could be reduced, because such data is considered to have been “consented to” by the users.

User Privacy

WhatsApp’s settings now allow users to change visibility of profile photos and “About” text to Only My Contacts or Nobody (rather than Everyone).

Users should also be careful about other things they make public – including their profile photos. Avoid posting pictures with visible sensitive information like your home address or license plate.
Check out other apps that have more privacy-friendly features. For example, Signal lets you use a username (rather than phone number directly) and the platform works harder to keep your account hidden from unwanted scraping or lookups.
