Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy

📅 2025-11-25
📈 Citations: 0
Influential: 0
🤖 AI Summary
WhatsApp's contact discovery mechanism lets any client ask the server whether a phone number is registered. Because legitimate users need that lookup, the design inherently enables account enumeration, and it does so regardless of end-to-end encryption of the messages themselves. Method: the authors revisit the problem and show that the platform's rate limiting did not stop enumeration at scale; they probed more than a hundred million phone numbers per hour without being blocked, and used the collected data for a census of WhatsApp's roughly three billion accounts. Results: nearly half of the phone numbers exposed in the 2021 Facebook data leak are still active on WhatsApp, and the gathered identity keys reveal reuse of certain X25519 keys across different devices and phone numbers, which points to either insecure (custom) client implementations or fraudulent activity. The updated version of the paper also documents the coordinated disclosure and remediation process through which the authors confirmed that the underlying rate-limiting issue has been resolved.

📝 Abstract
WhatsApp, with 3.5 billion active accounts as of early 2025, is the world's largest instant messaging platform. Given its massive user base, WhatsApp plays a critical role in global communication. To initiate conversations, users must first discover whether their contacts are registered on the platform. This is achieved by querying WhatsApp's servers with mobile phone numbers extracted from the user's address book (if they allowed access). This architecture inherently enables phone number enumeration, as the service must allow legitimate users to query contact availability. While rate limiting is a standard defense against abuse, we revisit the problem and show that WhatsApp remains highly vulnerable to enumeration at scale. In our study, we were able to probe over a hundred million phone numbers per hour without encountering blocking or effective rate limiting. Our findings demonstrate not only the persistence but the severity of this vulnerability. We further show that nearly half of the phone numbers disclosed in the 2021 Facebook data leak are still active on WhatsApp, underlining the enduring risks associated with such exposures. Moreover, we were able to perform a census of WhatsApp users, providing a glimpse of the macroscopic insights a large messaging service is able to generate even though the messages themselves are end-to-end encrypted. Using the gathered data, we also discovered the re-use of certain X25519 keys across different devices and phone numbers, indicating either insecure (custom) implementations, or fraudulent activity. In this updated version of the paper, we also provide insights into the collaborative remediation process through which we confirmed that the underlying rate-limiting issue had been resolved.
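The abstract's last finding, X25519 key reuse across devices and phone numbers, is a simple join over the collected (phone number, device, public key) records. The following is an added example written for this page, not the authors' analysis code: it takes a constructed sample of such records (the sample data, the E.164 numbers and the device indices are invented for illustration), groups them by public key, and separates three cases a practitioner would want to see: one key on several devices of the same number, one key on unrelated numbers, and an all-zero key (the X25519 identity point, which a correct implementation never produces).

```python
"""Detect X25519 identity-key reuse in a set of (phone, device, key) records.

Added example; the records below are constructed, not data from the paper.
"""
from collections import defaultdict
from dataclasses import dataclass


X25519_KEY_BYTES = 32
ZERO_KEY = bytes(X25519_KEY_BYTES)  # the all-zero point; never valid as a public key


@dataclass(frozen=True)
class KeyRecord:
    phone: str        # E.164 number (constructed sample value)
    device: int       # 0 = primary phone, 1.. = linked companion devices (assumed scheme)
    pubkey_hex: str   # 32-byte X25519 public key, hex encoded


# Constructed sample (not from the paper): unique keys, one key shared by two
# devices of one number, one key shared by two unrelated numbers, one zero key.
SAMPLE = [
    KeyRecord("+43660000001", 0, "aa" * 32),
    KeyRecord("+43660000001", 1, "bb" * 32),
    KeyRecord("+43660000002", 0, "cc" * 32),
    KeyRecord("+43660000002", 1, "cc" * 32),   # same key on two devices of one number
    KeyRecord("+49170000003", 0, "dd" * 32),
    KeyRecord("+44770000004", 0, "dd" * 32),   # same key on two different numbers
    KeyRecord("+12020000005", 0, "00" * 32),   # all-zero key: broken implementation
]


def parse_key(hexstr: str) -> bytes:
    """Decode a hex key and enforce the fixed X25519 length."""
    key = bytes.fromhex(hexstr)
    if len(key) != X25519_KEY_BYTES:
        raise ValueError(f"expected {X25519_KEY_BYTES} bytes, got {len(key)}")
    return key


def index_by_key(records) -> dict:
    """Map each public key to the set of (phone, device) pairs it appears on."""
    by_key = defaultdict(set)
    for r in records:
        by_key[parse_key(r.pubkey_hex)].add((r.phone, r.device))
    return by_key


def find_key_reuse(records) -> dict:
    """Classify every key that appears more than once or is the zero point.

    Returns {"cross_number": {key_hex: [phones]},
             "cross_device": {key_hex: [(phone, device), ...]},
             "zero_key": {phones}}.
    """
    findings = {"cross_number": {}, "cross_device": {}, "zero_key": set()}
    for key, uses in index_by_key(records).items():
        phones = {phone for phone, _ in uses}
        if key == ZERO_KEY:
            findings["zero_key"] |= phones
        if len(phones) > 1:
            # One identity key behind unrelated numbers: custom client or fraud farm.
            findings["cross_number"][key.hex()] = sorted(phones)
        elif len(uses) > 1:
            # One key copied across a single account's devices instead of per-device keys.
            findings["cross_device"][key.hex()] = sorted(uses)
    return findings


def affected_numbers(findings: dict) -> list:
    """All phone numbers touched by any finding, sorted for stable reporting."""
    phones = set(findings["zero_key"])
    for numbers in findings["cross_number"].values():
        phones.update(numbers)
    for uses in findings["cross_device"].values():
        phones.update(phone for phone, _ in uses)
    return sorted(phones)


if __name__ == "__main__":
    result = find_key_reuse(SAMPLE)
    print("keys shared across numbers:", len(result["cross_number"]))
    print("keys shared across devices of one number:", len(result["cross_device"]))
    print("numbers with a zero key:", sorted(result["zero_key"]))
    print("affected numbers:", affected_numbers(result))
```

The distinction between the two reuse classes matters for triage: cross-device reuse within one account is a client bug that weakens per-device compromise boundaries, while cross-number reuse is the signal for mass-registered accounts run from one custom client.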
Problem

Research questions and friction points this paper is trying to address.

WhatsApp remains vulnerable to large-scale phone number enumeration attacks
The platform's rate limiting fails to prevent mass contact discovery
Enumeration exposes user activity patterns and potential security flaws
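The second problem above, rate limiting that does not stop mass contact discovery, comes down to what the limiter counts. As an added illustration that is not the paper's code and not a description of WhatsApp's actual implementation, the block below puts a budget that counts requests next to one that counts distinct phone numbers probed, both on the same sliding-window counter. The limits (100 requests or 1000 numbers per hour), the account identifiers and the injectable clock are assumptions made for the example; the point it shows is that a request-counting limiter is satisfied by one request carrying ten thousand numbers, while a number-counting limiter refuses it.

```python
"""Contact-discovery rate limiting: count numbers probed, not requests made.

Added example with assumed budgets; not WhatsApp's implementation.
"""
import time
from collections import defaultdict, deque
from typing import Callable, Iterable


class SlidingWindowBudget:
    """Per-account budget; each spend expires `window_seconds` after it was made."""

    def __init__(self, limit: int, window_seconds: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit = limit
        self.window = window_seconds
        self.clock = clock                         # injectable for deterministic tests
        self._events: dict = defaultdict(deque)    # account -> deque of (timestamp, cost)
        self._used: dict = defaultdict(int)        # account -> cost currently in window

    def _expire(self, account: str, now: float) -> None:
        q = self._events[account]
        while q and q[0][0] <= now - self.window:
            _, cost = q.popleft()
            self._used[account] -= cost

    def try_spend(self, account: str, cost: int) -> bool:
        """Reserve `cost` units if the window still has room; all-or-nothing."""
        now = self.clock()
        self._expire(account, now)
        if self._used[account] + cost > self.limit:
            return False
        self._events[account].append((now, cost))
        self._used[account] += cost
        return True

    def remaining(self, account: str) -> int:
        self._expire(account, self.clock())
        return self.limit - self._used[account]


class RequestCountLimiter:
    """Weak form: one lookup request costs one unit, however many numbers it carries."""

    def __init__(self, budget: SlidingWindowBudget) -> None:
        self.budget = budget

    def allow(self, account: str, numbers: Iterable[str]) -> bool:
        return self.budget.try_spend(account, 1)


class NumberCountLimiter:
    """Hardened form: cost is the number of distinct phone numbers in the batch."""

    def __init__(self, budget: SlidingWindowBudget) -> None:
        self.budget = budget

    def allow(self, account: str, numbers: Iterable[str]) -> bool:
        distinct = set(numbers)
        if not distinct:
            return True
        return self.budget.try_spend(account, len(distinct))


def demo() -> dict:
    """Run one bulk lookup through both limiters with a fixed clock."""
    clock = lambda: 0.0
    weak = RequestCountLimiter(SlidingWindowBudget(100, 3600, clock))
    strong = NumberCountLimiter(SlidingWindowBudget(1000, 3600, clock))
    bulk = [f"+43660{i:06d}" for i in range(10_000)]   # constructed batch of 10k numbers
    return {
        "request_counting_allows_10k_batch": weak.allow("acct", bulk),
        "number_counting_allows_10k_batch": strong.allow("acct", bulk),
    }


if __name__ == "__main__":
    print(demo())
```

A deployment would also need a global ceiling across accounts, since an enumeration campaign spreads lookups over many registered numbers, but the per-account unit of measurement is the first thing to get right.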
Innovation

Methods, ideas, or system contributions that make the work stand out.

Probing phone numbers for account enumeration
Exploiting rate limiting vulnerabilities at scale
Analyzing cryptographic key reuse across devices
Authors
Gabriel K. Gegenhuber, University of Vienna, Faculty of Computer Science
Philipp É. Frenzel, SBA Research
Maximilian Günther, University of Vienna, Faculty of Computer Science
Johanna Ullrich, University of Vienna and SBA Research (Networks, Critical Infrastructures)
Aljosha Judmayer, Researcher at University of Vienna and SBA Research (Distributed Systems, Cryptography Engineering, Cryptocurrencies, Network Security, Systems Security)