WhatsApp API Vulnerability Exposes 3.5 Billion User Accounts to Scraping by Researchers
A recent study by academic researchers revealed a serious security issue at WhatsApp: 3.5 billion mobile phone numbers and associated personal information were compiled by abusing the platform’s contact-discovery API. The scraping was possible because the API applied no rate limiting.
Upon discovering this vulnerability, the researchers promptly reported it to WhatsApp, leading to the implementation of rate-limiting protections to prevent similar breaches in the future.
This incident sheds light on a common tactic employed by malicious actors to extract user data from publicly accessible and unprotected APIs.
Uncovering the WhatsApp API Vulnerability
Researchers from the University of Vienna and SBA Research exploited WhatsApp’s contact-discovery feature, specifically utilizing the GetDeviceList API endpoint to identify account associations and devices linked to phone numbers.
The absence of strict rate limiting in such APIs allows for large-scale enumeration, as demonstrated in the case of WhatsApp. The researchers were able to query WhatsApp servers extensively, checking over 100 million numbers per hour without any hindrance.
Surprisingly, WhatsApp took no action to block the activity even though it originated from a single university server and used just five authenticated sessions.
Through their efforts, the researchers compiled a global dataset of 3.5 billion active WhatsApp accounts, offering unprecedented insights into the platform’s usage across various countries.
- India: 749 million
- Indonesia: 235 million
- Brazil: 206 million
- United States: 138 million
- Russia: 133 million
- Mexico: 128 million
The researchers also identified active accounts in countries where WhatsApp was banned, including China, Iran, North Korea, and Myanmar. Notably, usage in Iran continued to grow after the ban was lifted in December 2024.
Aside from verifying phone numbers, the researchers utilized additional API endpoints like GetUserInfo, GetPrekeys, and FetchPicture to gather more information about users, such as profile photos, ‘about’ text, and associated devices.
For instance, a test involving US numbers resulted in the download of 77 million profile photos without any rate limiting, potentially exposing identifiable faces and personal details.
Comparing their findings with the 2021 Facebook phone-number leak, the researchers discovered that 58% of the leaked numbers were still active on WhatsApp in 2025. This highlights the long-lasting implications of large-scale data breaches.
The researchers caution against the release of the dataset they compiled, as it contains sensitive information like phone numbers, timestamps, ‘about’ text, profile pictures, and public keys for end-to-end encryption, posing significant risks to the affected users.
API Abuse and Data Security Challenges
The WhatsApp API incident underscores a broader issue of inadequate rate limiting in online platforms, making APIs vulnerable to exploitation for large-scale data scraping.
Similar security lapses have been observed in other tech giants like Facebook, Twitter, and Dell, where attackers leveraged API vulnerabilities to extract massive amounts of user data.
These incidents serve as a stark reminder of the importance of implementing robust security measures, including proper rate limiting, to safeguard user information and prevent unauthorized access.
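To make the defensive point concrete, here is an added example (my own illustrative code, not WhatsApp’s implementation and not the researchers’ tooling) of the two controls this kind of scraping calls for: a per-session token-bucket rate limit on a contact-discovery style lookup endpoint, and a detector that flags a session which looks up far more distinct numbers than an ordinary address-book sync would. The endpoint name, thresholds, session ids and phone numbers are all constructed for the simulation.

```python
"""Per-session rate limiting and enumeration detection for a hypothetical
contact-discovery lookup endpoint (illustrative code, not WhatsApp's)."""
from collections import deque
import time


class FakeClock:
    """Deterministic clock so the simulation runs offline and repeatably."""
    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class TokenBucket:
    """Classic token bucket: `capacity` burst, refilled at `refill_per_sec`."""
    def __init__(self, capacity, refill_per_sec, clock=time.monotonic):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.tokens = float(capacity)
        self.clock = clock
        self.last = clock()

    def allow(self, cost=1):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class DiscoveryGuard:
    """Guards a lookup endpoint: throttles each authenticated session with a
    token bucket and flags sessions that query more than `flag_after`
    distinct numbers inside a sliding window (an enumeration signature)."""
    def __init__(self, capacity=200, refill_per_sec=1.0, flag_after=1000,
                 window_sec=3600, clock=time.monotonic):
        self.capacity, self.refill = capacity, refill_per_sec
        self.flag_after, self.window, self.clock = flag_after, window_sec, clock
        self.buckets = {}      # session id -> TokenBucket
        self.seen = {}         # session id -> deque of (timestamp, number)
        self.flagged = set()   # sessions already identified as enumerating

    def lookup(self, session, number):
        """Return 'ok', 'rate_limited' or 'flagged' for one lookup request."""
        if session in self.flagged:
            return "flagged"
        bucket = self.buckets.setdefault(
            session, TokenBucket(self.capacity, self.refill, self.clock))
        if not bucket.allow():
            return "rate_limited"
        now = self.clock()
        history = self.seen.setdefault(session, deque())
        history.append((now, number))
        while history and now - history[0][0] > self.window:
            history.popleft()   # drop entries outside the sliding window
        distinct = len({n for _, n in history})
        if distinct > self.flag_after:
            self.flagged.add(session)
            return "flagged"
        return "ok"


def simulate(guard, clock, session, n_numbers, per_second):
    """Issue n lookups of distinct constructed numbers at a fixed rate and
    count the outcomes."""
    counts = {"ok": 0, "rate_limited": 0, "flagged": 0}
    for i in range(n_numbers):
        counts[guard.lookup(session, f"+1555{i:07d}")] += 1
        clock.advance(1.0 / per_second)
    return counts


def demo():
    """Three constructed clients against the same guard configuration."""
    clock = FakeClock()
    guard = DiscoveryGuard(clock=clock)
    # 1. An ordinary address-book sync: 150 numbers, modest rate.
    honest = simulate(guard, clock, "session-honest", 150, 10)
    # 2. A bulk client hammering the endpoint: 10,000 numbers in ~10 s.
    fast = simulate(guard, clock, "session-fast", 10_000, 1000)
    # 3. A slow client that stays under the rate limit but enumerates 3,000
    #    distinct numbers; the distinct-number detector catches it.
    slow = simulate(guard, clock, "session-slow", 3000, 1)
    return honest, fast, slow


if __name__ == "__main__":
    for name, result in zip(("honest", "fast", "slow"), demo()):
        print(name, result)
```

The token bucket alone stops the high-rate client but would let a patient client enumerate indefinitely at one lookup per second, which is why the second check, on distinct numbers per session per window, is needed as well; in production the same counters should also be keyed by account and source address, not only by session.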