Saturday, November 22, 2025

WhatsApp API flaw let researchers scrape 3.5 billion accounts

Researchers compiled a list of 3.5 billion WhatsApp phone numbers and associated profile data by abusing a contact-discovery API that lacked rate limiting.

The team reported the issue to WhatsApp, and the company has since added rate-limiting protections to prevent similar abuse.

While this study was conducted by researchers who have not released the data, it illustrates a common tactic used by threat actors to scrape user information from publicly exposed and unprotected APIs.


Abusing the WhatsApp API

The researchers from the University of Vienna and SBA Research used WhatsApp's contact-discovery feature, which lets a client submit a phone number to the platform's GetDeviceList API endpoint to determine whether that number is associated with an account and which devices are linked to it.

Without strict rate limiting, a lookup API like this can be abused to perform large-scale enumeration across the entire platform: an attacker simply iterates over every plausible phone number and records which ones the service confirms.

The researchers found this to be the case with WhatsApp, as they were able to send a high volume of queries directly to WhatsApp's servers, checking more than 100 million numbers per hour.

They ran the entire operation from a single university server using just five authenticated sessions, initially expecting to get caught by WhatsApp. However, the platform never blocked the accounts, never throttled their traffic, never restricted their IP address, and never reached out, despite all of the abusive activity coming from one machine.

The researchers then generated a worldwide set of 63 billion potential mobile numbers and tested all of them against the API. Their queries returned 3.5 billion active WhatsApp accounts.
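The practical lesson from the enumeration described above is that a lookup endpoint needs limits keyed on more than one dimension: the researchers spread their traffic over five sessions from one machine, so a per-session cap alone would have slowed them by a factor of five at most, while a cap on the source address would have stopped the single-server run outright. The following is an added example, not code from the paper, from WhatsApp, or from any real contact-discovery implementation. It models a hypothetical lookup endpoint with a sliding-window limiter keyed on both session ID and source IP, then replays a constructed round-robin enumeration across five sessions with and without the limits. The limits (1,000 lookups per session per hour, 5,000 per source IP per hour), the session names, the IP address and the candidate number range are all made up for the demonstration.

```python
"""Sliding-window rate limiting for a contact-discovery lookup endpoint.

Added example (not from the paper or from WhatsApp). All limits, identifiers
and the request stream are constructed for illustration.
"""
from collections import deque

# Constructed sample data: 20,000 candidate numbers, of which every 7th
# "has an account". A real enumeration would iterate over billions.
CANDIDATES = [f"+1555{n:05d}" for n in range(20000)]
REGISTERED = frozenset(c for c in CANDIDATES if int(c[-5:]) % 7 == 0)


class SlidingWindowLimiter:
    """Allows at most `limit` events per key within any `window_seconds` span."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._events = {}  # key -> deque of event timestamps

    def _prune(self, key, now):
        q = self._events.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()  # drop events that have aged out of the window
        return q

    def would_allow(self, key, now):
        return len(self._prune(key, now)) < self.limit

    def record(self, key, now):
        self._prune(key, now).append(now)


class ContactDiscovery:
    """Hypothetical lookup endpoint guarded by per-session and per-source limits."""

    def __init__(self, registered, per_session=(1000, 3600), per_source=(5000, 3600)):
        self.registered = registered
        self.session_limit = SlidingWindowLimiter(*per_session)
        self.source_limit = SlidingWindowLimiter(*per_source)

    def lookup(self, session_id, source_ip, phone, now):
        # Evaluate both limits before consuming either, so a throttled request
        # is cheap and reveals nothing about whether `phone` has an account.
        if not (self.session_limit.would_allow(session_id, now)
                and self.source_limit.would_allow(source_ip, now)):
            return "throttled"
        self.session_limit.record(session_id, now)
        self.source_limit.record(source_ip, now)
        return "registered" if phone in self.registered else "unknown"


def simulate_enumeration(endpoint, sessions, source_ip, candidates, rate_per_second):
    """Send `candidates` round-robin across `sessions` from one IP at a fixed rate."""
    stats = {"answered": 0, "throttled": 0, "found": 0}
    for i, phone in enumerate(candidates):
        now = i / rate_per_second
        result = endpoint.lookup(sessions[i % len(sessions)], source_ip, phone, now)
        if result == "throttled":
            stats["throttled"] += 1
        else:
            stats["answered"] += 1
            if result == "registered":
                stats["found"] += 1
    return stats


def run_scenario(rate_limited):
    """Five sessions from one (constructed) IP, 100 lookups/s over the whole candidate set."""
    sessions = [f"session-{i}" for i in range(5)]
    if rate_limited:
        endpoint = ContactDiscovery(REGISTERED)
    else:
        unlimited = (len(CANDIDATES), 3600)  # effectively no limit for this run
        endpoint = ContactDiscovery(REGISTERED, per_session=unlimited, per_source=unlimited)
    return simulate_enumeration(endpoint, sessions, "203.0.113.10", CANDIDATES, 100.0)


if __name__ == "__main__":
    for limited in (False, True):
        print("rate limited" if limited else "no limits  ", run_scenario(limited))
```

Without limits the run answers all 20,000 lookups and confirms every registered number. With the limits, the five sessions together hit the per-session ceiling (5 x 1,000) at the same point the source-IP ceiling of 5,000 is reached, so only the first 5,000 lookups are answered and the remaining 15,000 are throttled. In production the limiter state would live in a shared store rather than process memory, and the throttled path should additionally raise an alert, since a single client exhausting its budget on consecutive lookups is exactly the signature of enumeration.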

The results also gave a previously unavailable snapshot of how WhatsApp is used globally, showing where the platform has the most accounts:

  • India: 749 million
  • Indonesia: 235 million
  • Brazil: 206 million
  • United States: 138 million
  • Russia: 133 million
  • Mexico: 128 million

Millions of active accounts were also identified in countries where WhatsApp was banned at the time, including China, Iran, North Korea, and Myanmar. In Iran, usage continued to grow after the ban was lifted in December 2024.

In addition to confirming whether a phone number was registered on WhatsApp, the researchers used other API endpoints, including GetUserInfo, GetPrekeys, and FetchPicture, to enumerate further details about users.

Using these additional endpoints, the researchers were able to collect profile photos, "about" text, and information about the other devices linked to a WhatsApp phone number.

A test run against US numbers downloaded 77 million profile photos without hitting any rate limit, many of them showing identifiable faces. Where public "about" text was available, it also revealed personal details and links to other social media accounts.

Finally, when the researchers compared their findings with the 2021 Facebook phone-number scrape, they found that 58% of the leaked Facebook numbers were still active on WhatsApp in 2025. The researchers explain that large-scale phone number leaks are so damaging because the numbers remain useful for other malicious activity for years.

"With 3.5B records (i.e., active accounts), we analyze a dataset that would, to our knowledge, qualify as the largest data leak in history, had it not been collated as part of a responsibly-conducted research study," explains the "Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy" paper.

"The dataset contains phone numbers, timestamps, about text, profile pictures, and public keys for E2EE encryption, and its release would entail adverse implications to the included users."

Other malicious cases of API abuse

WhatsApp's lack of rate limiting on these APIs is illustrative of a widespread problem on online platforms: APIs are designed to make it easy to share information and perform tasks, but the same convenience makes them vectors for large-scale scraping.

In 2021, threat actors exploited a bug in Facebook's "Add Friend" feature that allowed them to upload contact lists from a phone and check whether those contacts were on the platform. This API also failed to properly rate-limit requests, allowing threat actors to build profiles for 533 million users that included their phone numbers, Facebook IDs, names, and genders.

Meta later confirmed that the data came from automated scraping of an API that lacked proper safeguards, and the Irish Data Protection Commission (DPC) fined Meta €265 million over the leak.

Twitter faced a similar problem when attackers exploited an API vulnerability to match phone numbers and email addresses to 5.4 million accounts.

Dell disclosed that 49 million customer records were scraped after attackers abused an unprotected API endpoint.

All of these incidents, including WhatsApp's, stem from APIs that perform account or data lookups without adequate rate limits, making them easy targets for large-scale enumeration.
