Saturday, November 29, 2025

WhatsApp API flaw let researchers scrape 3.5 billion accounts


Researchers compiled a database of 3.5 billion WhatsApp phone numbers and associated personal data by abusing a contact-discovery API that lacked rate limiting.

The team reported the issue to WhatsApp, and the company has since added rate-limiting protections to prevent similar abuse.

While the study was conducted by researchers who have not released the data, it illustrates a common tactic used by threat actors to scrape user information from publicly exposed and unprotected APIs.


Abusing the WhatsApp API

The researchers from the University of Vienna and SBA Research used WhatsApp's contact-discovery feature, which lets a client submit a phone number to the platform's GetDeviceList API endpoint to determine whether that number is associated with an account and which devices are linked to it.

Without strict rate limiting, APIs like this can be abused to perform large-scale enumeration across a platform.

The researchers found this to be the case with WhatsApp, as they were able to send a high volume of queries directly to WhatsApp's servers, checking more than 100 million numbers per hour.

They ran the entire operation from a single university server using just five authenticated sessions, initially expecting to be caught by WhatsApp. However, the platform never blocked the accounts, never throttled their traffic, never restricted their IP address, and never reached out, despite all of the abusive activity coming from one system.

The researchers then generated a global set of 63 billion potential mobile numbers and tested all of them against the API. Their queries returned 3.5 billion active WhatsApp accounts.
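The controls the researchers found missing (per-session throttling, per-IP limits, some reaction to sustained abuse) are not exotic. The following is an added example written for this article, not WhatsApp's server code or the researchers' tooling; the endpoint shape, the limits, the IP addresses and the 1,000,000-number block are constructed assumptions. It pairs a sliding-window limiter keyed on both session and source IP with a detector that flags sessions whose answered lookups mostly miss, which also catches a scanner slow enough to stay under the rate limit. The simulated traffic mirrors the article's setup of five sessions from one server, and the same pattern applies to the Facebook, Twitter and Dell lookup APIs discussed later.

```python
"""Per-principal rate limiting plus enumeration detection for a contact-discovery
endpoint. Added illustration for this article; not WhatsApp's code. Limits,
endpoint shape, IPs and the number block are constructed assumptions."""
import random
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Assumed limits. A real client syncing an address book needs thousands of lookups
# per day; an enumerator needs millions per hour. Anything in between is a tradeoff.
SESSION_LIMIT = 2_000          # answered lookups per session per window
IP_LIMIT = 5_000               # answered lookups per source IP per window (covers NAT)
WINDOW_SECONDS = 3_600
MIN_LOOKUPS_FOR_VERDICT = 500  # don't judge a session on a handful of lookups
MAX_MISS_RATIO = 0.5           # address-book syncs mostly hit; scans mostly miss


@dataclass
class SlidingWindow:
    """Counts events in the trailing `window` seconds; refuses once `limit` is reached."""
    limit: int
    window: float
    events: deque = field(default_factory=deque)

    def would_allow(self, now):
        cutoff = now - self.window
        while self.events and self.events[0] <= cutoff:
            self.events.popleft()          # drop events that aged out of the window
        return len(self.events) < self.limit

    def record(self, now):
        self.events.append(now)

    def allow(self, now):
        ok = self.would_allow(now)
        if ok:
            self.record(now)
        return ok


class ContactDiscovery:
    """Simulated 'is this number registered?' endpoint guarded by two limiters."""

    def __init__(self, registered):
        self.registered = set(registered)
        self.by_session = defaultdict(lambda: SlidingWindow(SESSION_LIMIT, WINDOW_SECONDS))
        self.by_ip = defaultdict(lambda: SlidingWindow(IP_LIMIT, WINDOW_SECONDS))
        self.stats = defaultdict(lambda: {"hits": 0, "misses": 0, "throttled": 0})

    def lookup(self, session, ip, number, now):
        sess, src = self.by_session[session], self.by_ip[ip]
        # Both budgets must have room before either is charged, so a throttled
        # session cannot burn the shared per-IP budget.
        if not (sess.would_allow(now) and src.would_allow(now)):
            self.stats[session]["throttled"] += 1
            return "throttled"
        sess.record(now)
        src.record(now)
        if number in self.registered:
            self.stats[session]["hits"] += 1
            return "registered"
        self.stats[session]["misses"] += 1
        return "unknown"

    def suspicious_sessions(self):
        """Flag sessions whose answered lookups mostly miss: a scan of the number
        space, even one slow enough to stay under the limiter."""
        flagged = []
        for session, st in self.stats.items():
            answered = st["hits"] + st["misses"]
            if answered >= MIN_LOOKUPS_FOR_VERDICT and st["misses"] / answered > MAX_MISS_RATIO:
                flagged.append(session)
        return sorted(flagged)


def simulate():
    """Constructed traffic: one legitimate sync, five fast scanners sharing one
    IP (the article's single-server, five-session setup), and one slow scanner."""
    rng = random.Random(7)
    block = ["+1555%07d" % n for n in range(1_000_000)]
    registered = set(rng.sample(block, 50_000))      # ~5% registered, as in the study
    api = ContactDiscovery(registered)
    clock = [0.0]

    def call(session, ip, number):
        clock[0] += 0.01                              # 100 lookups/s, all inside one window
        return api.lookup(session, ip, number, clock[0])

    # Legitimate address-book sync: 720 known contacts plus 80 unregistered numbers.
    for num in rng.sample(sorted(registered), 720) + rng.sample(block, 80):
        call("legit", "198.51.100.20", num)
    # Five scanners interleaved from one IP, each walking its own 3,000-number slice.
    for r in range(3_000):
        for k in range(5):
            call("enum%d" % k, "203.0.113.5", block[k * 3_000 + r])
    # A slow scanner that stays under both limits but still mostly misses.
    for num in block[500_000:501_500]:
        call("slow", "192.0.2.9", num)

    return {"stats": {k: dict(v) for k, v in api.stats.items()},
            "flagged": api.suspicious_sessions()}


if __name__ == "__main__":
    result = simulate()
    for session, st in result["stats"].items():
        print(session, st)
    print("flagged:", result["flagged"])
```

In the simulation the five scanners share a 5,000-lookup IP budget, so each gets 1,000 answers and 2,000 throttled responses; the legitimate sync is never throttled and never flagged; the slow scanner is never throttled but is flagged on its miss ratio, which is the signal a rate limiter alone does not give you.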

The results also gave a previously unavailable snapshot of how WhatsApp is used globally, showing where the platform is most used:

  • India: 749 million
  • Indonesia: 235 million
  • Brazil: 206 million
  • United States: 138 million
  • Russia: 133 million
  • Mexico: 128 million

Millions of active accounts were also identified within countries where WhatsApp was banned at the time, including China, Iran, North Korea, and Myanmar. In Iran, usage continued to grow after the ban was lifted in December 2024.

In addition to confirming whether a phone number was used on WhatsApp, the researchers used other API endpoints to enumerate additional information about users, including GetUserInfo, GetPrekeys, and FetchPicture.

Using these additional APIs, the researchers were able to obtain profile pictures, "about" text, and information about other devices associated with a WhatsApp phone number.

A test on US numbers downloaded 77 million profile pictures without hitting any rate limiting, with many showing identifiable faces. Where public "about" text was available, it also revealed personal details and links to other social accounts.

Finally, when the researchers compared their findings with the 2021 Facebook phone-number scrape, they found that 58% of the leaked Facebook numbers were still active on WhatsApp in 2025. The researchers explain that large-scale phone number leaks are so damaging because they remain useful for other malicious activity for years.

“With 3.5 B records (i.e., active accounts), we analyze a dataset that would, to our knowledge, classify as the largest data leak in history, had it not been collated as part of a responsibly-conducted research study,” explains the “Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy” paper.

“The dataset contains phone numbers, timestamps, about text, profile pictures, and public keys for E2EE encryption, and its release would entail adverse implications to the included users.”

Other malicious cases of API abuse

WhatsApp's lack of rate limiting on its APIs is illustrative of a widespread issue on online platforms: APIs are designed to make it easy to share information and perform tasks, but they also become vectors for large-scale scraping.

The Facebook dataset that surfaced in 2021 came from threat actors exploiting a bug in Facebook's "Add Friend" feature, which allowed them to upload contact lists from a phone and check whether those contacts were on the platform. This API also did not properly rate-limit requests, allowing threat actors to build profiles for 533 million users that included their phone numbers, Facebook IDs, names, and genders.

Meta later confirmed that the data came from automated scraping of an API that lacked proper safeguards, and the Irish Data Protection Commission (DPC) fined Meta €265 million over the leak.

Twitter faced a similar problem when attackers exploited an API vulnerability to match phone numbers and email addresses to 5.4 million accounts.

Dell disclosed that 49 million customer records were scraped after attackers abused an unprotected API endpoint.

All of these incidents, including WhatsApp's, stem from APIs that perform account or data lookups without adequate rate limits, making them easy targets for large-scale enumeration.
