
WhatsApp API Flaw Exposed 3.5 Billion User Accounts

Summary

– Researchers scraped 3.5 billion WhatsApp accounts by exploiting an unprotected contact-discovery API that lacked rate limiting, allowing them to check phone numbers at scale.
– The study revealed WhatsApp’s global usage distribution, with India having 749 million users, followed by Indonesia, Brazil, and the United States, and identified millions of active accounts in countries where WhatsApp was banned.
– Additional unprotected APIs enabled the collection of user profile photos, “about” text, and device information, including 77 million profile photos from US numbers alone, many containing identifiable faces.
– This incident mirrors previous API abuse cases, such as the 2021 Facebook data scrape affecting 533 million users, highlighting a widespread security issue where unprotected APIs facilitate large-scale data harvesting.
– The researchers emphasized that while their study was responsible, the dataset would represent the largest data leak in history if released, containing sensitive information that could be exploited for years by malicious actors.

A significant security vulnerability within WhatsApp’s application programming interface (API) allowed researchers to compile a list of 3.5 billion active user accounts along with associated personal details. This was accomplished by exploiting a contact-discovery feature that lacked proper rate-limiting safeguards. Following responsible disclosure by the research team, WhatsApp has since implemented protections to prevent such large-scale data scraping in the future. Although this particular study was conducted ethically without public data release, it starkly illustrates a common method threat actors employ to harvest user information from inadequately secured APIs.

The investigation, carried out by academics from the University of Vienna and SBA Research, focused on WhatsApp’s contact-discovery mechanism. This feature permits users to submit a phone number to the platform’s GetDeviceList API endpoint to verify if the number is registered and to identify associated devices. APIs without strict rate controls are inherently vulnerable to abuse, enabling attackers to perform mass enumeration across an entire platform. The researchers confirmed this weakness in WhatsApp, managing to dispatch a massive volume of queries directly to its servers, processing over one hundred million number checks every hour.

Remarkably, the entire operation was executed from a single university server using only five authenticated sessions. The team fully anticipated their activities would be flagged and blocked by WhatsApp’s security systems. Contrary to expectations, the platform took no defensive action: the accounts remained active, traffic was not throttled, IP addresses faced no restrictions, and no contact was initiated by the company despite all abusive queries originating from one source. This lack of intervention allowed the researchers to generate a global dataset of 63 billion possible mobile numbers and test each one against the API, successfully identifying 3.5 billion active WhatsApp accounts.
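The defensive control missing from the account described above is a per-session budget on "is this number registered?" lookups. The following guard is an added illustration, not WhatsApp's code or anything from the paper: it enforces a sliding-window limit per authenticated session and additionally flags sessions whose lookups mostly miss, the signature a sweep across a number range produces, whereas a real address-book sync mostly hits registered numbers. The class, thresholds and sample traffic are all constructed assumptions.

```python
from collections import deque


class ContactLookupGuard:
    """Per-session sliding-window budget for an 'is this number registered?' lookup.
    Signals: volume in the window, and share of lookups that miss (no account). A
    contact sync is a bounded batch that mostly hits; walking a number range is an
    unbounded stream that mostly misses. Thresholds are illustrative assumptions."""

    def __init__(self, max_lookups=500, window_seconds=3600,
                 max_miss_ratio=0.8, min_sample=50):
        self.max_lookups, self.window = max_lookups, window_seconds
        self.max_miss_ratio, self.min_sample = max_miss_ratio, min_sample
        self._events = {}  # session_id -> deque of (timestamp, registered)

    def allow(self, session_id, now):
        """True if a lookup from this session may proceed at time `now` (seconds)."""
        q = self._events.get(session_id)
        if not q:
            return True
        while q and now - q[0][0] >= self.window:  # drop events outside the window
            q.popleft()
        if len(q) >= self.max_lookups:
            return False  # volume budget exhausted
        misses = sum(1 for _, registered in q if not registered)
        if len(q) >= self.min_sample and misses / len(q) > self.max_miss_ratio:
            return False  # mostly unregistered numbers: enumeration pattern
        return True

    def record(self, session_id, now, registered):
        """Record one completed lookup and whether the number had an account."""
        self._events.setdefault(session_id, deque()).append((now, registered))


def replay(guard, events):
    """Feed (time, session, registered) lookups; return blocked count per session."""
    blocked = {}
    for now, session, registered in events:
        if guard.allow(session, now):
            guard.record(session, now, registered)
        else:
            blocked[session] = blocked.get(session, 0) + 1
    return blocked


# Constructed traffic (not real data): a sync of 150 lookups with 80% hits, and
# an enumeration burst of 2000 lookups over 2000 seconds with 5% hits.
SYNC = [(t, "sync-session", t % 10 != 0) for t in range(0, 300, 2)]
ENUM = [(t, "enum-session", t % 20 == 0) for t in range(2000)]


def demo():
    return replay(ContactLookupGuard(), SYNC + ENUM)  # {'enum-session': 1950}
```

The sync session is never throttled, while the enumerating session is cut off after the first 50 lookups once its miss ratio is visible; a pure volume flood with a high hit rate is still stopped by the window budget alone.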

The findings provided an unprecedented view into WhatsApp’s global usage patterns, revealing its strongest user bases. India leads with 749 million users, followed by Indonesia (235 million), Brazil (206 million), the United States (138 million), Russia (133 million), and Mexico (128 million). The research also uncovered millions of active accounts in nations where WhatsApp was officially banned at the time, such as China, Iran, North Korea, and Myanmar. Notably, usage in Iran continued to grow, especially after the ban was lifted in December 2024.

Beyond simply confirming active numbers, the researchers leveraged additional API endpoints, GetUserInfo, GetPrekeys, and FetchPicture, to gather further user data. These interfaces allowed the collection of profile photographs, “about” text descriptions, and information about other devices linked to a WhatsApp account. A test targeting U.S. numbers successfully downloaded 77 million profile pictures without encountering any rate limits, many of which displayed clearly identifiable faces. Available “about” text often revealed personal details and links to other social media profiles, compounding the privacy risks.

When the researchers cross-referenced their findings with data from the 2021 Facebook phone-number breach, they discovered that 58% of the numbers leaked from Facebook were still active on WhatsApp in 2025. This demonstrates the long-term danger of large-scale phone number exposures, as such data remains valuable for malicious activities for many years. The researchers noted in their paper, “Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy,” that their compiled dataset of 3.5 billion records would constitute the largest data leak in history if it had been collected with malicious intent. The dataset included phone numbers, timestamps, profile text, photographs, and public encryption keys, the exposure of which would have severe implications for user privacy.

WhatsApp’s failure to implement API rate limiting is emblematic of a broader security issue affecting many online platforms. APIs are designed to facilitate information sharing and task execution, yet they frequently become vectors for mass data scraping when left unprotected. In 2021, threat actors exploited a flaw in Facebook’s “Add Friend” feature, uploading phone contact lists to check for platform membership. That API also lacked proper rate controls, enabling the creation of detailed profiles for 533 million users, complete with phone numbers, Facebook IDs, names, and genders. Meta later acknowledged that the data came from automated scraping of an inadequately secured API, which led to a €265 million fine from the Irish Data Protection Commission.

Twitter encountered a comparable issue when attackers used an API vulnerability to associate phone numbers and email addresses with 54 million user accounts. Similarly, Dell reported that 49 million customer records were extracted after attackers abused an unprotected API endpoint. Each of these incidents, including the WhatsApp case, stems from APIs that perform account or data lookups without sufficient rate limiting, rendering them easy targets for large-scale enumeration by malicious actors.

(Source: Bleeping Computer)
