Researchers compiled a list of 3.5 billion WhatsApp mobile phone numbers and associated personal information by abusing a contact-discovery API that lacked rate limiting.
After the team reported the issue to WhatsApp, the company added rate-limiting protections to prevent similar abuse.
Although the study came from researchers who have not released the data, it clearly illustrates a common tactic that threat actors use to scrape user information from exposed APIs that lack abuse protections.
WhatsApp Abuse
The researchers from the University of Vienna and SBA Research used WhatsApp’s contact-discovery feature, which lets a client submit a phone number to the platform’s GetDeviceList API endpoint to determine whether the number belongs to an account and which devices the account uses. Without strict rate limiting, an API like this lets anyone perform large-scale enumeration across the platform.
The researchers found exactly this scenario in WhatsApp: they sent a high volume of queries directly to WhatsApp’s servers, checking more than 100 million numbers per hour.
They ran the entire operation from a single university server using just five authenticated sessions, initially expecting WhatsApp to catch them. However, the platform never blocked the accounts, never throttled their traffic, never restricted their IP address, and never reached out despite all the abusive activity coming from one device.
Afterward, the researchers generated a global set of 63 billion potential mobile numbers and tested all of them against the API. Their queries returned 3.5 billion active WhatsApp accounts.
The results also gave a previously unknown snapshot of how WhatsApp is used globally, showing where the platform is most used:
- India: 749 million
- Indonesia: 235 million
- Brazil: 206 million
- United States: 138 million
- Russia: 133 million
- Mexico: 128 million
Additionally, they identified millions of active accounts inside countries where WhatsApp was banned at the time, including China, Iran, North Korea, and Myanmar. In Iran, usage continued to grow after the ban was lifted in December 2024.
Other APIs
In addition to confirming whether a phone number was registered on WhatsApp, the researchers used other API endpoints, such as GetUserInfo, GetPrekeys, and FetchPicture, to enumerate additional information about users.
Through these additional APIs, the researchers collected profile photos, “about” text, and information about other devices associated with a WhatsApp phone number.
A test of US numbers downloaded 77 million profile photos without any rate limiting, and many showed identifiable faces. Furthermore, if public “about” text was available, it revealed personal details and links to other social accounts.
Finally, when the researchers compared their findings with the 2021 Facebook phone-number scrape, they found that 58% of the leaked Facebook numbers remained active on WhatsApp in 2025. The researchers explain that large-scale phone-number leaks cause long-term damage because adversaries can reuse the numbers in attacks for years.
“With 3.5 B records (i.e., active accounts), we analyze a dataset that would, to our knowledge, classify as the largest data leak in history, had it not been collated as part of a responsibly-conducted research study,” explains the “Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy” paper.
“The dataset contains phone numbers, timestamps, about text, profile pictures, and public keys for E2EE encryption, and its release would entail adverse implications to the included users.”
Not just WhatsApp
WhatsApp’s lack of rate limiting for its APIs illustrates a widespread issue on online platforms, where APIs aim to make information sharing and task execution easy, yet they also create vectors for large-scale scraping.
For example, in 2021, threat actors exploited a bug in Facebook’s “Add Friend” feature that let them upload a phone’s contact list and check whether those contacts were on the platform.
This API also failed to properly rate-limit requests, allowing the actors to compile profiles for 533 million users that included their phone numbers, Facebook IDs, names, and genders.
Meta later confirmed that the data came from automated scraping of an API that lacked proper safeguards, and the Irish Data Protection Commission (DPC) fined Meta €265 million over the leak.
Twitter faced the same problem when attackers exploited an API vulnerability to match phone numbers and email addresses to 5.4 million accounts.
Likewise, Dell disclosed that attackers scraped 49 million customer records after they abused an unprotected API endpoint.
All of these incidents, including WhatsApp’s, arise because APIs perform account or data lookups without adequate rate limits, ultimately making them easy targets for large-scale enumeration.
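A worked illustration of the defense the article describes, covering both the GetDeviceList-style lookup under WhatsApp Abuse and the conclusion above about lookups without adequate rate limits. This is an added example, not code from the paper, from BleepingComputer, or from WhatsApp: a contact-discovery lookup behind a per-session and a per-IP sliding-window limit, plus a miss-ratio check that flags a session whose queries mostly hit numbers with no account. The limits, the miss-ratio threshold, the registry, and every name (ContactDiscovery, SlidingWindowLimiter, REGISTERED) are assumptions of this example; the miss-ratio heuristic in particular is not something the paper or WhatsApp describes. Run as written, a five-session sweep from one address in the researchers’ pattern is capped at 8,000 answers by the IP budget when only the rate limits are on, is cut off after 500 queries per session when the miss-ratio check is on, and an ordinary client syncing 300 contacts is never throttled.

```python
"""Contact-discovery lookup with per-session and per-IP rate limits and a
miss-ratio enumeration check. Added illustration, not WhatsApp's code; every
name here (ContactDiscovery, SlidingWindowLimiter, REGISTERED) is invented."""
from collections import deque

# Constructed registry standing in for "numbers that belong to an account":
# about 1 in 17 of the +1555xxxxxxx block, roughly the 3.5B-of-63B hit rate
# the researchers report.
REGISTERED = {f"+1555{n:07d}" for n in range(0, 100_000, 17)}


class SlidingWindowLimiter:
    """Allow at most `limit` events per key in any trailing `window_s` seconds."""

    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self._events = {}  # key -> deque of accepted-event timestamps

    def allow(self, key, now):
        q = self._events.setdefault(key, deque())
        while q and now - q[0] >= self.window_s:  # expire events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class ContactDiscovery:
    """GetDeviceList-style check: does `number` belong to an account?"""

    def __init__(self, per_session=2_000, per_ip=8_000, window_s=3600.0,
                 miss_check_after=500, max_miss_ratio=0.8):
        self.session_lim = SlidingWindowLimiter(per_session, window_s)
        self.ip_lim = SlidingWindowLimiter(per_ip, window_s)
        self.miss_check_after, self.max_miss_ratio = miss_check_after, max_miss_ratio
        self._stats = {}            # session -> [queries answered, misses]
        self.blocked_sessions = set()

    def lookup(self, session, ip, number, now):
        """Return ("ok", exists) or ("throttled" | "blocked", None)."""
        if session in self.blocked_sessions:
            return "blocked", None
        # Session limit first, so a session that is already throttled does not
        # also eat its address's budget; the per-IP cap is what bounds "many
        # sessions behind one server", the pattern the researchers used.
        if not self.session_lim.allow(session, now) or not self.ip_lim.allow(ip, now):
            return "throttled", None
        exists = number in REGISTERED
        stats = self._stats.setdefault(session, [0, 0])
        stats[0] += 1
        stats[1] += not exists
        # Heuristic (an assumption of this example, not something the paper or
        # WhatsApp describes): an address-book sync mostly queries numbers that
        # do have accounts, while a brute-force sweep mostly misses.
        if (self.max_miss_ratio is not None and stats[0] >= self.miss_check_after
                and stats[1] / stats[0] > self.max_miss_ratio):
            self.blocked_sessions.add(session)
        return "ok", exists


def run_queries(service, queries):
    """Feed (session, ip, number, now) tuples through the service; tally outcomes."""
    tally = {"answered": 0, "found": 0, "throttled": 0, "blocked": 0}
    for session, ip, number, now in queries:
        status, exists = service.lookup(session, ip, number, now)
        if status == "ok":
            tally["answered"] += 1
            tally["found"] += exists
        else:
            tally[status] += 1
    return tally


def sweep_queries(sessions=5, per_session=20_000, ip="198.51.100.7", hour=3600.0):
    """The pattern the researchers describe: a few authenticated sessions on one
    address walking a numbering block inside an hour. Constructed input."""
    total = sessions * per_session
    i = 0
    for s in range(sessions):
        for n in range(s * per_session, (s + 1) * per_session):
            yield f"sess-{s}", ip, f"+1555{n:07d}", i * hour / total
            i += 1


def address_book_queries(session="sess-u", ip="203.0.113.9"):
    """A normal client syncing 300 contacts, half of them not on the platform."""
    numbers = [f"+1555{n:07d}" for n in range(0, 2550, 17)]    # 150 registered
    numbers += [f"+1555{n:07d}" for n in range(1, 2551, 17)]   # 150 not registered
    return [(session, ip, num, 0.0) for num in numbers]


if __name__ == "__main__":
    print("sweep, limits only:", run_queries(ContactDiscovery(max_miss_ratio=None), sweep_queries()))
    print("sweep, with check :", run_queries(ContactDiscovery(), sweep_queries()))
    print("address-book sync :", run_queries(ContactDiscovery(), address_book_queries()))
```

The two limits do different jobs: the per-session cap bounds what one authenticated client can learn, and the per-IP cap is what stops the article’s scenario of several sessions behind one server. The miss-ratio check is a tunable heuristic and should be logged before it is enforced, since a user whose address book is mostly non-users would trip a threshold set too low.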
Source: BleepingComputer, Lawrence Abrams