
Massive WhatsApp API Flaw Allowed Researchers to Scrape 3.5 Billion User Accounts Worldwide

A critical WhatsApp API vulnerability has been uncovered, revealing how researchers were able to collect 3.5 billion phone numbers and user details by exploiting the platform’s contact-discovery feature. The flaw, linked to WhatsApp’s GetDeviceList API, lacked essential rate-limiting protections, enabling large-scale enumeration of global phone numbers at unprecedented speed. While the researchers acted responsibly and did not release the dataset, the findings highlight a significant security gap that threat actors could have easily abused.

The research team from the University of Vienna and SBA Research demonstrated that WhatsApp’s contact-discovery API could be queried at a rate of over 100 million phone numbers per hour, all from a single server and using just five authenticated accounts. Despite the high volume of automated requests, WhatsApp never blocked the sessions, throttled traffic, or flagged the activity as suspicious — a sign that its security monitoring was insufficient for preventing mass scraping.

By generating a global pool of 63 billion possible mobile numbers, the researchers successfully identified 3.5 billion active WhatsApp accounts. The dataset revealed a previously unseen geographic breakdown of WhatsApp’s usage. Countries with the highest number of accounts included India (749M), Indonesia (235M), Brazil (206M), USA (138M), Russia (133M), and Mexico (128M). Notably, millions of accounts were found in regions where WhatsApp was banned at the time, such as China, Iran, and North Korea.

Beyond confirming active accounts, the researchers used additional APIs — including GetUserInfo, GetPrekeys, and FetchPicture — to collect profile photos, “about” messages, device metadata, and even encryption public keys linked to users. In the United States alone, the team retrieved 77 million profile photos, many of which contained identifiable faces. When users had public “about” text, the data often exposed personal statements or links to other social platforms.

The study also revealed worrying overlaps with historic leaks. After cross-referencing the scraped data with the 2021 Facebook phone-number breach, researchers found that 58% of the leaked Facebook numbers were still active on WhatsApp in 2025. This persistence, they noted, is exactly why large-scale phone-number leaks remain so dangerous — they continue enabling phishing, impersonation, SIM-swapping, fraud, and targeted attacks for years.

The researchers stated that had their dataset been leaked publicly, it would qualify as the largest data exposure in history. The study, titled “Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy,” underscores just how severe the consequences would have been: exposed phone numbers, timestamps, profile photos, bios, and even public keys could be weaponized in countless malicious operations.

This incident mirrors a growing pattern across the tech landscape. Other platforms — including Facebook, Twitter, and Dell — have suffered massive data leaks caused by APIs without proper rate limiting, allowing attackers to automate large-scale scraping. Meta faced a €265 million regulatory fine when 533 million Facebook user profiles were scraped in 2021. Twitter, too, saw 54 million user accounts impacted by an API vulnerability that allowed email and phone matching.

WhatsApp has since implemented rate-limiting protections to reduce the risk of similar abuse, but the incident highlights a broader issue: APIs built for convenience often become attack vectors when security controls lag behind user scale.
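As an added illustration (not code from the researchers, WhatsApp, or this article), the Python model below shows the two server-side controls the article says were missing on the contact-discovery endpoint: a per-account sliding-window cap on lookups, and a hit-rate heuristic that denies sessions whose lookups rarely match a registered number, which is what scanning a generated pool of candidate numbers looks like compared with syncing a real address book. The thresholds, the registry of "registered" numbers, and the account names are constructed assumptions for the example.

```python
from collections import defaultdict, deque

# Constructed thresholds (assumed for this example; not WhatsApp's real policy).
WINDOW_SECONDS = 3600           # sliding window per account
MAX_LOOKUPS_PER_WINDOW = 5000   # lookups one account may make per window
MIN_SAMPLE_FOR_HIT_RATE = 1000  # judge hit rate only after this many lookups
MIN_HIT_RATE = 0.20             # address-book syncs mostly hit real accounts

class ContactDiscoveryGuard:
    """Caps lookup volume per account and denies sessions whose lookups rarely
    match a registered number, the signature of scanning a generated pool."""
    def __init__(self, registered):
        self.registered = set(registered)
        self.events = defaultdict(deque)   # account -> (timestamp, number)
        self.total = defaultdict(int)      # lookups inside the window
        self.hits = defaultdict(int)       # of which matched a registered number
    def _expire(self, account, now):
        q = self.events[account]
        while q and now - q[0][0] >= WINDOW_SECONDS:
            _, number = q.popleft()
            self.total[account] -= 1
            self.hits[account] -= number in self.registered

    def lookup(self, account, now, numbers):
        """Return ("allow", {number: registered}) or ("deny", reason); a denied
        batch returns no partial answers, so nothing is learned from it."""
        self._expire(account, now)
        if self.total[account] + len(numbers) > MAX_LOOKUPS_PER_WINDOW:
            return "deny", "rate-limit"
        if self.total[account] >= MIN_SAMPLE_FOR_HIT_RATE:
            if self.hits[account] / self.total[account] < MIN_HIT_RATE:
                return "deny", "enumeration-pattern"
        results = {n: n in self.registered for n in numbers}
        for n, registered in results.items():
            self.events[account].append((now, n))
            self.total[account] += 1
            self.hits[account] += registered
        return "allow", results

def scan_until_denied(guard, account, now=0.0, batch=500, max_batches=20):
    """Sequential scan of a number block (the scraping pattern) until denied;
    returns (batches_allowed, deny_reason)."""
    for b in range(max_batches):
        nums = [f"+1555{i:07d}" for i in range(b * batch, (b + 1) * batch)]
        verdict, detail = guard.lookup(account, now, nums)
        if verdict == "deny":
            return b, detail
    return max_batches, None

# Constructed registry: every 20th number (~5% density, near the 3.5B/63B reported).
REGISTERED = {f"+1555{i:07d}" for i in range(0, 200000, 20)}
```

With these constructed values a sequential scan is cut off after 1,000 lookups on the hit-rate signal, while an account syncing 50 real contacts passes, and a high-volume but genuine session is only throttled once it exceeds the hourly cap and is admitted again when the window rolls over.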

Conclusion:
The WhatsApp scraping incident serves as a wake-up call for the entire tech ecosystem. As digital platforms grow, their APIs must evolve with equally robust safeguards. Without strict rate limiting, behavior monitoring, and abuse prevention, even the world’s most-used messaging apps remain vulnerable to mass data harvesting. This case proves that the risks of under-secured APIs are not theoretical—they’re global, persistent, and potentially catastrophic.
