Most major platforms have dealt with large-scale data leaks tied to weak or unprotected APIs. You’ve seen this play out with Facebook, X and even Dell.
The pattern is always the same. A feature meant to make life easier becomes a gateway for bulk data collection.
WhatsApp is now part of that list after researchers managed to scrape 3.5 billion phone numbers by exploiting a simple gap in the app’s contact-discovery system.
Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter.
WHATSAPP BANS 6.8M SCAM ACCOUNTS, LAUNCHES SAFETY TOOL
Researchers discovered that weak API limits made it possible to scrape billions of WhatsApp numbers. (Getty Images)
As reported by Bleeping Computer, the entire incident started with WhatsApp’s GetDeviceList API. This is the endpoint the app uses when you add a number to your contacts. It tells WhatsApp to check if that number has an account and what devices are linked to it. The problem was that the API had no meaningful rate limiting. In simple terms, the system didn’t slow down or block repeated requests, which opened the door for mass enumeration.
Researchers from the University of Vienna and SBA Research decided to test how far they could push this. Using only five authenticated sessions and a single university server, they started hammering WhatsApp’s servers with queries. They expected to get blocked fast, but WhatsApp didn’t react at all.
That’s how they were able to check more than 100 million phone numbers per hour. After generating a global pool of 63 billion possible mobile numbers, they ran the list through the API and confirmed 3.5 billion active WhatsApp accounts.
The researchers didn’t stop at confirming account existence. They used other WhatsApp endpoints like GetUserInfo, GetPrekeys and FetchPicture to pull more details. This included profile photos, “about” text, device information and public keys. A test run in the United States alone downloaded 77 million profile photos without hitting any limits, many with clear images of people’s faces. Public “about” sections often revealed personal info or links to other profiles. When compared to Facebook’s 2021 scrape, they found that 58% of leaked Facebook numbers were still active on WhatsApp years later. That’s what makes phone-number leaks so damaging. They stay useful to attackers long after the initial breach.
RUSSIAN LAWMAKERS CLAIM WHATSAPP IS A NATIONAL SECURITY THREAT, SHOULD PREPARE TO LEAVE THE COUNTRY
It’s important to note that this study was done by researchers who haven’t released the data. They also reported the issue to WhatsApp. The company has since added rate-limiting protections to prevent similar abuse from happening again. Still, the findings show how easily threat actors could have done the same thing if they had found the loophole first.
Weak or nonexistent API rate limits have caused several major data leaks in recent years, and WhatsApp isn’t the only example. In 2021, attackers abused Facebook’s “Add Friend” feature by uploading contact lists and checking which numbers matched active accounts. The API lacked proper safeguards, so they scraped 533 million profiles. Meta later confirmed the incident as automated scraping, and the Irish DPC fined the company €265 million.
Twitter had a similar problem when attackers used an API bug to match phone numbers and email addresses to 54 million accounts. Dell also reported that 49 million customer records were scraped after attackers took advantage of an unprotected API endpoint.
All of these cases share the same root cause. APIs that allow account lookups or data queries end up being easy to attack when they don’t limit how often someone can access them. One unchecked feature can turn into a pipeline for mass data collection.
If your phone number ends up in one of these massive scrapes, you can’t pull it back, but you can make sure it’s far less useful to anyone trying to target you. Here are a few steps that help you stay safer.
Turn on 2FA for WhatsApp and every other important account. Even if someone has your number, they can’t break in without that second verification step. It also protects you from SIM-swap attempts since thieves can’t access your accounts with just a password.
A simple automated script pulled phone data at a massive scale without triggering alerts. (eyecrave productions/Getty Images)
A password manager keeps every login unique. If attackers try to pair your scraped number with credential-stuffing attacks, reused passwords won’t give them an easy win. Strong, random passwords shut down a whole category of automated attacks.
Next, see if your email has been exposed in past breaches. Our No. 1 password manager pick includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.
Check out the best expert-reviewed password managers of 2025 at Cyberguy.com.
Opt out of data brokers and people-search sites when you can. The less public information attackers can tie to your number, the harder it is for them to craft convincing phishing messages or identity-based scams.
While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.
IS YOUR FRIEND’S PHONE NUMBER COMPROMISED? HERE’S WHAT TO LOOK FOR
Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com.
Get a free scan to find out if your personal information is already out on the web: Cyberguy.com.
Keep your WhatsApp “about” text minimal. Avoid details like job titles, hometowns, or links to other accounts. Scraped phone numbers often get paired with publicly visible bios to build fuller profiles for scams.
Adjust who can see your profile photo, last-seen and status. Setting these to “Contacts only” or “Nobody” prevents strangers from pulling more personal info once they have your number. To tighten your privacy settings on WhatsApp on iPhone or Android, follow these steps:
These changes prevent people not in your contacts or strangers from pulling personal details from your WhatsApp profile, enhancing your privacy effectively on either iPhone or Android devices.
Because the system lacked proper rate-limiting, the scraping continued undetected for months. (Kurt Knutsson)
A lot of phishing and malware campaigns start with scraped numbers. Strong antivirus software can block malicious links, detect harmful downloads and warn you when something looks suspicious.
The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.
Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices at Cyberguy.com.
Treat unexpected messages with more suspicion. Don’t click links, don’t share OTPs, and don’t respond to anyone asking for verification codes. Once numbers are scraped, scammers ramp up spam and impersonation attempts.
WhatsApp might have fixed the issue, but the bigger problem is still out there. Any platform that exposes an API without proper rate limits is leaving a window open for someone with the right tools and enough time. This scrape shows you how quickly that window can turn into a firehose of personal data. Until API security becomes a priority across the board, you’ll keep seeing leaks like this repeat on bigger and bigger scales.
Do you think apps should be legally required to enforce strict API limits? Let us know by writing to us at Cyberguy.com.
CLICK HERE TO DOWNLOAD THE FOX NEWS APP
Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter.
Copyright 2025 CyberGuy.com. All rights reserved.
Holiday travel is stressful enough with crowded airports, expensive flights and last-minute itinerary changes. But…
When Xpeng unveiled its Next Gen Iron humanoid recently, the robot glided across the stage…
Cybercriminals keep finding new angles to get your attention, and email remains one of their…
Background activity can drain your battery and use your mobile data without you seeing it…
A new phishing scam is getting a lot of attention because it uses real Apple…
FoloToy paused sales of its AI teddy bear Kumma after a safety group found the…