Monday , July 13 2026
API

WhatsApp API flaw let researchers scrape millions of Bangladeshi accounts

Researchers gathered 3.5 billion WhatsApp phone numbers and personal information by abusing a contact-discovery API without proper rate limiting.

This study shows a common tactic used by threat actors to collect user information from unprotected public APIs, even though the researchers haven’t shared the data.

Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Global ransomware attacks stayed very high in the first seven months of 2026. There were 5,064 confirmed victims in 135...
Read More
Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Palo Alto Networks Addresses 13 Vulnerabilities

Palo Alto Networks shared warnings on Wednesday about over twelve security issues in its products. The new warnings include 13 security...
Read More
Palo Alto Networks Addresses 13 Vulnerabilities

Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

A critical flaw with how Dell saves BIOS passwords lets anyone quickly recover these passwords from a flash dump without...
Read More
Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

CoLoCity is proud to launch a new Data Center in Gulshan-2. It is designed to meet the growing demand for...
Read More
CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

Daily Cyber security update for 10. 07. 2026

Cyberattacks are rising around the world, including ransomware, malware, data leaks, and hacked websites. These events show how complex and...
Read More
Daily Cyber security update for 10. 07. 2026

How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

A major AWS attack shows how attackers with AI can connect known cloud strategies to go from first access to...
Read More
How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

Mycelium Framework: First AI-as-a-Service Botnet

A new cybercrime ad is catching attention in the security world. It talks about a botnet that doesn't just get...
Read More
Mycelium Framework: First AI-as-a-Service Botnet

CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

CrowdStrike has shared five new ways to inject prompts, showing the rising danger to AI agents as more organizations use...
Read More
CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

A critical flaw in Google Cloud Platform’s Dialogflow CX lets attackers add harmful code to a company's AI chatbot system....
Read More
Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

CIRT identified 153 publicly exposed FortiGate devices in Bangladesh

CIRT identified 153 publicly exposed FortiGate devices in Bangladesh. In an advisory CIRT said, the campaign has been observed globally,...
Read More
CIRT identified 153 publicly exposed FortiGate devices in Bangladesh

Abusing WhatsApp API:

The researchers from the University of Vienna and SBA Research used WhatsApp’s contact-discovery feature, which lets you submit a phone number to the platform’s GetDeviceList API endpoint to determine whether a phone number is associated with an account and what devices were used.

Without strict rate limiting, APIs can be misused for extensive enumeration on a platform. Researchers discovered that WhatsApp could handle a high volume of queries, processing over 100 million numbers per hour directly to its servers.

They conducted the operation from one university server with only five sessions, expecting WhatsApp to catch them. However, WhatsApp never blocked their accounts, throttled their traffic, restricted their IP, or contacted them despite the abuse from one device.

Source: University of Vienna and SBA Research

Researchers created a global list of 63 billion possible mobile numbers and tested them using the API, finding 3.5 billion active WhatsApp accounts including Bangladesh.

Millions of active accounts were found in countries where WhatsApp was banned, such as China, Iran, North Korea, and Myanmar. In Iran, usage increased after the ban was lifted in December 2024.

Researchers confirmed if a phone number was on WhatsApp and gathered more user info using other API endpoints like GetUserInfo, GetPrekeys, and FetchPicture.

Using these additional APIs, the researchers were able to collect profile photos, “about” text, and information about other devices associated with a WhatsApp phone number.

A test of US numbers downloaded 77 million profile photos without any rate limiting, with many showing identifiable faces. If public “about” text was available, it also revealed personal details and links to other social accounts.

Researchers discovered that 58% of Facebook numbers leaked in 2021 were still active on WhatsApp in 2025. They noted that large-scale phone number leaks pose long-term risks as they can facilitate harmful activities for years.

“With 3.5 B records (i.e., active accounts), we analyze a dataset that would, to our knowledge, classify as the largest data leak in history, had it not been collated as part of a responsibly conducted research study,” explains the “Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy” paper.

“The dataset contains phone numbers, timestamps, about text, profile pictures, and public keys for E2EE encryption, and its release would entail adverse implications to the included users.”

The team reported the issue to WhatsApp, and the company has since added rate-limiting protections to prevent similar abuse.

Check Also

botnet

Mycelium Framework: First AI-as-a-Service Botnet

A new cybercrime ad is catching attention in the security world. It talks about a …