InfoSecBulletin Cybersecurity for mankind
Researchers gathered 3.5 billion WhatsApp phone numbers and personal information by abusing a contact-discovery API without proper rate limiting.
This study shows a common tactic used by threat actors to collect user information from unprotected public APIs, even though the researchers haven’t shared the data.
India’s Tata Electronics hit by cyber breach: Hacker target 630 GB record
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
CyberSentinel AI features 33 security tools like Nmap, SQLMap, and ZAP, utilizing Claude and GPT
Barracuda hosts Dhaka roundtable on cyber resilience
CISA Alerts Fortinet Users as FortiBleed Affects 86,644 FortiGate Devices
CISA: Splunk flaw under active exploit, patch by Sunday
Texas data breach exposes 3 million driver’s licenses
Abusing WhatsApp API:
The researchers from the University of Vienna and SBA Research used WhatsApp’s contact-discovery feature, which lets you submit a phone number to the platform’s GetDeviceList API endpoint to determine whether a phone number is associated with an account and what devices were used.
Without strict rate limiting, APIs can be misused for extensive enumeration on a platform. Researchers discovered that WhatsApp could handle a high volume of queries, processing over 100 million numbers per hour directly to its servers.
They conducted the operation from one university server with only five sessions, expecting WhatsApp to catch them. However, WhatsApp never blocked their accounts, throttled their traffic, restricted their IP, or contacted them despite the abuse from one device.
Researchers created a global list of 63 billion possible mobile numbers and tested them using the API, finding 3.5 billion active WhatsApp accounts including Bangladesh.
Millions of active accounts were found in countries where WhatsApp was banned, such as China, Iran, North Korea, and Myanmar. In Iran, usage increased after the ban was lifted in December 2024.
Researchers confirmed if a phone number was on WhatsApp and gathered more user info using other API endpoints like GetUserInfo, GetPrekeys, and FetchPicture.
Using these additional APIs, the researchers were able to collect profile photos, “about” text, and information about other devices associated with a WhatsApp phone number.
A test of US numbers downloaded 77 million profile photos without any rate limiting, with many showing identifiable faces. If public “about” text was available, it also revealed personal details and links to other social accounts.
Researchers discovered that 58% of Facebook numbers leaked in 2021 were still active on WhatsApp in 2025. They noted that large-scale phone number leaks pose long-term risks as they can facilitate harmful activities for years.
“With 3.5 B records (i.e., active accounts), we analyze a dataset that would, to our knowledge, classify as the largest data leak in history, had it not been collated as part of a responsibly conducted research study,” explains the “Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy” paper.
“The dataset contains phone numbers, timestamps, about text, profile pictures, and public keys for E2EE encryption, and its release would entail adverse implications to the included users.”
The team reported the issue to WhatsApp, and the company has since added rate-limiting protections to prevent similar abuse.
