WhatsApp’s Silent Exposure: How Researchers Uncovered 35 Billion Phone Numbers Through a Simple API Loophole


Introduction

For years, WhatsApp has been regarded as a fortress of privacy, a platform built on end-to-end encryption and trusted by billions. Yet behind the curtain, a quiet weakness allowed researchers to assemble one of the largest user datasets ever scraped from a major tech platform. They used no malware, no insider access, and no complex hacks. Instead, they exploited a single unprotected API feature that lacked one basic safeguard: rate limiting.

Below is a rewritten, expanded, deeply humanized version of the story, summarizing the findings and unpacking the implications for digital privacy.

A Global Snapshot of Exposure: What Researchers Actually Found

The revelation began when researchers from the University of Vienna and SBA Research discovered that WhatsApp’s contact-discovery API could be queried freely, at industrial scale, without triggering suspicion or rate limits. By simply sending phone numbers to the GetDeviceList endpoint, they could confirm which numbers had WhatsApp accounts and even identify the device types associated with those accounts.

Once they realized WhatsApp was not restricting queries, they pushed the test further. From one university server and only five authenticated sessions, they fired off more than 100 million requests per hour. No blocks. No warnings. No throttling. WhatsApp never intervened.

This allowed the team to run a global sweep of 63 billion possible mobile numbers. The results showed 3.5 billion active WhatsApp accounts, producing an unprecedented, real-time map of WhatsApp’s presence worldwide. The dataset revealed:

749 million accounts in India

235 million in Indonesia

206 million in Brazil

138 million in the United States

133 million in Russia

128 million in Mexico

What surprised researchers even more was the prevalence of active accounts in countries where WhatsApp was banned at the time, including China, Iran, North Korea, and Myanmar. Despite strict restrictions, millions still gained access. In Iran, usage even grew after the ban was lifted in December 2024.

But validating account ownership was only the beginning. The researchers pivoted to other WhatsApp APIs, including GetUserInfo, GetPrekeys, and FetchPicture, which exposed even more sensitive user data. A single test involving U.S. phone numbers harvested 77 million profile photos without rate limits, many showing identifiable faces. Public “about” texts revealed personal messages, work details, and even links to other social accounts.

The scale of exposure became especially alarming when compared to the infamous 2021 Facebook data scrape. More than half of the leaked Facebook numbers were still active on WhatsApp in 2025, proving that once a phone number appears in a breach, it can fuel malicious activity for years. Researchers noted that if the WhatsApp dataset had fallen into criminal hands, it would have been the largest data leak in history.

The study stresses that while the team never released the data, the information they collected underscores a simple truth: APIs without proper rate limits are a goldmine for threat actors. The WhatsApp case joins a growing list of major platforms blindsided by the very tools designed to make their services convenient and interconnected.

Facebook’s 533-million-profile scrape, Twitter’s 54-million exposed accounts, and Dell’s 49-million scraped customer records all stemmed from the same root cause: APIs that allow unlimited lookups. In each case, attackers needed no advanced hacking skills. They simply automated requests. And the systems responded with everything they asked for.

The WhatsApp incident finally pushed the company to implement stronger rate-limiting protections, but only after researchers disclosed the problem. It raises pressing questions about how many unchecked APIs are still out there today, quietly leaking information to whoever knows how to ask for it.

What Undercode Says:

The WhatsApp scraping revelation is not an isolated event but part of a broader systemic failure in how large platforms approach API security. Rate limiting is one of the most fundamental protections in the security playbook, yet it remains neglected across countless services. This incident shows how convenience often wins over caution in API design, and how developers sometimes focus more on functionality than abuse prevention.

From an attacker’s perspective, WhatsApp’s contact-discovery API was a perfect target. It required minimal authentication, responded instantly, and did not detect unusual behavior. When a single server can test 100 million numbers per hour without being flagged, you effectively hand threat actors a free enumeration engine capable of mapping the platform’s entire user base.

The consequences are deeper than simple phone-number exposure. Phone numbers act as digital anchors. They link messaging accounts, social media profiles, authentication systems, and sometimes even financial apps. When phone numbers leak, they enable phishing, impersonation, SIM-swap fraud, social engineering, and targeted harassment.

Even more concerning is how persistent these leaks are. Unlike passwords or tokens, phone numbers rarely change. A number leaked in 2021 remains exploitable in 2025. The researchers’ finding that 58 percent of breached Facebook numbers were still active on WhatsApp is a warning sign: the window of exploitation never truly closes.

What makes this incident stand out is that the data was gathered not by criminals but by academics following responsible disclosure practices. If hostile actors had discovered this loophole first, the outcome would have been catastrophic. A dataset of 3.5 billion WhatsApp accounts containing profile images, timestamps, “about” texts, and device keys would be a treasure trove for surveillance groups, cybercriminals, and state-sponsored actors.

This pattern repeats across other platforms. Facebook, Twitter, and Dell all suffered massive exposure due to APIs that were too open for their own good. Tech companies often underestimate how creative attackers can be when presented with an unprotected endpoint. And they underestimate how quickly automated tools can scale.

The WhatsApp case ultimately highlights a structural issue: APIs are growing faster than security teams can audit them. As companies race to add new features, they sometimes forget to build guardrails. And the result is that millions—even billions—of users unknowingly become vulnerable.

This story should be a wake-up call. Developers must rethink API security. Companies must build rate limits, authentication checks, and anomaly detection into every endpoint. And users need to understand that even the most trusted platforms can leak information silently, long before anyone notices.
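As an added illustration (not WhatsApp's code, nor the researchers'), the sketch below applies two of the guardrails named above to a contact-discovery lookup: a per-session sliding-window budget, and a simple anomaly check that flags a session whose queries are mostly for unregistered numbers, which is what a numeric sweep looks like from the server side. The names, thresholds and the tiny sample directory are assumptions for illustration.

```python
"""Per-session budget plus an enumeration heuristic for a number-lookup endpoint.

Added example, not platform code. Models a lookup similar in shape to the
GetDeviceList call discussed above; names and thresholds are assumptions.
"""
from collections import deque
from dataclasses import dataclass, field

# Constructed sample directory standing in for the platform's account store.
REGISTERED = {"+15550000001", "+15550000002", "+15550000003"}

MAX_LOOKUPS_PER_WINDOW = 100    # per authenticated session
WINDOW_SECONDS = 3600.0
MIN_SAMPLE_FOR_HEURISTIC = 20   # do not judge a session on a handful of lookups
MAX_MISS_RATIO = 0.5            # address-book syncs mostly hit; sweeps mostly miss


@dataclass
class SessionState:
    timestamps: deque = field(default_factory=deque)  # lookup times in the window
    hits: int = 0
    misses: int = 0
    flagged: bool = False


class ContactLookup:
    def __init__(self) -> None:
        self.sessions: dict[str, SessionState] = {}

    def lookup(self, session_id: str, number: str, now: float) -> dict:
        st = self.sessions.setdefault(session_id, SessionState())
        if st.flagged:
            return {"status": 403, "registered": None, "flagged": True}
        # Slide the window: forget lookups older than WINDOW_SECONDS.
        while st.timestamps and now - st.timestamps[0] >= WINDOW_SECONDS:
            st.timestamps.popleft()
        if len(st.timestamps) >= MAX_LOOKUPS_PER_WINDOW:
            return {"status": 429, "registered": None, "flagged": False}
        st.timestamps.append(now)
        registered = number in REGISTERED
        if registered:
            st.hits += 1
        else:
            st.misses += 1
        # Enumeration heuristic: a sweep over number ranges produces mostly
        # misses, unlike a genuine contact sync. Flag the session for review
        # and refuse further answers once the ratio is clearly abnormal.
        total = st.hits + st.misses
        if total >= MIN_SAMPLE_FOR_HEURISTIC and st.misses / total > MAX_MISS_RATIO:
            st.flagged = True
        return {"status": 200, "registered": registered, "flagged": st.flagged}
```

In production the budget would live in shared storage keyed by session and account, and the flag would feed an alerting pipeline rather than a boolean; the structure of the check is the point here.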

🔍 Fact Checker Results

WhatsApp’s API lacked rate limiting at the time of testing, allowing large-scale enumeration. ✅

Researchers collected 3.5 billion active WhatsApp numbers with additional metadata. ✅

The scraped dataset was publicly leaked or distributed. ❌

📊 Prediction

WhatsApp and other platforms will tighten API controls in the coming months, reacting to increased scrutiny. 🔐
Threat actors will shift focus toward other overlooked APIs that still lack rate limits. 🔍
Phone-number-based identity systems will face mounting pressure to evolve or be replaced. 📱


References:

Reported By: www.bleepingcomputer.com