Most major platforms have dealt with large-scale data leaks tied to weak or unprotected APIs. You’ve seen this play out with Facebook, X and even Dell.

The pattern is always the same. A feature meant to make life easier becomes a gateway for bulk data collection.

WhatsApp is now part of that list after researchers managed to scrape 3.5 billion phone numbers by exploiting a simple gap in the app’s contact-discovery system.

Sign up for my FREE CyberGuy Report 
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter.   

How the researchers scraped 3.5B WhatsApp numbers

WHATSAPP BANS 6.8M SCAM ACCOUNTS, LAUNCHES SAFETY TOOL

As reported by Bleeping Computer, the entire incident started with WhatsApp’s GetDeviceList API. This is the endpoint the app uses when you add a number to your contacts. It tells WhatsApp to check if that number has an account and what devices are linked to it. The problem was that the API had no meaningful rate limiting. In simple terms, the system didn’t slow down or block repeated requests, which opened the door for mass enumeration.

Researchers from the University of Vienna and SBA Research decided to test how far they could push this. Using only five authenticated sessions and a single university server, they started hammering WhatsApp’s servers with queries. They expected to get blocked fast, but WhatsApp didn’t react at all.

That’s how they were able to check more than 100 million phone numbers per hour. After generating a global pool of 63 billion possible mobile numbers, they ran the list through the API and confirmed 3.5 billion active WhatsApp accounts.

Researchers managed to scrape more than just phone numbers

The researchers didn’t stop at confirming account existence. They used other WhatsApp endpoints like GetUserInfo, GetPrekeys and FetchPicture to pull more details. This included profile photos, “about” text, device information and public keys. A test run in the United States alone downloaded 77 million profile photos without hitting any limits, many with clear images of people’s faces. Public “about” sections often revealed personal info or links to other profiles. When compared to Facebook’s 2021 scrape, they found that 58% of leaked Facebook numbers were still active on WhatsApp years later. That’s what makes phone-number leaks so damaging. They stay useful to attackers long after the initial breach.

RUSSIAN LAWMAKERS CLAIM WHATSAPP IS A NATIONAL SECURITY THREAT, SHOULD PREPARE TO LEAVE THE COUNTRY

It’s important to note that this study was done by researchers who haven’t released the data. They also reported the issue to WhatsApp. The company has since added rate-limiting protections to prevent similar abuse from happening again. Still, the findings show how easily threat actors could have done the same thing if they had found the loophole first.

Why this keeps happening across major platforms

Weak or nonexistent API rate limits have caused several major data leaks in recent years, and WhatsApp isn’t the only example. In 2021, attackers abused Facebook’s “Add Friend” feature by uploading contact lists and checking which numbers matched active accounts. The API lacked proper safeguards, so they scraped 533 million profiles. Meta later confirmed the incident as automated scraping, and the Irish DPC fined the company €265 million.

Twitter had a similar problem when attackers used an API bug to match phone numbers and email addresses to 54 million accounts. Dell also reported that 49 million customer records were scraped after attackers took advantage of an unprotected API endpoint.

All of these cases share the same root cause. APIs that allow account lookups or data queries end up being easy to attack when they don’t limit how often someone can access them. One unchecked feature can turn into a pipeline for mass data collection.

7 steps you can take to keep your WhatsApp data safe

If your phone number ends up in one of these massive scrapes, you can’t pull it back, but you can make sure it’s far less useful to anyone trying to target you. Here are a few steps that help you stay safer.

1) Use two-factor authentication

Turn on 2FA for WhatsApp and every other important account. Even if someone has your number, they can’t break in without that second verification step. It also protects you from SIM-swap attempts since thieves can’t access your accounts with just a password.

2) Use a password manager

A password manager keeps every login unique. If attackers try to pair your scraped number with credential-stuffing attacks, reused passwords won’t give them an easy win. Strong, random passwords shut down a whole category of automated attacks.

Next, see if your email has been exposed in past breaches. Our No. 1 password manager pick includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.

Check out the best expert-reviewed password managers of 2025 at Cyberguy.com.

3) Remove your data from public databases

Opt out of data brokers and people-search sites when you can. The less public information attackers can tie to your number, the harder it is for them to craft convincing phishing messages or identity-based scams.

While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

IS YOUR FRIEND’S PHONE NUMBER COMPROMISED? HERE’S WHAT TO LOOK FOR

Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com.

Get a free scan to find out if your personal information is already out on the web: Cyberguy.com.

4) Limit what you share in profile bios

Keep your WhatsApp “about” text minimal. Avoid details like job titles, hometowns, or links to other accounts. Scraped phone numbers often get paired with publicly visible bios to build fuller profiles for scams.

5) Tighten your privacy settings

Adjust who can see your profile photo, last-seen and status. Setting these to “Contacts only” or “Nobody” prevents strangers from pulling more personal info once they have your number. To tighten your privacy settings on WhatsApp on iPhone or Android, follow these steps:

• Open WhatsApp on your phone on your phone.
• Go to Settings: On iPhone, tap the “Settings” gear icon at the bottom right. On Android, tap the three vertical dots in the top-right corner, then select “Settings.”
• Tap “Account.”
• Tap “Privacy.”
• Adjust the privacy options below to control who can see your personal info:
• Last Seen & Online: Tap “Last Seen & Online” and choose “My Contacts” or “Nobody” to restrict who sees your last active status.
• Profile Photo: Tap “Profile Photo” and select “My Contacts” or “Nobody” to prevent strangers from viewing your profile picture.
• About: Tap “About” and pick “My Contacts” or “Nobody” to limit who can see your About info.
• Status: Tap “Status,” then select “My Contacts,” “My Contacts Except…,” or “Only Share With…” to control who can view your status updates.

These changes prevent people not in your contacts or strangers from pulling personal details from your WhatsApp profile, enhancing your privacy effectively on either iPhone or Android devices.

6) Install strong antivirus software

A lot of phishing and malware campaigns start with scraped numbers. Strong antivirus software can block malicious links, detect harmful downloads and warn you when something looks suspicious.

The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices at Cyberguy.com.

7) Be cautious with unknown calls and messages

Treat unexpected messages with more suspicion. Don’t click links, don’t share OTPs, and don’t respond to anyone asking for verification codes. Once numbers are scraped, scammers ramp up spam and impersonation attempts.

Kurt’s key takeaway

WhatsApp might have fixed the issue, but the bigger problem is still out there. Any platform that exposes an API without proper rate limits is leaving a window open for someone with the right tools and enough time. This scrape shows you how quickly that window can turn into a firehose of personal data. Until API security becomes a priority across the board, you’ll keep seeing leaks like this repeat on bigger and bigger scales.

Do you think apps should be legally required to enforce strict API limits? Let us know by writing to us at Cyberguy.com.

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report 
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter. 

Copyright 2025 CyberGuy.com.  All rights reserved.

Scientists in Switzerland have built a robot as small as a grain of sand. Surgeons control it with magnets and move it through blood vessels to place medicine exactly where it is needed.

Bradley J. Nelson, an author of the paper in Science and a professor of robotics at ETH Zurich, said the team has barely begun to understand what this technology will make possible. He expects surgeons will find many new uses once they see how precise the tool becomes inside the body.

Sign up for my FREE CyberGuy Report 
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter.

RICE-SIZED ROBOT COULD MAKE BRAIN SURGERY SAFER AND LESS INVASIVE

How the magnet steered microrobot works

The robot sits inside a capsule that surgeons guide with magnetic fields. They steer it with a handheld controller that feels familiar and intuitive. Surrounding the patient are six electromagnetic coils. Each coil generates a magnetic force that can push or pull the capsule in any direction.

By combining the fields, surgeons can navigate through blood vessels or cerebrospinal fluid with accuracy. The magnetic force is strong enough to move the capsule even against the flow of blood. This control lets the robot reach places most tools cannot access safely.

The capsule is made from safe materials used in other medical devices such as tantalum, which gives it visibility on X-rays. It also contains iron oxide nanoparticles developed at ETH Zurich. These particles respond to magnets and help the capsule move. Gelatin binds the nanoparticles, the metal and the medication together.

When the capsule reaches its target, surgeons can dissolve the capsule on command. Doctors track every move in real time with X-ray imaging.

HUMANOID ROBOT PERFORMS MEDICAL PROCEDURES VIA REMOTE CONTROL

Why targeted drug delivery matters

Many drugs fail during development because they spread through the entire body rather than staying at the site that needs treatment. That spread causes unwanted side effects. Even simple medicines like aspirin show how this works. You take a pill for a headache, and yet the drug flows everywhere.

A microrobot that can deliver medication directly to a tumor, blood vessel or abnormal tissue could solve that problem. ETH Zurich researchers say the capsule may help treat aneurysms, aggressive brain cancers, and arteriovenous malformations. Tests in pigs and silicone blood vessel models show encouraging results. The team believes this system may reach human clinical trials within three to five years.

What this means to you

If this technology succeeds, future treatments may feel very different from the ones you get today. Instead of receiving medicine that affects your whole body, you may receive therapy that reaches only the exact spot that needs attention. That shift could reduce side effects, shorten recovery times and open the door to new drug designs that were once too risky to use.

Precision care also has the potential to make complex procedures safer for patients who cannot tolerate invasive surgery. Families dealing with aggressive cancers or delicate vascular conditions may eventually benefit from approaches that rely on targeted tools instead of broad systemic drugs.

ROBOTS PERFORM LIKE HUMAN SURGEONS BY JUST WATCHING VIDEOS

Take my quiz: How safe is your online security?

Think your devices and data are truly protected? Take this quick quiz to see where your digital habits stand. From passwords to Wi-Fi settings, you’ll get a personalized breakdown of what you’re doing right and what needs improvement. Take my Quiz here: Cyberguy.com.

Kurt’s key takeaways

The idea of a grain-sized robot navigating the bloodstream sounds bold, yet the science behind it is moving forward fast. Researchers have shown that the capsule moves with precision, tracks well under imaging and dissolves on command. Early results hint at a future where drug delivery becomes far more focused and far less harmful. This work still sits in the early stages, but it already points toward a new era of medical robotics.

If doctors could send a tiny robot directly to the source of a medical problem, what treatment would you want this technology to improve first? Let us know by writing to us at Cyberguy.com.

Sign up for my FREE CyberGuy Report 
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter.

Copyright 2025 CyberGuy.com.  All rights reserved.