Most major platforms have dealt with large-scale data leaks tied to weak or unprotected APIs. You’ve seen this play out with Facebook, X and even Dell.

The pattern is always the same. A feature meant to make life easier becomes a gateway for bulk data collection.

WhatsApp is now part of that list after researchers managed to scrape 3.5 billion phone numbers by exploiting a simple gap in the app’s contact-discovery system.

Sign up for my FREE CyberGuy Report 
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter.   

How the researchers scraped 3.5B WhatsApp numbers

WHATSAPP BANS 6.8M SCAM ACCOUNTS, LAUNCHES SAFETY TOOL

As reported by Bleeping Computer, the entire incident started with WhatsApp’s GetDeviceList API. This is the endpoint the app uses when you add a number to your contacts. It tells WhatsApp to check if that number has an account and what devices are linked to it. The problem was that the API had no meaningful rate limiting. In simple terms, the system didn’t slow down or block repeated requests, which opened the door for mass enumeration.

Researchers from the University of Vienna and SBA Research decided to test how far they could push this. Using only five authenticated sessions and a single university server, they started hammering WhatsApp’s servers with queries. They expected to get blocked fast, but WhatsApp didn’t react at all.

That’s how they were able to check more than 100 million phone numbers per hour. After generating a global pool of 63 billion possible mobile numbers, they ran the list through the API and confirmed 3.5 billion active WhatsApp accounts.

Researchers managed to scrape more than just phone numbers

The researchers didn’t stop at confirming account existence. They used other WhatsApp endpoints like GetUserInfo, GetPrekeys and FetchPicture to pull more details. This included profile photos, “about” text, device information and public keys. A test run in the United States alone downloaded 77 million profile photos without hitting any limits, many with clear images of people’s faces. Public “about” sections often revealed personal info or links to other profiles. When compared to Facebook’s 2021 scrape, they found that 58% of leaked Facebook numbers were still active on WhatsApp years later. That’s what makes phone-number leaks so damaging. They stay useful to attackers long after the initial breach.

RUSSIAN LAWMAKERS CLAIM WHATSAPP IS A NATIONAL SECURITY THREAT, SHOULD PREPARE TO LEAVE THE COUNTRY

It’s important to note that this study was done by researchers who haven’t released the data. They also reported the issue to WhatsApp. The company has since added rate-limiting protections to prevent similar abuse from happening again. Still, the findings show how easily threat actors could have done the same thing if they had found the loophole first.

Why this keeps happening across major platforms

Weak or nonexistent API rate limits have caused several major data leaks in recent years, and WhatsApp isn’t the only example. In 2021, attackers abused Facebook’s “Add Friend” feature by uploading contact lists and checking which numbers matched active accounts. The API lacked proper safeguards, so they scraped 533 million profiles. Meta later confirmed the incident as automated scraping, and the Irish DPC fined the company €265 million.

Twitter had a similar problem when attackers used an API bug to match phone numbers and email addresses to 54 million accounts. Dell also reported that 49 million customer records were scraped after attackers took advantage of an unprotected API endpoint.

All of these cases share the same root cause. APIs that allow account lookups or data queries end up being easy to attack when they don’t limit how often someone can access them. One unchecked feature can turn into a pipeline for mass data collection.

7 steps you can take to keep your WhatsApp data safe

If your phone number ends up in one of these massive scrapes, you can’t pull it back, but you can make sure it’s far less useful to anyone trying to target you. Here are a few steps that help you stay safer.

1) Use two-factor authentication

Turn on 2FA for WhatsApp and every other important account. Even if someone has your number, they can’t break in without that second verification step. It also protects you from SIM-swap attempts since thieves can’t access your accounts with just a password.

2) Use a password manager

A password manager keeps every login unique. If attackers try to pair your scraped number with credential-stuffing attacks, reused passwords won’t give them an easy win. Strong, random passwords shut down a whole category of automated attacks.

Next, see if your email has been exposed in past breaches. Our No. 1 password manager pick includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.

Check out the best expert-reviewed password managers of 2025 at Cyberguy.com.

3) Remove your data from public databases

Opt out of data brokers and people-search sites when you can. The less public information attackers can tie to your number, the harder it is for them to craft convincing phishing messages or identity-based scams.

While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

IS YOUR FRIEND’S PHONE NUMBER COMPROMISED? HERE’S WHAT TO LOOK FOR

Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com.

Get a free scan to find out if your personal information is already out on the web: Cyberguy.com.

4) Limit what you share in profile bios

Keep your WhatsApp “about” text minimal. Avoid details like job titles, hometowns, or links to other accounts. Scraped phone numbers often get paired with publicly visible bios to build fuller profiles for scams.

5) Tighten your privacy settings

Adjust who can see your profile photo, last-seen and status. Setting these to “Contacts only” or “Nobody” prevents strangers from pulling more personal info once they have your number. To tighten your privacy settings on WhatsApp on iPhone or Android, follow these steps:

• Open WhatsApp on your phone on your phone.
• Go to Settings: On iPhone, tap the “Settings” gear icon at the bottom right. On Android, tap the three vertical dots in the top-right corner, then select “Settings.”
• Tap “Account.”
• Tap “Privacy.”
• Adjust the privacy options below to control who can see your personal info:
• Last Seen & Online: Tap “Last Seen & Online” and choose “My Contacts” or “Nobody” to restrict who sees your last active status.
• Profile Photo: Tap “Profile Photo” and select “My Contacts” or “Nobody” to prevent strangers from viewing your profile picture.
• About: Tap “About” and pick “My Contacts” or “Nobody” to limit who can see your About info.
• Status: Tap “Status,” then select “My Contacts,” “My Contacts Except…,” or “Only Share With…” to control who can view your status updates.

These changes prevent people not in your contacts or strangers from pulling personal details from your WhatsApp profile, enhancing your privacy effectively on either iPhone or Android devices.

6) Install strong antivirus software

A lot of phishing and malware campaigns start with scraped numbers. Strong antivirus software can block malicious links, detect harmful downloads and warn you when something looks suspicious.

The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices at Cyberguy.com.

7) Be cautious with unknown calls and messages

Treat unexpected messages with more suspicion. Don’t click links, don’t share OTPs, and don’t respond to anyone asking for verification codes. Once numbers are scraped, scammers ramp up spam and impersonation attempts.

Kurt’s key takeaway

WhatsApp might have fixed the issue, but the bigger problem is still out there. Any platform that exposes an API without proper rate limits is leaving a window open for someone with the right tools and enough time. This scrape shows you how quickly that window can turn into a firehose of personal data. Until API security becomes a priority across the board, you’ll keep seeing leaks like this repeat on bigger and bigger scales.

Do you think apps should be legally required to enforce strict API limits? Let us know by writing to us at Cyberguy.com.

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report 
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter. 

Copyright 2025 CyberGuy.com.  All rights reserved.