Roger Linn is a legend in the world of musical instruments. He’s been at the cutting edge of music technology for decades. He created the LM-1, the first drum machine to use samples, and its successor, the LinnDrum, is one of the most iconic drum machines of all time. They were used on countless records in the 1980s, including hits by Tom Petty, Queen, and Tears for Fears. But the most notable fan was probably Prince, who used them extensively on Purple Rain and 1999.
Technology
How 3.5B WhatsApp numbers were scraped and exposed
NEWYou can now listen to Fox News articles!
Most major platforms have dealt with large-scale data leaks tied to weak or unprotected APIs. You’ve seen this play out with Facebook, X and even Dell.
The pattern is always the same. A feature meant to make life easier becomes a gateway for bulk data collection.
WhatsApp is now part of that list after researchers managed to scrape 3.5 billion phone numbers by exploiting a simple gap in the app’s contact-discovery system.
Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter.
How the researchers scraped 3.5B WhatsApp numbers
WHATSAPP BANS 6.8M SCAM ACCOUNTS, LAUNCHES SAFETY TOOL
Researchers discovered that weak API limits made it possible to scrape billions of WhatsApp numbers. (Getty Images)
As reported by Bleeping Computer, the entire incident started with WhatsApp’s GetDeviceList API. This is the endpoint the app uses when you add a number to your contacts. It tells WhatsApp to check if that number has an account and what devices are linked to it. The problem was that the API had no meaningful rate limiting. In simple terms, the system didn’t slow down or block repeated requests, which opened the door for mass enumeration.
Researchers from the University of Vienna and SBA Research decided to test how far they could push this. Using only five authenticated sessions and a single university server, they started hammering WhatsApp’s servers with queries. They expected to get blocked fast, but WhatsApp didn’t react at all.
That’s how they were able to check more than 100 million phone numbers per hour. After generating a global pool of 63 billion possible mobile numbers, they ran the list through the API and confirmed 3.5 billion active WhatsApp accounts.
Researchers managed to scrape more than just phone numbers
The researchers didn’t stop at confirming account existence. They used other WhatsApp endpoints like GetUserInfo, GetPrekeys and FetchPicture to pull more details. This included profile photos, “about” text, device information and public keys. A test run in the United States alone downloaded 77 million profile photos without hitting any limits, many with clear images of people’s faces. Public “about” sections often revealed personal info or links to other profiles. When compared to Facebook’s 2021 scrape, they found that 58% of leaked Facebook numbers were still active on WhatsApp years later. That’s what makes phone-number leaks so damaging. They stay useful to attackers long after the initial breach.
RUSSIAN LAWMAKERS CLAIM WHATSAPP IS A NATIONAL SECURITY THREAT, SHOULD PREPARE TO LEAVE THE COUNTRY
It’s important to note that this study was done by researchers who haven’t released the data. They also reported the issue to WhatsApp. The company has since added rate-limiting protections to prevent similar abuse from happening again. Still, the findings show how easily threat actors could have done the same thing if they had found the loophole first.
Why this keeps happening across major platforms
Weak or nonexistent API rate limits have caused several major data leaks in recent years, and WhatsApp isn’t the only example. In 2021, attackers abused Facebook’s “Add Friend” feature by uploading contact lists and checking which numbers matched active accounts. The API lacked proper safeguards, so they scraped 533 million profiles. Meta later confirmed the incident as automated scraping, and the Irish DPC fined the company €265 million.
Twitter had a similar problem when attackers used an API bug to match phone numbers and email addresses to 54 million accounts. Dell also reported that 49 million customer records were scraped after attackers took advantage of an unprotected API endpoint.
All of these cases share the same root cause. APIs that allow account lookups or data queries end up being easy to attack when they don’t limit how often someone can access them. One unchecked feature can turn into a pipeline for mass data collection.
7 steps you can take to keep your WhatsApp data safe
If your phone number ends up in one of these massive scrapes, you can’t pull it back, but you can make sure it’s far less useful to anyone trying to target you. Here are a few steps that help you stay safer.
1) Use two-factor authentication
Turn on 2FA for WhatsApp and every other important account. Even if someone has your number, they can’t break in without that second verification step. It also protects you from SIM-swap attempts since thieves can’t access your accounts with just a password.
A simple automated script pulled phone data at a massive scale without triggering alerts. (eyecrave productions/Getty Images)
2) Use a password manager
A password manager keeps every login unique. If attackers try to pair your scraped number with credential-stuffing attacks, reused passwords won’t give them an easy win. Strong, random passwords shut down a whole category of automated attacks.
Next, see if your email has been exposed in past breaches. Our No. 1 password manager pick includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.
Check out the best expert-reviewed password managers of 2025 at Cyberguy.com.
3) Remove your data from public databases
Opt out of data brokers and people-search sites when you can. The less public information attackers can tie to your number, the harder it is for them to craft convincing phishing messages or identity-based scams.
While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.
IS YOUR FRIEND’S PHONE NUMBER COMPROMISED? HERE’S WHAT TO LOOK FOR
Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com.
Get a free scan to find out if your personal information is already out on the web: Cyberguy.com.
4) Limit what you share in profile bios
Keep your WhatsApp “about” text minimal. Avoid details like job titles, hometowns, or links to other accounts. Scraped phone numbers often get paired with publicly visible bios to build fuller profiles for scams.
5) Tighten your privacy settings
Adjust who can see your profile photo, last-seen and status. Setting these to “Contacts only” or “Nobody” prevents strangers from pulling more personal info once they have your number. To tighten your privacy settings on WhatsApp on iPhone or Android, follow these steps:
- Open WhatsApp on your phone on your phone.
- Go to Settings: On iPhone, tap the “Settings” gear icon at the bottom right. On Android, tap the three vertical dots in the top-right corner, then select “Settings.”
- Tap “Account.”
- Tap “Privacy.”
- Adjust the privacy options below to control who can see your personal info:
- Last Seen & Online: Tap “Last Seen & Online” and choose “My Contacts” or “Nobody” to restrict who sees your last active status.
- Profile Photo: Tap “Profile Photo” and select “My Contacts” or “Nobody” to prevent strangers from viewing your profile picture.
- About: Tap “About” and pick “My Contacts” or “Nobody” to limit who can see your About info.
- Status: Tap “Status,” then select “My Contacts,” “My Contacts Except…,” or “Only Share With…” to control who can view your status updates.
These changes prevent people not in your contacts or strangers from pulling personal details from your WhatsApp profile, enhancing your privacy effectively on either iPhone or Android devices.
Because the system lacked proper rate-limiting, the scraping continued undetected for months. (Kurt Knutsson)
6) Install strong antivirus software
A lot of phishing and malware campaigns start with scraped numbers. Strong antivirus software can block malicious links, detect harmful downloads and warn you when something looks suspicious.
The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.
Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices at Cyberguy.com.
7) Be cautious with unknown calls and messages
Treat unexpected messages with more suspicion. Don’t click links, don’t share OTPs, and don’t respond to anyone asking for verification codes. Once numbers are scraped, scammers ramp up spam and impersonation attempts.
Kurt’s key takeaway
WhatsApp might have fixed the issue, but the bigger problem is still out there. Any platform that exposes an API without proper rate limits is leaving a window open for someone with the right tools and enough time. This scrape shows you how quickly that window can turn into a firehose of personal data. Until API security becomes a priority across the board, you’ll keep seeing leaks like this repeat on bigger and bigger scales.
Do you think apps should be legally required to enforce strict API limits? Let us know by writing to us at Cyberguy.com.
CLICK HERE TO DOWNLOAD THE FOX NEWS APP
Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide — free when you join my CYBERGUY.COM newsletter.
Copyright 2025 CyberGuy.com. All rights reserved.
Somehow, those are not his greatest contributions to the music world. That would, undoubtedly, be the MPC. Linn partnered with Akai to create one of the most popular and important samplers ever. The MPC60 and its successors became the tool of choice for countless hip-hop and house producers. J Dilla’s MPC 3000 even sits in the Smithsonian.
Roger Linn was also an early adopter of MPE, or MIDI polyphonic expression. It’s a key feature of his LinnStrument, an expressive 3D controller released in 2014 — three years before the Association of Musical Electronics Industry (AMEI) officially released the MPE standard. Turns out the man stays so innovative by keeping things simple and focused.
What is your most indispensable tool?
My MacBook Pro.
Which is the most underappreciated?
My Vision Pro. I called it the most amazing product I rarely use.
What is the first app you install on a new phone or computer?
On a computer, Rhino3D.
What is one thing you wish you could change about your phone?
Apple Mail’s bugs.
What sites do you have pinned to your tab bar?
New York Times.
How many tabs do you have open right now?
One. This document.
Which social media platform do you use the most (if any)?
I don’t use social media except to announce my monthly “All Things LinnStrument” email newsletter.
What is your happy place online?
A VR app for the Meta Quest called Walkabout Mini Golf. It was a large number of artistically created open VR worlds that offer a surprising level of beauty from the Quest 3’s limited power. I go there to play a game of mini golf, fly around, or meet friends in a private instance of a particular world.
What is your favorite gadget you’ve ever owned?
I don’t know about “ever”, but these days it’s VR headsets, currently the Meta Quest 3 or Apple Vision Pro.
Which was the most disappointing?
In general, I’m disappointed by products that are designed by engineers who assume their customers are engineers.
What game do you have the fondest memories of?
Myst.
Which tech trend do you wish would go away?
Spam.
What creation are you most proud of?
LinnStrument.
What’s the best piece of advice you’ve ever received?
Keep it simple.
What is your current obsession?
VR.
What do you do when you need to focus?
Breathe. Calm down.
What do you do when you’re feeling stuck?
I try to shift my perspective.
When was the last time you went somewhere without your phone?
I never go anywhere without my phone. Maybe swimming.
What’s the last piece of physical media you bought?
That would be a long time ago. I’ve only bought books, music, films, etc. in digital form for a long time.
What do you think is worth splurging on?
If someone made a VR headset with retina resolution, very high power, lots of beautiful open worlds, but it was expensive, I’d probably buy it.
What would the tagline for your biopic be?
“He created tools that allowed musicians to make better music.”
What’s the last GIF or meme you used?
This isn’t a GIF, but maybe it’s a meme:
( ͡° ͜ʖ ͡°)
Follow topics and authors from this story to see more like this in your personalized homepage feed and to receive email updates.
NEWYou can now listen to Fox News articles!
A robot mower sounds like the kind of yard tool that should make life easier. It cuts the grass, saves you time and quietly handles a chore most people would rather avoid.
But a new independent security report raises a bigger concern about what may be happening behind the scenes. Security researcher Andreas Makris says Yarbo robots, which include autonomous lawn mowers and snow blowers, contained serious flaws that could expose owners to remote access, live camera viewing and Wi-Fi credential theft. The report says roughly 6,000 robots are currently affected.
Yarbo has since responded through its Security Center, saying the core technical findings are accurate and that it has started rolling out security fixes. Still, the report raises important questions about how much access smart yard devices should have inside your home network.
Sign up for my FREE CyberGuy Report
- Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox.
- For simple, real-world ways to spot scams early and stay protected, visit CyberGuy.com – trusted by millions who watch CyberGuy on TV daily.
- Plus, you’ll get instant access to my Ultimate Scam Survival Guide free when you join.
SMART HOME HACKING FEARS: WHAT’S REAL AND WHAT’S HYPE
A robot mower connected to home Wi-Fi can create security risks if remote access controls are weak or unclear. (Yarbo)
Yarbo robot security risk: What the report claims
Makris says Yarbo robots ship with a persistent remote access setup that uses a tunnel to reach the robot over the internet. According to the report, the robots also include a hardcoded root password shared across the fleet and a remote connection method tied to the robot’s serial number. That is important because “root” access gives someone deep control over the device. In simple terms, it can mean administrator-level access to the system inside the robot. The report also says the remote tunnel runs automatically, can restart itself if stopped and may return if removed. That raises a major concern for owners because they may not have a simple switch in the app to shut it off.
Why a robot mower could put your home network at risk
Smart devices often need internet access to work. App controls, software updates, diagnostics and support all depend on that connection. However, Makris claims Yarbo’s setup creates a much riskier situation. He says remote access appears to be built into every robot, rather than turned on only when an owner asks for help. The report says an attacker with the right information could potentially reach a robot remotely, access internal functions and use it as a foothold on the owner’s network. So while a robot mower may seem harmless as it cuts grass, rolls through the yard or parks near the garage, that same machine can also connect to your Wi-Fi, carry cameras and sit close to your home every day.
5 WORRISOME PRIVACY CLAUSES HIDDEN IN SMART HOME DEVICES
The Yarbo report raises concerns about remote access, live camera feeds and saved Wi-Fi credentials on connected yard robots. (Yarbo)
Yarbo camera access concerns for homeowners
According to the report, Yarbo robots can have multiple camera feeds. Makris says that if someone gained root access through the remote tunnel, they could potentially view the robot’s surroundings remotely. That could include a driveway, backyard, entryway, garage area or outdoor space where your family spends time. For homeowners, this concern goes beyond a glitch. A camera-equipped device outside your home deserves the same scrutiny as a camera inside your home.
How saved Wi-Fi passwords could be exposed
The report also says an attacker with root access could retrieve saved Wi-Fi credentials from the robot’s system. That would be a serious issue because many homes use one main Wi-Fi network for phones, laptops, tablets, smart TVs, security devices and more. Once someone has your Wi-Fi password, the risk can spread. They may try to reach other connected devices or look for weak spots that were never meant to face the internet. This is why connected outdoor equipment should never get a free pass. A lawn robot may be housed outside or in the garage, but its network access can reach inside.
What Yarbo says now
After Makris published his report, Yarbo posted a response to its Security Center page on its website. The company said the report identified serious vulnerabilities in its remote diagnostic, credential management and data-handling systems. Yarbo co-founder Kenneth Kohlmann also said the “core technical findings are accurate” and acknowledged that the company’s initial response did not reflect the seriousness of the issues.
Yarbo says the problems primarily involved historical design choices in parts of its remote diagnostic, access management and data-handling systems. The company also said some legacy support tools did not give users enough visibility or control. Yarbo said some authentication and credential systems did not meet its current security expectations.
A NEW SECURITY SEAL OF APPROVAL IS COMING TO YOUR SMART HOME GADGETS
Security experts recommend keeping smart yard devices on a guest network instead of your main home Wi-Fi. (Yarbo)
What Yarbo says it has fixed
Yarbo says it has taken several remediation steps since the report was published. According to the company, it has retired historical fleet-level root credentials, revoked shared FRP remote-access credentials and disabled related FRP server-side connection paths.
The company also says updated versions of the Yarbo mobile app no longer contain static credentials or embedded access mechanisms capable of directly authenticating against backend services. Yarbo says it has removed reporting scripts, legacy dependencies and non-essential network configurations that no longer served a necessary product function.
However, Yarbo says more work remains. The company says it is rebuilding its credential management system so any remaining shared-credential models can be replaced with individually scoped, per-device credentials. Each credential would support independent rotation and revocation.
Why Yarbo data connections raise privacy questions
The report also points to connections involving Hanyangtech, Yarbo’s Shenzhen-based parent company, along with ByteDance Feishu, Tencent TDMQ and Chinese DNS resolvers. Makris says some robot telemetry can be sent to ByteDance’s Feishu platform and that certain infrastructure choices are built into the firmware.
Yarbo now says it has removed reporting scripts, legacy dependencies and non-essential network configurations that no longer served a necessary operational or product function. The company also says historical servers and legacy access channels will continue to be phased out as part of its remediation work.
The core issue is transparency. Owners should know where their devices send data, which companies can access it and whether those connections are essential for normal use. That level of clarity matters even more for devices with cameras, location data and access to home networks.
What this means for you
If you own a Yarbo robot, this report means you should treat it like any other connected device with cameras, location data and access to your home Wi-Fi. Yarbo says it is pushing security updates automatically to connected devices. That means owners should connect their Yarbo long enough to receive the latest security update. After that, consider moving it back to a guest network or an isolated smart-device network.
CyberGuy reached out to Yarbo, and a representative said the company encouraged readers to refer to the Security Center at yarbo.com/pages/yarbo-security-center for the latest verified information and ongoing updates.
How Yarbo owners can reduce the risk
You may not be able to control everything happening inside the robot, but you can take a few practical steps to limit what it can reach on your home network.
1) Put the robot on a guest network
Do not keep your robot mower on the same network as your laptop, phone or security cameras. Use a guest network or a separate smart-device network if your router supports it.
2) Change your main Wi-Fi password if you are concerned
If your robot has connected to your main Wi-Fi and you are worried about exposure, change the Wi-Fi password. Use a strong, unique password and store it in a trusted password manager so you do not have to reuse or remember it. Then reconnect only trusted devices. Check out the best expert-reviewed password managers of 2026 at Cyberguy.com
3) Check your router for unknown devices
Open your router app or admin page and review connected devices. Look for anything unfamiliar. Remove devices you do not recognize.
4) Limit what the robot can access
Some routers let you isolate guest devices. Turn that on when available. This can keep the robot from seeing other devices on your network.
5) Ask Yarbo for specific answers
Owners should ask what remote diagnostic access remains, whether credentials are now unique per robot and whether the company will provide a true off switch for remote diagnostics.
6) Keep the robot updated, but stay cautious
Yarbo says security updates are delivered automatically once devices connect to the internet. Connect the robot through a guest network or an isolated smart-device network so it can receive the latest update without giving it access to your main devices.
Join CyberGuy Live: Lock Down Your Phone in 30 Minutes (Saturday, June 13, 10 am ET)
Your phone holds your email, passwords, photos, banking apps and personal data. In this free, live online class, Kurt the CyberGuy will walk you step by step through simple phone security fixes you can do in real time. You’ll learn how to improve your privacy settings, spot the latest phone scams, use trusted security tools and walk away with a simple checklist to stay protected. Register here: CyberGuyLive.com
Kurt’s key takeaways
The Yarbo report is a reminder that convenience can come with hidden access. A robot mower may seem like a helpful yard tool, but under the hood, it can act like a connected computer with cameras, location data and a path into your network. The biggest concern is control. Owners need to know who can reach their devices, when remote access turns on and whether they can shut it off. A company should not expect you to trust a black box sitting on your Wi-Fi. If you own one of these robots, isolate it from your main network and push Yarbo for clear answers. If you are shopping for any smart yard device, ask about security before you ask about battery life.
Would you let a smart yard robot onto your Wi-Fi if the company could not clearly explain who can access it and when? Let us know by writing to us at Cyberguy.com
CLICK HERE TO DOWNLOAD THE FOX NEWS APP
Sign up for my FREE CyberGuy Report
- Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox.
- For simple, real-world ways to spot scams early and stay protected, visit CyberGuy.com – trusted by millions who watch CyberGuy on TV daily.
- Plus, you’ll get instant access to my Ultimate Scam Survival Guide free when you join.
Copyright 2026 CyberGuy.com. All rights reserved.
Google’s AI Overviews are running into an interesting problem right now. Earlier on Friday, if you searched for the term “disregard,” the AI Overview section would include a response like what you’d see from a more traditional AI chatbot instead of the typical AI summary, as spotted on X. As you can see in the image at the top of this story, I got an AI Overview response that said, “Got it. If you need anything else or have a new question later, just let me know!”
As of Friday afternoon, however, Google isn’t showing an AI Overview for the term “disregard” at all — instead, it shows a list of news stories about the issue first. Google hasn’t replied to our requests for comment. In a statement to Android Authority, a spokesperson said that “We’re aware that AI Overviews are misinterpreting some action-related queries, and we’re working on a fix, which will roll out soon.”
AI Overviews haven’t just been tripping up over the word “disregard.” When searching for “ignore,” Google’s AI Overview section showed the following message to a Verge colleague:
Message received! I’m here and ready to help. What would you like to focus on today? Just let me know if there’s a specific topic, task, or question you’d like to explore.
When they searched “skip,” the AI Overview section said:
It looks like your message was just a test or a typo! Feel free to ask a question, share a prompt, or let me know how I can help you with your tasks today. I’m ready whenever you are!
As of Friday afternoon, Google is still showing me AI Overviews with broken responses when I search for “ignore” and “skip.”
As funny as this all is, it’s almost certainly just some kind of bug — I expect Google will fix it soon enough. Maybe Google Search itself is tired after everything that happened at Google I/O.
Updates, May 22nd: Google now isn’t showing AI Overviews for “disregard.” Also added a Google statement.
-
Michigan4 minutes agoFormer border officer from Michigan sentenced for distribution of child pornography
-
Massachusetts10 minutes agoCeltics Heavily Tied To Legendary Massachusetts-Born UConn Prospect | NESN
-
Minnesota15 minutes agoReal Salt Lake settles for a draw as Minnesota United scores in stoppage time
-
Mississippi22 minutes agoGame Time Set for Oklahoma and Mississippi State’s Super Regional Finale
-
Missouri28 minutes agoKansas City, Missouri, man indicted in 2024 fatal crash
-
Montana34 minutes agoMontana Fishing Reports May 23rd
-
Nebraska40 minutes ago
Nebraska softball beats Oklahoma State in NCAA Super Regional; Heads to Women’s College World Series
-
Nevada46 minutes agoThe early voting blog, Primary 2026 – The Nevada Independent
