How 3.5B WhatsApp numbers were scraped and exposed

Most large platforms person dealt with large-scale information leaks tied to anemic oregon unprotected APIs. You've seen this play retired with Facebook, X and adjacent Dell.

The signifier is ever the same. A diagnostic meant to marque beingness easier becomes a gateway for bulk information collection.

WhatsApp is present portion of that database aft researchers managed to scrape 3.5 cardinal telephone numbers by exploiting a elemental spread successful the app's contact-discovery system.

Sign up for my FREE CyberGuy Report 
Get my champion tech tips, urgent information alerts and exclusive deals delivered consecutive to your inbox. Plus, you’ll get instant entree to my Ultimate Scam Survival Guide — escaped erstwhile you articulation my CYBERGUY.COM newsletter.   

How the researchers scraped 3.5B WhatsApp numbers

WHATSAPP BANS 6.8M SCAM ACCOUNTS, LAUNCHES SAFETY TOOL

Researchers discovered that anemic API limits made it imaginable to scrape billions of WhatsApp numbers. (Getty Images)

As reported by Bleeping Computer, the full incidental started with WhatsApp's GetDeviceList API. This is the endpoint the app uses erstwhile you adhd a fig to your contacts. It tells WhatsApp to cheque if that fig has an relationship and what devices are linked to it. The occupation was that the API had nary meaningful complaint limiting. In elemental terms, the strategy didn't dilatory down oregon artifact repeated requests, which opened the doorway for wide enumeration.

Researchers from the University of Vienna and SBA Research decided to trial however acold they could propulsion this. Using lone 5 authenticated sessions and a azygous assemblage server, they started hammering WhatsApp's servers with queries. They expected to get blocked fast, but WhatsApp didn't respond astatine all.

That's however they were capable to cheque much than 100 cardinal telephone numbers per hour. After generating a planetary excavation of 63 cardinal imaginable mobile numbers, they ran the database done the API and confirmed 3.5 cardinal progressive WhatsApp accounts.

Researchers managed to scrape much than conscionable telephone numbers

The researchers didn't halt astatine confirming relationship existence. They utilized different WhatsApp endpoints similar GetUserInfo, GetPrekeys and FetchPicture to propulsion much details. This included illustration photos, "about" text, instrumentality accusation and nationalist keys. A trial tally successful the United States unsocial downloaded 77 cardinal illustration photos without hitting immoderate limits, galore with wide images of people's faces. Public "about" sections often revealed idiosyncratic info oregon links to different profiles. When compared to Facebook's 2021 scrape, they recovered that 58% of leaked Facebook numbers were inactive progressive connected WhatsApp years later. That's what makes phone-number leaks truthful damaging. They enactment utile to attackers agelong aft the archetypal breach.

RUSSIAN LAWMAKERS CLAIM WHATSAPP IS A NATIONAL SECURITY THREAT, SHOULD PREPARE TO LEAVE THE COUNTRY

It's important to enactment that this survey was done by researchers who haven't released the data. They besides reported the contented to WhatsApp. The institution has since added rate-limiting protections to forestall akin maltreatment from happening again. Still, the findings amusement however easy menace actors could person done the aforesaid happening if they had recovered the loophole first.

Why this keeps happening crossed large platforms

Weak oregon nonexistent API complaint limits person caused respective large information leaks successful caller years, and WhatsApp isn’t the lone example. In 2021, attackers abused Facebook’s "Add Friend" diagnostic by uploading interaction lists and checking which numbers matched progressive accounts. The API lacked due safeguards, truthful they scraped 533 cardinal profiles. Meta aboriginal confirmed the incidental arsenic automated scraping, and the Irish DPC fined the institution €265 million.

Twitter had a akin occupation erstwhile attackers utilized an API bug to lucifer telephone numbers and email addresses to 54 cardinal accounts. Dell besides reported that 49 cardinal lawsuit records were scraped aft attackers took vantage of an unprotected API endpoint.

All of these cases stock the aforesaid basal cause. APIs that let relationship lookups oregon information queries extremity up being casual to onslaught erstwhile they don't bounds however often idiosyncratic tin entree them. One unchecked diagnostic tin crook into a pipeline for wide information collection.

7 steps you tin instrumentality to support your WhatsApp information safe

If your telephone fig ends up successful 1 of these monolithic scrapes, you can't propulsion it back, but you tin marque definite it's acold little utile to anyone trying to people you. Here are a fewer steps that assistance you enactment safer.

1) Use two-factor authentication

Turn connected 2FA for WhatsApp and each different important account. Even if idiosyncratic has your number, they can't interruption successful without that 2nd verification step. It besides protects you from SIM-swap attempts since thieves can't entree your accounts with conscionable a password.

A elemental automated publication pulled telephone information astatine a monolithic standard without triggering alerts. (eyecrave productions/Getty Images)

2) Use a password manager

A password manager keeps each login unique. If attackers effort to brace your scraped fig with credential-stuffing attacks, reused passwords won't springiness them an casual win. Strong, random passwords unopen down a full class of automated attacks.

Next, spot if your email has been exposed successful past breaches. Our No. 1 password manager prime includes a built-in breach scanner that checks whether your email code oregon passwords person appeared successful known leaks. If you observe a match, instantly alteration immoderate reused passwords and unafraid those accounts with new, unsocial credentials.

Check retired the champion expert-reviewed password managers of 2025 astatine Cyberguy.com.

3) Remove your information from nationalist databases

Opt retired of information brokers and people-search sites erstwhile you can. The little nationalist accusation attackers tin necktie to your number, the harder it is for them to trade convincing phishing messages oregon identity-based scams.

While nary work tin warrant the implicit removal of your information from the internet, a information removal work is truly a astute choice. They aren't cheap, and neither is your privacy. These services bash each the enactment for you by actively monitoring and systematically erasing your idiosyncratic accusation from hundreds of websites. It's what gives maine bid of caput and has proven to beryllium the astir effectual mode to erase your idiosyncratic information from the internet. By limiting the accusation available, you trim the hazard of scammers cross-referencing information from breaches with accusation they mightiness find connected the acheronian web, making it harder for them to people you.

IS YOUR FRIEND'S PHONE NUMBER COMPROMISED? HERE'S WHAT TO LOOK FOR

Check retired my apical picks for information removal services and get a escaped scan to find retired if your idiosyncratic accusation is already retired connected the web by visiting Cyberguy.com.

Get a escaped scan to find retired if your idiosyncratic accusation is already retired connected the web: Cyberguy.com.

4) Limit what you stock successful illustration bios

Keep your WhatsApp "about" substance minimal. Avoid details similar occupation titles, hometowns, oregon links to different accounts. Scraped telephone numbers often get paired with publically disposable bios to physique fuller profiles for scams.

5) Tighten your privateness settings

Adjust who tin spot your illustration photo, last-seen and status. Setting these to "Contacts only" oregon "Nobody" prevents strangers from pulling much idiosyncratic info erstwhile they person your number. To tighten your privateness settings connected WhatsApp connected iPhone oregon Android, travel these steps:

• Open WhatsApp connected your telephone connected your phone.
• Go to Settings: On iPhone, pat the "Settings" cogwheel icon astatine the bottommost right. On Android, pat the 3 vertical dots successful the top-right corner, past prime "Settings."
• Tap "Account."
• Tap "Privacy."
• Adjust the privateness options beneath to power who tin spot your idiosyncratic info:
• Last Seen & Online: Tap "Last Seen & Online" and take "My Contacts" oregon "Nobody" to restrict who sees your past progressive status.
• Profile Photo: Tap "Profile Photo" and prime "My Contacts" oregon "Nobody" to forestall strangers from viewing your illustration picture.
• About: Tap "About" and prime "My Contacts" oregon "Nobody" to bounds who tin spot your About info.
• Status: Tap "Status," past prime "My Contacts," "My Contacts Except...," oregon "Only Share With..." to power who tin presumption your presumption updates.

These changes forestall radical not successful your contacts oregon strangers from pulling idiosyncratic details from your WhatsApp profile, enhancing your privateness efficaciously connected either iPhone oregon Android devices.

Because the strategy lacked due rate-limiting, the scraping continued undetected for months. (Kurt Knutsson)

6) Install beardown antivirus software

A batch of phishing and malware campaigns commencement with scraped numbers. Strong antivirus bundle tin artifact malicious links, observe harmful downloads and pass you erstwhile thing looks suspicious.

The champion mode to safeguard yourself from malicious links that instal malware, perchance accessing your backstage information, is to person beardown antivirus bundle installed connected each your devices. This extortion tin besides alert you to phishing emails and ransomware scams, keeping your idiosyncratic accusation and integer assets safe.

Get my picks for the champion 2025 antivirus extortion winners for your Windows, Mac, Android and iOS devices astatine Cyberguy.com.

7) Be cautious with chartless calls and messages

Treat unexpected messages with much suspicion. Don't click links, don't stock OTPs, and don't respond to anyone asking for verification codes. Once numbers are scraped, scammers ramp up spam and impersonation attempts.

Kurt's cardinal takeaway

WhatsApp mightiness person fixed the issue, but the bigger occupation is inactive retired there. Any level that exposes an API without due complaint limits is leaving a model unfastened for idiosyncratic with the close tools and capable time. This scrape shows you however rapidly that model tin crook into a firehose of idiosyncratic data. Until API information becomes a precedence crossed the board, you'll support seeing leaks similar this repetition connected bigger and bigger scales.

Do you deliberation apps should beryllium legally required to enforce strict API limits? Let america cognize by penning to america astatine Cyberguy.com.

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report 
Get my champion tech tips, urgent information alerts and exclusive deals delivered consecutive to your inbox. Plus, you’ll get instant entree to my Ultimate Scam Survival Guide — escaped erstwhile you articulation my CYBERGUY.COM newsletter. 

Copyright 2025 CyberGuy.com.  All rights reserved.