WhatsApp API Flaw Enables Scraping of 3.5 Billion Accounts
Researchers exploit missing rate limiting in WhatsApp contact discovery API to scrape user data from billions of active accounts worldwide
Key Takeaways
- 3.5 billion WhatsApp accounts scraped by researchers exploiting an API vulnerability without rate limiting, using just one university server and five authenticated sessions to process 63 billion potential mobile numbers.
- Rate limiting introduced in October 2025 after researchers reported the flaw in April, though Meta maintains no private messages or non-public data were accessed during the research.
- Insurance premiums spike 40-150% for organizations using WhatsApp, as cyber insurers reassess coverage following the exposure of 315 million business accounts in the dataset.
Introduction
Researchers have compiled a massive database of 3.5 billion WhatsApp mobile phone numbers and related personal information by exploiting a contact-discovery API that did not have rate limiting. This vulnerability allowed the extraction of data at a significant scale.
The WhatsApp API vulnerability that enabled researchers to scrape data from 3.5 billion accounts marks a significant event for the tech industry, with wide-ranging business, financial, and strategic implications. The incident highlights persistent weaknesses in API security, regulatory exposure, and the evolving risk landscape for messaging platforms and their parent companies.
Key Developments
The researchers, from the University of Vienna and SBA Research, leveraged WhatsApp’s GetDeviceList API endpoint to perform their investigation. This feature lets users check if a phone number is associated with a WhatsApp account. The absence of rate limiting enabled them to process over 100 million numbers per hour, undetected by WhatsApp’s monitoring systems.
The operation used only a single university server and five authenticated sessions to examine 63 billion potential mobile numbers. The study was conducted using modified open source clients that queried WhatsApp infrastructure directly rather than through the official applications. The result identified 3.5 billion active WhatsApp accounts, giving a global overview of WhatsApp usage.
The research team promptly reported the issue to WhatsApp in April 2025, and rate-limiting controls were introduced in October. Although Meta acknowledged the issue, stating that no private messages or non-public data were accessed, the researchers emphasized that the lack of technical barriers suggested similar collection efforts could have occurred undetected.
Beyond confirming the existence of WhatsApp accounts, the researchers accessed additional user information through other API endpoints. They retrieved data such as profile photos, “about” text, device details, business tags, and public-facing encryption keys, without encountering any rate limitations. The researchers retrieved profile photos for 57 percent of users and “About” information for 29 percent.
Market Impact
India emerged as the leading nation with 749 million accounts, followed by Indonesia and Brazil with 235 million and 206 million accounts, respectively. The study also identified active users in countries where WhatsApp is officially banned, such as China with 2.3 million accounts, Iran, Myanmar with 1.6 million accounts, and North Korea.
The breach exposed 315 million business accounts, representing 9 percent of those scraped, raising significant enterprise risk concerns. Cyber insurers are reacting by hiking premiums for organizations using WhatsApp by 40 to 150 percent, reducing coverage, or excluding WhatsApp-related incidents altogether.
The direct costs of such a breach can range from $180,000 to $27 million per affected organization, depending on the size and exposure. Regulatory fines pose additional financial risk: under GDPR, penalties can reach up to €20 million or 4 percent of global annual turnover for security failures.
Strategic Insights
The breach demonstrates that even mature platforms with billions of users can be compromised by relatively simple flaws in API design. This incident underlines the critical need for robust API security as a core part of product development and risk management strategies.
Meta, WhatsApp’s parent company, has already faced penalties—such as a €265 million fine by the Irish Data Protection Commission—and faces further scrutiny in the EU and other jurisdictions. Regulators in the EU, India, and elsewhere are using the incident to push for stricter compliance and transparency.
The breach exposed the risks of relying on consumer messaging apps like WhatsApp for enterprise communications. Business leaders are reassessing the viability of WhatsApp for commercial use, potentially accelerating demand for secure enterprise messaging solutions with stronger security controls.
This incident mirrors broader issues across platforms regarding API vulnerabilities. In 2021, a bug in Facebook’s “Add Friend” feature enabled scrapers to compile data on 533 million users. Similarly, an API flaw on Twitter led to the exposure of 54 million account details.
Expert Opinions and Data
In a statement, Nitin Gupta, VP of Engineering at WhatsApp, said, “We are grateful to the University of Vienna researchers for their responsible partnership and diligence under our Bug Bounty program. This collaboration successfully identified a novel enumeration technique that surpassed our intended limits, allowing the researchers to scrape basic publicly available information.”
Gupta emphasized that the researchers have securely deleted the data collected as part of the study, and Meta has found no evidence of malicious actors abusing this vector. He noted that user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption.
According to The Register, security experts view this as a critical failure of basic API hygiene. The lack of rate limiting is widely seen as an avoidable flaw, particularly for a platform of WhatsApp’s scale. The reuse of encryption keys across accounts further undermines trust in the platform’s security model.
Data visibility varied by country and user preferences. In India, 62 percent of accounts showed profile photos, while Brazil had a similar rate at 61 percent. In the United States, 44 percent of users displayed photos and 33 percent included visible “About” texts.
The researchers also compared their dataset with the 2021 Facebook scrape and found that 58 percent of those phone numbers were still active on WhatsApp. Millions of encryption keys were reused across different accounts, even though each key should be unique, and some consisted entirely of zeroes because of flawed implementations in third-party clients.
Conclusion
The tech industry faces a shift toward stricter API security standards, increased regulatory intervention, and heightened scrutiny of data sharing practices. Meta has implemented new rate limits and credited researchers for responsible disclosure, though experts argue that public key reuse and metadata exposure still pose significant risks.
The incident represents the largest scrape in messaging platform history and serves as a critical reminder that API vulnerabilities remain a fundamental business risk. Organizations now confront higher insurance costs, potential regulatory penalties, and the need to reassess their communication platforms for both consumer and enterprise use.