🔴 HIGH | intel

WhatsApp Contact-Discovery API Abuse Exposes 3.5B Accounts

A large-scale privacy exposure in WhatsApp’s contact-discovery API allowed researchers to enumerate 3.5 billion active accounts worldwide by abusing the absence of rate limiting on the GetDeviceList and related endpoints. Systematically submitting phone numbers from a single university server through only a handful of authenticated sessions, the team checked more than 100 million numbers per hour and confirmed which of them were linked to WhatsApp, activity that maps to the MITRE ATT&CK reconnaissance techniques T1596 (Search Open Technical Databases) and T1589 (Gather Victim Identity Information). Additional endpoints, GetUserInfo, GetPrekeys and FetchPicture, were then used to pull profile photos, "about" texts and metadata, showing how an API that is authenticated but effectively unthrottled can be turned into a mass data-scraping tool.

The researchers generated a global set of 63 billion candidate mobile numbers and queried WhatsApp’s infrastructure without being blocked, throttled or contacted by the platform, despite behaviour that was obviously automated. The results give a detailed snapshot of WhatsApp usage: around 749 million accounts in India, 235 million in Indonesia, 206 million in Brazil, 138 million in the U.S., and significant numbers in countries where the app is banned, such as China and Iran. In tests with U.S. numbers, the team downloaded 77 million profile photos with no rate limiting, many containing identifiable faces and personal information; combined with public "about" text, the dataset could be used to link identities across multiple online services.

Although this operation was conducted by academic researchers who did not leak the data, it underscores how the same enumeration flaw, in other hands, produces a real-world data breach.
The study found that 58% of phone numbers exposed in the 2021 Facebook scraping incident were still active on WhatsApp in 2025, highlighting the long-term value of phone-based identifiers for threat actors. Scraped datasets like this can fuel targeted phishing, SIM-swapping, OSINT-driven impersonation and automated account-takeover attempts across multiple platforms, raising both consumer-privacy concerns and enterprise account-security risk.

Meta has since added rate-limiting protections to WhatsApp’s APIs to prevent comparable scraping campaigns, but the incident illustrates a systemic API-security problem across major platforms. Previous scraping incidents at Facebook, Twitter and Dell all exploited poorly protected lookup endpoints that allowed high-rate queries without meaningful abuse detection. Organizations should treat contact-discovery and identity-lookup APIs as high-risk surfaces, enforcing strict rate limits, anomaly detection and abuse monitoring, while also incorporating phone-number exposure risks into identity-proofing, phishing defense and user-awareness programs.

🎯CORTEX Protocol Intelligence Assessment

Business Impact: The WhatsApp API enumeration demonstrates how weakly protected contact-discovery functions can expose billions of user records that become raw material for phishing, fraud and identity attacks. Enterprises whose employees rely on WhatsApp for business communication face increased exposure to targeted social engineering, while regulators may view large-scale scraping of phone numbers and profile data as a privacy incident with GDPR or other data-protection implications.

Technical Context: Researchers abused WhatsApp’s GetDeviceList, GetUserInfo, GetPrekeys and FetchPicture endpoints without meaningful rate limiting, enabling them to test 63 billion phone numbers and confirm 3.5 billion active accounts using a small number of authenticated sessions. This behavior maps to MITRE recon techniques T1596 and T1589, and mirrors earlier scraping incidents involving Facebook and Twitter APIs. Mitigation depends on enforcing strict rate limits, anomaly detection and abuse handling on identity-lookup APIs across platforms.

Strategic Intelligence Guidance

  • Treat phone numbers and messaging IDs as high-value identifiers in risk models, updating phishing and social-engineering defenses to account for large-scale WhatsApp and social-media scraping.
  • Review internal and customer-facing APIs that perform account or contact discovery, enforcing strict rate limiting, authentication and anomaly detection for high-volume or sequential queries.
  • Educate users—especially executives and high-value targets—on the risks of phone-number–based phishing and encourage minimal exposure of sensitive details in profile photos or status texts.
  • Incorporate API abuse scenarios into third-party and SaaS risk assessments, ensuring contracts and architecture reviews cover rate limiting, abuse detection and logging obligations for partner platforms.
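The detection and throttling that the guidance above and the article's description of the scrape call for, as an added example that is not code from the original report, the researchers or Meta: a Python script that replays constructed contact-discovery access-log lines, flags sessions whose lookup rate in any 60-second window or whose run of consecutive phone numbers indicates enumeration rather than an address-book sync, and applies a per-session token bucket. The log format, session names, thresholds (1,000 lookups per window, a 500-token burst refilling at one token per second) and the sample data are all assumptions; only the endpoint names are taken from the article.

```python
"""Enumeration detection and per-session throttling for a contact-discovery
endpoint. Added example: the log format, session IDs, thresholds and sample
data are constructed assumptions, not WhatsApp's real API, logs or policy."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta, timezone

# Endpoint names from the article; treating these three as "lookups" is an assumption.
LOOKUP_ENDPOINTS = {"GetDeviceList", "GetUserInfo", "GetPrekeys"}
WINDOW = timedelta(seconds=60)
MAX_LOOKUPS_PER_WINDOW = 1000   # assumed policy: well above any one user's address book
MIN_LOOKUPS_FOR_SEQ_CHECK = 20  # too few queries to judge a pattern
SEQUENTIAL_RATIO_FLAG = 0.5     # half or more of consecutive queries differ by exactly 1

Event = namedtuple("Event", "ts session endpoint msisdn")


def parse_line(line):
    """Constructed log format: '<iso8601 ts> <session> <endpoint> <msisdn>'."""
    ts, session, endpoint, msisdn = line.split()
    return Event(datetime.fromisoformat(ts), session, endpoint, int(msisdn))


def build_sample_log():
    """Constructed sample: one user syncing three contacts, plus one session
    walking 2,000 consecutive US numbers at 100 queries per second."""
    lines = [
        "2025-11-18T10:00:00+00:00 sess-legit GetDeviceList 14155550123",
        "2025-11-18T10:00:00+00:00 sess-legit GetDeviceList 12125550987",
        "2025-11-18T10:00:01+00:00 sess-legit GetDeviceList 13105550456",
        "2025-11-18T10:00:02+00:00 sess-legit FetchPicture 14155550123",
    ]
    base = datetime(2025, 11, 18, 10, 0, 0, tzinfo=timezone.utc)
    for i in range(2000):
        ts = (base + timedelta(milliseconds=10 * i)).isoformat()
        lines.append(f"{ts} sess-scrape GetDeviceList {14155550000 + i}")
    return lines


def _lookups_by_session(lines):
    by_session = defaultdict(list)
    for line in lines:
        if line.strip():
            ev = parse_line(line)
            if ev.endpoint in LOOKUP_ENDPOINTS:
                by_session[ev.session].append(ev)
    for evs in by_session.values():
        evs.sort(key=lambda e: e.ts)
    return by_session


def analyze(lines):
    """Flag a session by its peak lookups in any 60 s window and by how often
    consecutive queries are adjacent numbers (a range walk, not a contact sync)."""
    report = {}
    for session, evs in _lookups_by_session(lines).items():
        peak, start = 0, 0
        for end in range(len(evs)):           # sliding window over sorted events
            while evs[end].ts - evs[start].ts > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        adjacent = sum(1 for a, b in zip(evs, evs[1:]) if b.msisdn - a.msisdn == 1)
        ratio = adjacent / (len(evs) - 1) if len(evs) > 1 else 0.0
        reasons = []
        if peak > MAX_LOOKUPS_PER_WINDOW:
            reasons.append(f"{peak} lookups in one {WINDOW.seconds}s window")
        if len(evs) >= MIN_LOOKUPS_FOR_SEQ_CHECK and ratio >= SEQUENTIAL_RATIO_FLAG:
            reasons.append(f"sequential-number ratio {ratio:.2f}")
        report[session] = {"lookups": len(evs), "peak_per_window": peak,
                           "sequential_ratio": ratio, "flagged": bool(reasons),
                           "reasons": reasons}
    return report


class TokenBucket:
    """Per-session bucket kept in integer milli-tokens so the arithmetic is exact."""
    def __init__(self, capacity, refill_per_sec, now_ms):
        self.capacity = capacity * 1000
        self.refill_per_ms = refill_per_sec   # 1 token/s == 1 milli-token/ms
        self.tokens = self.capacity
        self.last_ms = now_ms

    def allow(self, now_ms):
        self.tokens = min(self.capacity, self.tokens + (now_ms - self.last_ms) * self.refill_per_ms)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def enforce(lines, capacity=500, refill_per_sec=1):
    """Replay lookups through a bucket sized for one full address-book sync
    (burst) but not for continuous enumeration (refill); returns per-session counts."""
    usage = {}
    for session, evs in _lookups_by_session(lines).items():
        bucket = TokenBucket(capacity, refill_per_sec, 0)
        counts = {"allowed": 0, "denied": 0}
        for ev in evs:
            now_ms = (ev.ts - evs[0].ts) // timedelta(milliseconds=1)
            counts["allowed" if bucket.allow(now_ms) else "denied"] += 1
        usage[session] = counts
    return usage
```

Run `analyze(build_sample_log())` and `enforce(build_sample_log())`: the three-contact sync passes both checks untouched, while the sequential walker is flagged on both the window count and a sequential ratio of 1.0, and the bucket lets its first 505 queries through before refusing all but one per second. The two signals are deliberately independent: the burst limit alone would not distinguish a large but legitimate sync from a slow scraper, and the sequential-number check catches a scraper that stays under the rate limit.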

Vendors

Meta, WhatsApp

Threats

Mass data scraping, Contact-discovery enumeration

Targets

WhatsApp users worldwide, Phone-number–based identities

Impact

Data Volume: 3.5 billion enumerated accounts (research dataset)