🔴 HIGH

WhatsApp API Flaw Exposes 3.5 Billion Phone Numbers Worldwide

A WhatsApp API design flaw exposed over 3.5 billion phone numbers, creating a massive global privacy risk. The issue stems from the platform's contact discovery and lookup endpoints, which allow enumeration at scale. Although not associated with a specific CVE, the vulnerability aligns with MITRE T1596 (Gather Victim Identity Information) and T1526 (Cloud Service Discovery). Attackers could automate queries to map real phone numbers to WhatsApp accounts across regions.

The flaw occurs because WhatsApp's public-facing API does not include adequate rate limiting or behavioral anomaly detection to prevent large-scale enumeration. Researchers identified that attackers used cloud infrastructure to send millions of probing requests per hour, generating a comprehensive database of users. The exposure risk is amplified because WhatsApp accounts are frequently tied to identity data, financial services, and authentication flows.

From a business and societal perspective, the exposure could lead to phishing, impersonation, SIM-swap initiation, fraud, and large-scale surveillance. Regulatory exposure includes GDPR, CCPA, and telecom privacy laws. Organizations using WhatsApp for customer communication face increased risk from phone-based attacks in the style of business email compromise. Mitigation includes limiting WhatsApp usage for authentication workflows, applying strict telecom fraud protections, and enabling number privacy settings where available. Enterprises should monitor for targeted phishing that may leverage newly enumerated numbers and advise staff to disable public profile visibility.
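The brief attributes the exposure to a contact-lookup endpoint with no effective rate limiting or anomaly detection. The following is an added illustration of the kind of server-side control that closes that gap; it is not WhatsApp's or Meta's code. It assumes a constructed access-log format (`<epoch> client=<id> lookup=<E.164 number>`), a hypothetical per-client window of 60 seconds, and a deliberately low distinct-number threshold so the sample trips it.

```python
from collections import defaultdict, deque

# Constructed log format: "<epoch_ts> client=<id> lookup=<E.164 number>"
WINDOW_SECONDS = 60            # assumed policy window
MAX_DISTINCT_PER_WINDOW = 5    # assumed threshold; production values would be tuned to real contact-sync sizes


def parse_line(line):
    """Parse one constructed log line into (timestamp, client, number)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return int(ts), kv["client"], kv["lookup"]


class EnumerationLimiter:
    """Per-client sliding window over *distinct* numbers looked up.

    A legitimate contact sync queries a bounded, stable set of numbers; an
    enumeration run queries a steadily growing set. Counting distinct numbers
    rather than raw requests keeps retries of the same contact from tripping
    the limit while still catching a client walking through a number range.
    """

    def __init__(self, window=WINDOW_SECONDS, max_distinct=MAX_DISTINCT_PER_WINDOW):
        self.window = window
        self.max_distinct = max_distinct
        self.events = defaultdict(deque)   # client -> deque of (ts, number), oldest first
        self.refused = defaultdict(int)    # client -> lookups refused (feeds alerting)

    def check(self, ts, client, number):
        """Return True if the lookup may be served, False if it must be refused."""
        q = self.events[client]
        while q and q[0][0] <= ts - self.window:   # drop events outside the window
            q.popleft()
        distinct = {n for _, n in q}
        if number not in distinct and len(distinct) >= self.max_distinct:
            self.refused[client] += 1
            return False
        q.append((ts, number))
        return True


def process_log(lines, limiter=None):
    """Replay log lines through the limiter; return {client: refused_count}."""
    limiter = limiter or EnumerationLimiter()
    for line in lines:
        limiter.check(*parse_line(line))
    return dict(limiter.refused)


# Constructed sample: app-A syncs a small address book (with one retry);
# app-B walks a contiguous number range inside a single window.
SAMPLE_LOG = [
    "1700000000 client=app-A lookup=+15550000001",
    "1700000001 client=app-A lookup=+15550000002",
    "1700000002 client=app-A lookup=+15550000001",
] + [f"17000000{10 + i:02d} client=app-B lookup=+1555000{1000 + i:04d}" for i in range(8)]
```

Refused counts per client are what a detection pipeline would alert on; the benign client never appears in the result, while the range-walking client is cut off after its fifth distinct number.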

🎯CORTEX Protocol Intelligence Assessment

Business Impact: Exposure of 3.5 billion numbers dramatically increases phishing and fraud risks. Organizations relying on WhatsApp channels may face heightened impersonation and SIM-swap threats.

Technical Context: The flaw exploited weaknesses in WhatsApp's contact-lookup API, enabling automated enumeration at scale. MITRE references include T1596 and T1526.

Strategic Intelligence Guidance

  • Avoid using WhatsApp as a primary authentication factor for users or staff.
  • Enable fraud monitoring for SIM-swap and phone-based impersonation attempts.
  • Educate users on social engineering risk from newly exposed phone numbers.
  • Implement privacy restrictions to minimize exposed WhatsApp profile metadata.

Vendors

Meta

Targets

global WhatsApp users

Impact

Data Volume: 35,000,000,000