Researchers compiled a database of 3.5 billion WhatsApp accounts by exploiting a contact-discovery API that lacked any form of rate limiting. While WhatsApp has since patched the issue, the incident highlights how easily threat actors can scrape massive datasets from poorly protected public APIs.

A research team from the University of Vienna and SBA Research abused WhatsApp’s GetDeviceList API, designed to check whether a phone number is associated with an account. The flaw: no rate limits, no throttling, no account bans, no IP restrictions — even when one server sent over 100 million requests per hour. Researchers generated 63 billion possible phone numbers and queried all of them, receiving a global dataset of 3.5 billion active WhatsApp accounts.
Using additional WhatsApp APIs, they collected:
profile pictures,
public “About” text,
E2EE public keys,
metadata about linked devices.
A test run of U.S. phone numbers alone yielded 77 million profile photos — many showing identifiable faces.
The dataset also mapped global WhatsApp usage, showing:
749M users in India,
235M in Indonesia,
206M in Brazil,
and millions in countries where WhatsApp is banned, including China, Iran, and North Korea.
API scraping has driven some of the biggest data leaks in history:
Facebook (533M phone numbers in 2021)
Twitter (5.4M accounts leaked via API)
Dell (49M customer records pulled from an unprotected endpoint)
All share the same problem: account-lookup APIs with no rate limiting. Such APIs don’t need to be “hacked” — they simply answer too many questions too quickly.
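To make the failure mode concrete, here is an added illustration (not WhatsApp's code or any of the named companies' code) of a contact-discovery endpoint in the shape the article describes, next to a throttled version. The directory contents, client identifier, batch cap, token-bucket budget and ban threshold are all assumed for the demo; the scraper loop shows how much of the number space each version surrenders to a single client.

```python
"""Contact-discovery lookup: unthrottled beside throttled.

Added example, not production code from WhatsApp or anyone else. All numbers,
limits and client ids below are constructed for the demonstration.
"""
from dataclasses import dataclass

# Constructed directory of "registered" numbers (hypothetical, not real accounts).
REGISTERED = {f"+1555000{i:04d}" for i in range(0, 10000, 7)}


def lookup_unthrottled(numbers):
    """The pattern the article describes: every query answered, any batch
    size, no per-client budget. Each query leaks one bit: registered or not."""
    return {n: n in REGISTERED for n in numbers}


@dataclass
class TokenBucket:
    """Per-client budget measured in phone numbers, refilled over time."""
    capacity: float
    refill_per_sec: float
    tokens: float
    updated: float

    def take(self, n, now):
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.updated = now
        if self.tokens >= n:
            self.tokens -= n
            return True
        return False


class ThrottledLookup:
    MAX_BATCH = 50     # assumed: numbers accepted per request
    CAPACITY = 500     # assumed: burst budget per client (one address-book sync)
    REFILL = 1.0       # assumed: sustained numbers per second per client
    BAN_AFTER = 10     # assumed: rejected requests before the client is blocked

    def __init__(self, clock):
        self.clock = clock          # injectable clock so the demo is deterministic
        self.buckets = {}
        self.rejections = {}
        self.blocked = set()

    def lookup(self, client_id, numbers):
        now = self.clock()
        if client_id in self.blocked:
            return {"error": "blocked"}
        if len(numbers) > self.MAX_BATCH:
            return {"error": "batch too large"}
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = TokenBucket(self.CAPACITY, self.REFILL, self.CAPACITY, now)
            self.buckets[client_id] = bucket
        if not bucket.take(len(numbers), now):
            count = self.rejections.get(client_id, 0) + 1
            self.rejections[client_id] = count
            if count >= self.BAN_AFTER:
                self.blocked.add(client_id)   # the account ban the article notes was missing
            return {"error": "rate limited"}
        return {n: n in REGISTERED for n in numbers}


def enumerate_range(handler, count, batch=50):
    """Simulated scraper: walks the number space in batches, keeps every answer.
    Returns (numbers resolved, registered numbers found)."""
    resolved = found = 0
    for start in range(0, count, batch):
        nums = [f"+1555000{i:04d}" for i in range(start, min(start + batch, count))]
        result = handler(nums)
        if "error" in result:
            continue
        resolved += len(result)
        found += sum(result.values())
    return resolved, found


def demo():
    """Run one scraper against both handlers with a frozen clock (no refill)."""
    clock = lambda: 0.0
    unthrottled = enumerate_range(lookup_unthrottled, 10000)
    svc = ThrottledLookup(clock)
    throttled = enumerate_range(lambda nums: svc.lookup("scraper-1", nums), 10000)
    return unthrottled, throttled, "scraper-1" in svc.blocked


if __name__ == "__main__":
    print(demo())
```

With the clock frozen, the unthrottled handler resolves all 10,000 numbers and hands over every registered one, while the throttled handler stops at the 500-number burst budget and then blocks the client once it keeps hammering. A legitimate client syncing a 500-contact address book still completes in a single burst, and advancing the clock by one second buys exactly one more lookup, so the limit costs honest users nothing while turning a global scrape into a multi-year project per identity.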
While WhatsApp implemented rate limits after disclosure, the findings underscore a broader industry problem: any public API without limits can enable global-scale data leaks. Threat actors can compile billions of records without breaching a single server — simply by harvesting unprotected endpoints.