How 3.5 billion WhatsApp numbers were extracted and exposed
Most major platforms have faced large-scale data breaches related to weak or unprotected APIs. You’ve seen this happen with Facebook, X, and even Dell.
The pattern is always the same. A feature meant to make life easier becomes a gateway for massive data collection.
WhatsApp is now part of that list after researchers managed to extract 3.5 billion phone numbers by exploiting a simple gap in the app’s contact discovery system.
Sign up to receive my FREE CyberGuy report
Get my best tech tips, urgent security alerts, and exclusive offers delivered right to your inbox. Plus, you’ll get instant access to my Ultimate Guide to Surviving Scams, free when you join me CYBERGUY.COM information sheet.
How researchers mined 3.5 billion WhatsApp numbers

Researchers found that weak API limits allowed billions of WhatsApp numbers to be mined. (Getty Images)
As reported by Bleeping Computer, the whole incident started with WhatsApp’s GetDeviceList API. This is the endpoint the app queries when you add a number to your contacts: it asks WhatsApp whether that number has an account and which devices are linked to it. The problem was that the API had no meaningful rate limiting. In simple terms, the system neither slowed down nor blocked repeated requests, which opened the door to mass enumeration.
Researchers from the University of Vienna and SBA Research decided to see how far they could take this. Using just five authenticated sessions and a single university server, they began bombarding WhatsApp’s servers with queries. They expected to be blocked quickly, but WhatsApp did not react at all.
That let them check more than 100 million telephone numbers per hour. After generating a global pool of 63 billion possible mobile numbers, they ran the list through the API and confirmed 3.5 billion active WhatsApp accounts.
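The enumeration path described above, as an added illustration rather than code from the researchers or from WhatsApp: a toy lookup endpoint in the shape of a contact-discovery existence check, a scraper loop that spreads a candidate pool round-robin over several authenticated sessions, and a per-session sliding-window limit placed in front of the endpoint. The registered-number set, the candidate range, the session names, the query rate and the limit values are all constructed for the example.

```python
from collections import defaultdict, deque

# Constructed toy registry: in this example every third number in a hypothetical
# +1-555-000-0xxx block has an account. Nothing here is WhatsApp's real data or API.
REGISTERED = {"+15550000%03d" % i for i in range(0, 1000, 3)}
CANDIDATES = ["+15550000%03d" % i for i in range(1000)]


class SlidingWindowLimiter:
    """Per-session limit: at most `limit` lookups in any `window_s`-second window."""

    def __init__(self, limit, window_s):
        self.limit = limit
        self.window_s = window_s
        self.hits = defaultdict(deque)  # session -> timestamps of accepted lookups

    def allow(self, session, now):
        q = self.hits[session]
        while q and now - q[0] >= self.window_s:  # drop lookups that aged out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def lookup(number, session, limiter=None, now=0.0):
    """Toy existence check in the shape of a GetDeviceList-style query.
    Without a limiter it answers every request; with one it throttles per session."""
    if limiter is not None and not limiter.allow(session, now):
        return "throttled"
    return "exists" if number in REGISTERED else "absent"


def enumerate_pool(candidates, sessions, limiter=None, rate_per_s=100.0):
    """Scraper loop: spread the candidate pool round-robin over `sessions`
    authenticated sessions at `rate_per_s` queries per second (simulated clock).
    Returns (confirmed_numbers, throttled_count)."""
    confirmed, throttled = [], 0
    for i, number in enumerate(candidates):
        session = sessions[i % len(sessions)]
        now = i / rate_per_s
        result = lookup(number, session, limiter, now)
        if result == "exists":
            confirmed.append(number)
        elif result == "throttled":
            throttled += 1
    return confirmed, throttled


if __name__ == "__main__":
    sessions = ["sess-%d" % n for n in range(5)]
    # No limiter: the whole pool is confirmed in a single pass.
    found, dropped = enumerate_pool(CANDIDATES, sessions)
    print("unlimited:", len(found), "confirmed,", dropped, "throttled")
    # Per-session limit of 20 lookups per minute: the same run gets 100 answers and 900 refusals.
    limiter = SlidingWindowLimiter(limit=20, window_s=60)
    found, dropped = enumerate_pool(CANDIDATES, sessions, limiter=limiter)
    print("limited:  ", len(found), "confirmed,", dropped, "throttled")
```

Without the limiter the scraper confirms every registered number in the pool in one pass; with a limit of 20 lookups per session per minute the same run gets 100 answers and 900 refusals. The limit value is illustrative only: a real limit has to be keyed to the account and the device rather than to an IP address, sized against the address-book sync a genuine user actually needs, and paired with monitoring, because a limit alone merely slows a patient attacker who can register more sessions.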
Researchers managed to extract more than just phone numbers
The researchers did not stop at confirming that an account existed. They used other WhatsApp endpoints, including GetUserInfo, GetPrekeys, and FetchPicture, to pull more details: profile photos, “about” text, device information, and public keys. A test run against U.S. numbers alone downloaded 77 million profile photos without hitting any limit, many of them clear images of people’s faces. Public “about” sections often revealed personal information or links to other profiles. Comparing their results with the 2021 Facebook scrape, they found that 58% of the leaked Facebook numbers were still active on WhatsApp years later. That is what makes phone number leaks so damaging: they remain useful to attackers long after the initial breach.
It is important to note that this study was conducted by researchers who have not published the data. They also reported the problem to WhatsApp, and the company has since added rate limiting to prevent similar abuse. Still, the findings show how easily threat actors could have done the same thing if they had found the loophole first.
Why this keeps happening on major platforms
Weak or non-existent API rate limits have led to several major data breaches in recent years, and WhatsApp is not the only example. In 2021, attackers abused Facebook’s “Add Friend” feature by uploading contact lists and checking which numbers matched active accounts. The API lacked proper protections, so they scraped 533 million profiles. Meta later confirmed that the incident was automated scraping, and the Irish DPC fined the company €265 million.
Twitter had a similar problem when attackers used an API bug to match phone numbers and email addresses with 54 million accounts. Dell also reported that 49 million customer records were scraped after attackers exploited an unprotected API endpoint.
All of these cases share the same root cause. APIs that allow account lookups or data queries end up being easy to attack when they don’t limit how often someone can access them. An uncontrolled feature can become a channel for massive data collection.
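Rate limiting is only half of the answer to the pattern described in this section and in the WhatsApp run above, because a legitimate address-book sync is also a burst of lookups. What separates the two is the answers: a real contact list mostly hits registered numbers, while an enumeration run walks consecutive numbers and mostly misses (the researchers’ 3.5 billion hits out of 63 billion candidates is a hit ratio of roughly 6%). The detector below is an added example, not WhatsApp’s or anyone else’s production code. The log format, the session names, the numbers and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Log line format assumed for this example (not any real platform's log format):
#   sess=<session id> ts=<UTC timestamp> num=<E.164 number> result=exists|absent
LINE_RE = re.compile(
    r"sess=(?P<sess>\S+) ts=(?P<ts>\S+) num=(?P<num>\+\d+) result=(?P<res>exists|absent)"
)


def build_sample_log():
    """Constructed sample log: one legitimate address-book sync and one enumeration run."""
    t0 = datetime(2025, 11, 18, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Legitimate user L1: 40 unrelated numbers uploaded in a 3-second burst, most of them registered.
    for i in range(40):
        num = "+1555000%04d" % ((i * 37) % 1000)
        res = "exists" if i < 34 else "absent"
        ts = t0 + timedelta(milliseconds=75 * i)
        lines.append(f"sess=L1 ts={ts:%Y-%m-%dT%H:%M:%SZ} num={num} result={res}")
    # Scraper S1: 300 consecutive numbers, one lookup per second, about 1 in 16 registered.
    for i in range(300):
        num = "+1555000%04d" % (1000 + i)
        res = "exists" if i % 16 == 0 else "absent"
        ts = t0 + timedelta(seconds=i)
        lines.append(f"sess=S1 ts={ts:%Y-%m-%dT%H:%M:%SZ} num={num} result={res}")
    return lines


def parse_line(line):
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"sess": m["sess"], "ts": ts, "num": m["num"], "exists": m["res"] == "exists"}


def longest_consecutive_run(numbers):
    """Length of the longest run of numerically consecutive phone numbers."""
    vals = sorted(int(n) for n in numbers)  # int() accepts the leading '+'
    best = run = 1 if vals else 0
    for a, b in zip(vals, vals[1:]):
        run = run + 1 if b - a == 1 else 1
        best = max(best, run)
    return best


def session_stats(lines):
    per = defaultdict(lambda: {"queries": 0, "hits": 0, "numbers": set(), "first": None, "last": None})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = per[ev["sess"]]
        s["queries"] += 1
        s["hits"] += int(ev["exists"])
        s["numbers"].add(ev["num"])
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        s["last"] = ev["ts"] if s["last"] is None else max(s["last"], ev["ts"])
    return {
        sess: {
            "queries": s["queries"],
            "hit_ratio": s["hits"] / s["queries"],
            "span_s": (s["last"] - s["first"]).total_seconds(),
            "longest_run": longest_consecutive_run(s["numbers"]),
        }
        for sess, s in per.items()
    }


def flag_enumeration(stats, min_queries=100, max_hit_ratio=0.2, min_run=20):
    """Sessions that look like enumeration: many lookups where most numbers do not
    exist, or lookups that walk a consecutive block of numbers. Burst rate is
    deliberately not a criterion, since address-book syncs are bursty too."""
    return sorted(
        sess for sess, s in stats.items()
        if s["queries"] >= min_queries
        and (s["hit_ratio"] < max_hit_ratio or s["longest_run"] >= min_run)
    )


if __name__ == "__main__":
    stats = session_stats(build_sample_log())
    for sess, s in stats.items():
        print(sess, s)
    print("flagged:", flag_enumeration(stats))
```

On the constructed log, L1 finishes 40 lookups in two seconds with an 85% hit ratio and is left alone, while S1 is flagged on both criteria: a hit ratio around 6% and a run of 300 consecutive numbers. In practice the thresholds need tuning against real sync traffic, and the hit-ratio signal degrades in regions where a very large share of numbers are registered, which is why the consecutive-run check is kept as a second, independent signal.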
7 steps you can follow to keep your WhatsApp data safe
If your phone number ends up in one of these massive leaks, you can’t take it back, but you can make it far less useful to anyone trying to attack you. Here are some steps to help you stay safer.
1) Use two-factor authentication
Activate two-step verification in WhatsApp (its form of 2FA: a six-digit PIN the app demands whenever your number is registered on a new device) and turn on 2FA for any other important accounts. Even if someone has your number, they can’t get in without that second step. It also blunts SIM swapping: a thief who hijacks your number and receives the SMS code still has to know the PIN.

A simple automated script pulled profile data from WhatsApp’s servers at scale without triggering alerts. (eyecrave productions/Getty Images)
2) Use a password manager
A password manager keeps each login unique. If attackers try to link your extracted number with credential stuffing attacks, reused passwords won’t give them an easy victory. Strong, random passwords disable an entire category of automated attacks.
Next, check to see if your email has been exposed in previous breaches. Our #1 pick for password manager includes a built-in breach scanner that checks to see if your email address or passwords have appeared in known breaches. If you discover a match, immediately change any reused passwords and protect those accounts with new, unique credentials.
Check out the best expert-reviewed password managers of 2025 at Cyberguy.com.
3) Delete your data from public databases
Opt out of data brokers and people search sites when you can. The less public information attackers can link to your number, the harder it will be for them to craft convincing phishing messages or identity-based scams.
While no service can guarantee complete removal of your data from the Internet, a data deletion service is truly a smart choice. They are not cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically deleting your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to delete your personal data from the Internet. By limiting the information available, you reduce the risk of scammers cross-referencing leak data with information they can find on the dark web, making it harder for them to target you.
Check out my top picks for data removal services and get a free scan to find out if your personal information is already available on the web by visiting Cyberguy.com.
4) Limit what you share in profile bios
Keep WhatsApp “about” text to a minimum. Avoid details like jobs, hometowns, or links to other accounts. Extracted phone numbers are often combined with publicly viewable biographies to create more complete scam profiles.
5) Improve your privacy settings
Adjust who can see your profile photo, your last seen, and your status. Setting them to “My contacts” or “Nobody” prevents strangers from learning anything more about you once they have your number; the FetchPicture and GetUserInfo queries in the study returned only what your privacy settings left open to non-contacts. To tighten your privacy settings on WhatsApp on iPhone or Android, follow these steps:
- Open WhatsApp on your phone.
- Go to Settings: on iPhone, tap the Settings gear icon at the bottom right. On Android, tap the three vertical dots in the upper right corner and then select “Settings.”
- Tap “Privacy.” (On older versions of the app, it is under “Account” first.)
- Adjust the privacy options below to control who can see your personal information:
- Last seen and online: Tap “Last seen and online” and choose “My contacts” or “Nobody” to restrict who sees when you were last active.
- Profile photo: Tap “Profile photo” and select “My contacts” or “Nobody” to stop strangers from seeing your profile photo.
- About: Tap “About” and choose “My contacts” or “Nobody” to limit who can see your About text.
- Status: Tap “Status,” then select “My contacts,” “My contacts except…,” or “Only share with…” to control who can see your status updates.
These changes stop people who are not in your contacts from pulling personal data from your WhatsApp profile, on iPhone and Android alike.

Because the system lacked proper rate limiting, the scraping continued undetected for months. (Kurt Knutsson)
6) Install powerful antivirus software
Many phishing and malware campaigns start with extracted numbers. Powerful antivirus software can block malicious links, detect harmful downloads, and warn you when something looks suspicious.
The best way to protect yourself from malicious links that install malware and potentially access your private information is to have powerful antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.
Get my picks for the best antivirus protection winners of 2025 for your Windows, Mac, Android, and iOS devices at Cyberguy.com.
7) Be careful with unknown calls and messages
Treat unexpected messages with extra suspicion. Don’t click on links, don’t share one-time passcodes, and don’t respond to anyone asking for verification codes. Once numbers like these are in circulation, spam and phishing attempts go up.
Kurt’s Key Takeaway
WhatsApp may have closed this particular hole, but the bigger problem remains. Any platform that exposes an API without proper rate limits leaves a window open for someone with the right tools and enough time. This scraping shows how quickly that window turns into a firehose of personal data. Until API security becomes a priority across the board, you will keep seeing breaches like this repeat on an ever-larger scale.
Do you think apps should be legally required to enforce strict API limits? Let us know by writing to us at Cyberguy.com.
Copyright 2025 CyberGuy.com. All rights reserved.
Kurt “CyberGuy” Knutsson is an award-winning technology journalist with a deep love for technology, gear and devices that improve lives, and has contributed to News and News Business since mornings on “News & Friends.” Do you have a tech question? Get Kurt’s free CyberGuy newsletter, share your voice, a story idea or a comment at CyberGuy.com.