Researchers scrape 3.5B WhatsApp numbers via API
Security researchers from the University of Vienna and SBA Research exploited weak rate limits in WhatsApp’s GetDeviceList and related APIs to enumerate 3.5 billion active accounts and download profile photos, ‘about’ text, device info and public keys, they told BleepingComputer and Fox News. Using five authenticated sessions on a single university server, they queried over 100 million phone numbers per hour and pulled 77 million U.S. profile images. WhatsApp added rate limiting after the issue was disclosed, and the researchers did not release the data.
📌 Key Facts
- Scope: 3.5 billion active WhatsApp accounts confirmed from a 63 billion-number pool
- Throughput: ~100 million numbers checked per hour using five sessions
- U.S. impact: 77 million U.S. profile photos downloaded without hitting limits
- Endpoints: GetDeviceList, GetUserInfo, GetPrekeys, FetchPicture lacked effective rate limits
- Response: WhatsApp added rate-limiting protections after disclosure; researchers did not publish the dataset
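A defender's view of the gap described above, as an added example that is not code from the researchers or WhatsApp: a sliding-window budget on distinct phone numbers looked up, enforced per session and per shared origin, so that several sessions on one server cannot multiply the allowance. The class and function names, the limits and the sample traffic are all constructed assumptions.

```python
from collections import defaultdict, deque

class DistinctBudget:
    """Sliding-window cap on DISTINCT phone numbers looked up per key."""
    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self.events = defaultdict(deque)   # key -> (timestamp, number) in arrival order
        self.counts = defaultdict(dict)    # key -> {number: lookups still in window}

    def _expire(self, key, now):
        q, c = self.events[key], self.counts[key]
        while q and q[0][0] <= now - self.window_s:
            _, num = q.popleft()
            c[num] -= 1
            if c[num] == 0:
                del c[num]

    def over(self, key, number, now):
        self._expire(key, now)
        c = self.counts[key]
        return number not in c and len(c) >= self.limit  # repeats of known numbers are free

    def record(self, key, number, now):
        self.events[key].append((now, number))
        c = self.counts[key]
        c[number] = c.get(number, 0) + 1

def check_lookup(session, source, number, now, per_session, per_source):
    """Allow only if both the session budget and the shared-origin budget have room."""
    if per_session.over(session, number, now) or per_source.over(source, number, now):
        return False
    per_session.record(session, number, now)
    per_source.record(source, number, now)
    return True

def simulate(per_source_limit, sessions=5, attempts=150):
    """Constructed traffic: several sessions on one host, each walking a number range."""
    per_session = DistinctBudget(100, 3600)             # illustrative limits, not WhatsApp's
    per_source = DistinctBudget(per_source_limit, 3600)
    allowed = 0
    for i in range(attempts):
        for s in range(sessions):
            number = f"+1555{s:02d}{i:05d}"             # constructed, not real numbers
            allowed += check_lookup(f"sess{s}", "198.51.100.7", number, float(i),
                                    per_session, per_source)
    return allowed

if __name__ == "__main__":
    print(simulate(10**9), simulate(200))   # session-only cap vs. added per-origin cap
```

Counting distinct numbers rather than requests leaves an ordinary client that re-syncs the same contact list unaffected, while a sequential walk through a number range exhausts the budget quickly.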
📊 Relevant Data
WhatsApp has 3.3 billion monthly active users worldwide as of 2025.
WhatsApp Statistics On Users, Revenue and Messages (2025) — Resourcera
The number of data breaches in the United States increased to more than 3,200 in 2023.
The average cost of a data breach dropped to $4.44 million in 2025.
110+ of the Latest Data Breach Statistics to Know for 2026 & Beyond — Secureframe
Losses from internet crime reported to the FBI's IC3 totaled $16.6 billion in 2024.
2024 IC3 ANNUAL REPORT — Internet Crime Complaint Center