Researchers have revealed how they were able to gather a massive list of 3.5 billion WhatsApp phone numbers and personal details by exploiting a WhatsApp API that did not have proper rate limiting.
This means the system did not restrict how many requests could be made in a short time, allowing them to check millions of numbers quickly without being blocked. WhatsApp added rate limits only after the issue was reported.
The team from the University of Vienna and SBA Research used WhatsApp’s contact discovery feature, which checks whether a phone number is linked to an account and what devices are used. Because there were no strict limits in place, they were able to send more than 100 million queries per hour from a single university server using just five authenticated sessions. They expected WhatsApp to detect the activity, but the platform never blocked them or slowed their requests.
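One way a contact-discovery endpoint can bound this kind of enumeration, as an added example that is not code from the researchers or from WhatsApp: a per-session budget on the distinct numbers looked up per hour. The class name, thresholds, session labels and sample numbers are assumptions constructed for illustration.

```python
import time
from collections import defaultdict, deque

class ContactLookupLimiter:
    """Caps the DISTINCT phone numbers one session may check per rolling window.
    Re-syncing an unchanged address book is free; walking a generated number
    range exhausts the budget. Thresholds here are assumptions, not WhatsApp's."""

    def __init__(self, max_new_numbers=1000, window_seconds=3600, clock=time.monotonic):
        self.max_new, self.window, self.clock = max_new_numbers, window_seconds, clock
        self._seen = defaultdict(set)     # session -> numbers counted in window
        self._order = defaultdict(deque)  # session -> (timestamp, number), oldest first

    def filter_batch(self, session, numbers):
        """Split one lookup request into (allowed, rejected) numbers."""
        now = self.clock()
        seen, order = self._seen[session], self._order[session]
        while order and now - order[0][0] >= self.window:  # drop expired entries
            seen.discard(order.popleft()[1])
        allowed, rejected = [], []
        for number in numbers:
            if number in seen:                 # already counted in this window
                allowed.append(number)
            elif len(seen) < self.max_new:     # new number, budget remains
                seen.add(number)
                order.append((now, number))
                allowed.append(number)
            else:                              # budget spent: refuse the lookup
                rejected.append(number)
        return allowed, rejected

def demo():
    """Constructed traffic: a phone re-syncing 200 contacts vs. a range walker."""
    fake_now = [0.0]
    limiter = ContactLookupLimiter(clock=lambda: fake_now[0])
    address_book = [f"+1555010{i:04d}" for i in range(200)]   # constructed numbers
    generated = [f"+1555020{i:04d}" for i in range(5000)]     # constructed range
    phone_rejected = walker_allowed = 0
    for minute in range(60):                   # one hour, one request per minute
        fake_now[0] = minute * 60.0
        phone_rejected += len(limiter.filter_batch("phone", address_book)[1])
        chunk = generated[minute * 80:(minute + 1) * 80]
        walker_allowed += len(limiter.filter_batch("walker", chunk)[0])
    return phone_rejected, walker_allowed

if __name__ == "__main__":
    print(demo())
```

Counting distinct numbers rather than requests keeps ordinary address-book syncs unaffected while a session that walks a generated range stops receiving answers once its budget is spent; the rejected count per session is also a usable detection signal.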
After generating 63 billion possible mobile numbers worldwide, they discovered that 3.5 billion were active WhatsApp accounts. The data offered a rare look at global WhatsApp usage, showing the countries with the highest number of users. India had the largest share with 749 million accounts, followed by Indonesia, Brazil, the United States, Russia, and Mexico. Surprisingly, millions of users were also found in countries where WhatsApp was banned at the time, including China, Iran, North Korea, and Myanmar.
The researchers did more than just check which numbers were active. Using additional WhatsApp APIs, they were able to fetch profile photos, public “about” text, and details about linked devices. In one test involving US numbers, they downloaded 77 million profile photos without any restrictions, many of which contained identifiable faces. Public “about” information often reveals personal details or links to other social profiles.
They also compared their findings to the 2021 Facebook phone-number scrape and found that 58 percent of those leaked numbers were still active on WhatsApp in 2025. The researchers warned that leaked phone numbers remain valuable for malicious activities for many years, which is why large-scale scraping is so dangerous.
They noted that if this dataset had been published, it would have been one of the largest leaks in history, containing highly sensitive information such as phone numbers, timestamps, profile photos, and even public encryption keys.





