WhatsApp API Could Bulk Leak User Telephone Numbers

Researchers Were Able to Query 3.5 Billion Accounts Greg Sirico • November 21, 2025

Security researchers were able to scoop up the telephone numbers of billions of WhatsApp users through an enumeration tool provided by app owner Meta.

See Also: OnDemand | Transform API Security with Unmatched Discovery and Defense

None of the data researchers at the University of Vienna swiped by reverse-engineering a WhatsApp API was strictly private, and they didn't break the encryption protecting message text from third parties. They obtained telephone numbers used to register WhatsApp accounts, and in most cases, additional data such as a profile picture, user-inputted "about" text and the public keys used by WhatsApp to asymmetrically encrypt communications.

But "while most data points may seem harmless, especially in isolation, their large-scale aggregation can provide meaningful and potentially revealing insights," the researchers wrote in a paper. The sheer quantity of leaked ...