Executive Summary
In early 2024, a significant data exposure incident affected WhatsApp when researchers discovered and exploited a vulnerability in the platform's contact-discovery API. The API lacked effective rate limiting and permitted mass enumeration of registered user accounts by automating queries, enabling adversaries to harvest data on approximately 3.5 billion mobile phone numbers and associated details. No evidence suggests the involvement of a deliberate threat actor beyond security researchers, but the scale and scope highlight serious privacy and operational risks for both users and WhatsApp’s business integrity. The incident underscores ongoing risks for messaging applications leveraging public-facing APIs without stringent access and abuse controls.
This breach is highly relevant as API abuse and large-scale account enumeration techniques are increasingly exploited by attackers seeking personal data. Regulatory scrutiny is poised to intensify, and similar flaws are being reported across numerous communications platforms, making robust API security and anomaly detection critical in today’s threat landscape.
Why This Matters Now
API vulnerabilities enabling unrestricted data scraping present urgent privacy and regulatory challenges, especially as attackers rapidly automate such exploits. The sheer scale—billions of accounts—demonstrates that overlooked API rate limits can trigger mass exposure, legal risks, and reputational harm for digital services.
Attack Path Analysis
Attackers discovered and abused an API that lacked sufficient rate limiting to harvest personal information at scale. No privilege escalation was necessary, as the API was accessible without elevated permissions. The adversaries repeatedly invoked the exposed endpoint, automating queries across large datasets and moving laterally by querying variations of contact information. Command and control was maintained through scripted API calls, and exfiltration occurred as harvested data was continually extracted to attacker-controlled systems. The resulting impact was an unprecedented leak of 3.5 billion user records, exposing sensitive personal information.
Kill Chain Progression
Initial Compromise
Description
Attackers identified and exploited an API endpoint with weak access controls and no rate limiting, enabling automated interaction.
Related CVEs
CVE-2025-55177
CVSS 5.4
Incomplete authorization in WhatsApp's linked device synchronization feature allows an attacker to trigger processing of content from arbitrary URLs on a target's device.
Affected Products:
Meta Platforms WhatsApp for iOS – < 2.25.21.73
Meta Platforms WhatsApp Business for iOS – < 2.25.21.78
Meta Platforms WhatsApp for Mac – < 2.25.21.78
Exploit Status:
exploited in the wild
CVE-2024-45607
CVSS 5.8
whatsapp-api-js fails to validate message signatures, allowing unauthorized message handling.
Affected Products:
Secreto31126 whatsapp-api-js – 4.0.0 - 4.0.2
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Automated Collection
File and Directory Discovery
Web Protocols
Data from Information Repositories
Data from Local System
Phishing
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Limit repeated access attempts
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT risk management framework
Control ID: Art. 9(2)
CISA Zero Trust Maturity Model 2.0 – Continuous Authentication and Authorization
Control ID: Identity and Access Management – Pillar 2.2
NIS2 Directive – Technical and organisational measures
Control ID: Annex I, Article 21
GDPR – Security of processing
Control ID: Art. 32
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
Direct exposure to WhatsApp API vulnerability exploitation affecting 3.5 billion accounts requires enhanced egress security and threat detection for messaging infrastructure protection.
Financial Services
API vulnerability exploitation risks customer data exposure requiring zero trust segmentation and multicloud visibility to protect sensitive financial communications and transactions.
Health Care / Life Sciences
WhatsApp contact discovery flaw threatens HIPAA compliance through potential patient data exposure, demanding the implementation of encrypted traffic and anomaly detection capabilities.
Government Administration
Massive contact scraping vulnerability poses national security risks requiring immediate east-west traffic security and inline IPS deployment for government communications.
Sources
- WhatsApp API flaw let researchers scrape 3.5 billion accounts: https://www.bleepingcomputer.com/news/security/whatsapp-api-flaw-let-researchers-scrape-35-billion-accounts/ (Verified)
- CVE-2025-55177: WhatsApp vulnerability analysis and mitigation: https://www.wiz.io/vulnerability-database/cve/cve-2025-55177 (Verified)
- CISA Warns WhatsApp 0-Day Vulnerability Exploited in Attacks: https://cyberpress.org/whatsapp-0-day-vulnerability/ (Verified)
- Advisory 98: CVE-2025-55177 - Meta Platforms WhatsApp incorrect Authorization Vulnerability: https://cert.gov.vu/images/publications/Advisory_98.pdf (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, centralized API policy enforcement, and anomaly-based detection would have restricted unauthorized mass harvesting through strict access controls, real-time anomaly alerts, and containment of excessive or anomalous API usage. Advanced egress controls and visibility across the environment would have quickly surfaced and blocked data exfiltration attempts at scale.
Control: Zero Trust Segmentation
Mitigation: Unauthorized or mass API access would be restricted to trusted identities and segments.
Control: Multicloud Visibility & Control
Mitigation: Unusual permission usage and API requests would be monitored and alerted.
Control: East-West Traffic Security
Mitigation: Lateral movement through unrestricted API enumeration would be identified and contained.
Control: Threat Detection & Anomaly Response
Mitigation: Automated or anomalous API communication patterns generate high-fidelity alerts.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound data exfiltration flows would be blocked or throttled at the network or application perimeter.
Autonomous enforcement and real-time inspection would halt or limit the scale of unauthorized data access.
Impact at a Glance
Affected Business Functions
- User Communication
- Customer Support
Estimated downtime: 3 days
Estimated loss: $5,000,000
Potential exposure of user phone numbers, profile photos, and 'About' information due to API abuse.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust Segmentation to restrict API access exclusively to verified and least-privileged identities.
- Deploy centralized, real-time monitoring for all cloud APIs to detect high-velocity or abnormal access patterns.
- Implement egress controls and outbound policy enforcement to prevent large-scale data exfiltration from APIs.
- Enable anomaly detection to rapidly surface and automatically respond to scraping or brute-force activity.
- Regularly audit cloud network and application security posture for exposed endpoints, missing rate limiting, and least-privilege violations.
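The two controls the takeaways call for against this kind of abuse, a per-client rate limit on the contact-discovery endpoint and an anomaly alert on high-velocity, many-distinct-target querying, can be demonstrated together by replaying access logs through a sliding-window counter. The following is an added example written for this report, not WhatsApp's or any vendor's code; the log line format (`timestamp client target`), the client names, the phone numbers and the thresholds are all constructed assumptions.

```python
"""Replay contact-discovery API logs through a sliding-window rate limiter
and a distinct-target enumeration detector (constructed example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2024, 3, 1, 10, 0, 0)


def _line(offset_s, client, target):
    """Build one constructed log line: ISO timestamp, client id, queried number."""
    ts = (BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} {client} {target}"


# Constructed sample: client-A looks up a couple of contacts over 15 minutes;
# client-B fires 100 lookups of 100 different numbers at one per second.
SAMPLE_LOG = [
    _line(0, "client-A", "+15550000001"),
    _line(300, "client-A", "+15550000002"),
    _line(900, "client-A", "+15550000001"),
] + [_line(i, "client-B", f"+1555{1000000 + i:07d}") for i in range(100)]


def detect_enumeration(lines, window_s=60, max_requests=20, max_distinct=50):
    """Per client: allow at most max_requests attempts per sliding window,
    and raise an alert when more than max_distinct different targets are
    queried inside one window (blocked attempts still count as attempts).
    State is per client, so lines only need to be time-ordered per client."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # client -> deque of (ts, target) in window
    summary = defaultdict(lambda: {"allowed": 0, "blocked": 0,
                                   "peak_distinct": 0, "alert": False})
    for line in lines:
        ts_str, client, target = line.split()
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        q, s = recent[client], summary[client]
        while q and ts - q[0][0] > window:   # drop attempts outside the window
            q.popleft()
        if len(q) >= max_requests:
            s["blocked"] += 1                # the limiter would reject this call
        else:
            s["allowed"] += 1
        q.append((ts, target))               # record the attempt either way
        distinct = len({t for _, t in q})
        s["peak_distinct"] = max(s["peak_distinct"], distinct)
        if distinct > max_distinct:
            s["alert"] = True                # enumeration pattern, not normal use
    return dict(summary)


if __name__ == "__main__":
    for client, stats in detect_enumeration(SAMPLE_LOG).items():
        print(client, stats)
```

With the constructed input, client-B is throttled after 20 attempts and still trips the enumeration alert, because the detector counts attempted targets rather than only successful responses.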