Data breaches are becoming a significant concern among major platforms, often linked to weak or unprotected APIs. High-profile incidents have highlighted vulnerabilities on platforms like Facebook, Twitter, and most recently, WhatsApp.
WhatsApp has joined the list of affected services after researchers showed that 3.5 billion phone numbers could be scraped through a flaw in the app’s contact discovery system. The incident illustrates how a feature that is convenient for users can be abused at scale, and it has prompted renewed discussion of the data security measures such features need.
The scraping stemmed from WhatsApp’s GetDeviceList API, which is normally called when a user adds a contact. This endpoint lets WhatsApp check whether a number is associated with an account and which devices are linked to it. Because the endpoint lacked adequate rate limiting, nothing stopped it from being queried at very high volume, which made mass data gathering possible.
Researchers from the University of Vienna and SBA Research ran tests to measure the extent of the vulnerability. Using only five authenticated sessions connected to a university server, they sent repeated queries to WhatsApp’s servers. Contrary to their expectations, WhatsApp applied no defensive measures to slow or block the traffic.
This oversight enabled them to verify over 100 million phone numbers an hour. By generating a global pool of 63 billion possible mobile numbers, the researchers confirmed that 3.5 billion were active WhatsApp accounts.
The scope of the scraping did not stop at confirming number existence. Researchers also accessed additional WhatsApp endpoints to collect more detailed information. This included profile images, “about” sections, device data, and public keys. A sample run in the United States resulted in the download of 77 million profile photos, many of which depicted identifiable images of users.
Additionally, public entries in the “about” sections sometimes revealed sensitive information or links to other accounts. Notably, the researchers found that 58% of the phone numbers leaked from Facebook in 2021 (discussed below) were still active on WhatsApp, showing that leaked phone numbers remain useful to malicious actors long after the original breach.
It is crucial to note that the researchers did not publicly disclose the data. They reported the vulnerabilities to WhatsApp, which has since implemented rate-limiting measures to prevent similar occurrences in the future. Nevertheless, the incident exposes how easily malicious actors could have exploited this flaw had they discovered it first.
Weak or nonexistent API rate limits have led to several substantial data leaks in recent years. WhatsApp’s case is not unique. In 2021, attackers exploited Facebook’s “Add Friend” feature, which enabled the uploading of contact lists to match against active accounts. This flaw resulted in the scraping of 533 million profiles, ultimately leading to Meta facing consequences and regulatory penalties.
Similarly, Twitter faced challenges when attackers took advantage of an API bug to connect phone numbers and email addresses to 54 million accounts. Even companies like Dell reported breaches, with 49 million customer records scraped through unprotected API endpoints.
Each of these cases shares a common theme: APIs that permit account lookups or data queries can become prime targets when proper limitations are absent. This opens a gateway for mass data collection, highlighting the need for stricter security measures.
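As an added illustration (not code from the article, from the researchers, or from WhatsApp), the block below shows a per-session sliding-window limiter of the kind that blunts the bulk-lookup pattern described above: five sessions firing lookups continuously are capped and flagged, while an ordinary user adding a few contacts is unaffected. The class name, the caps and the replayed traffic are constructed for this example.

```python
from collections import defaultdict, deque

# Constructed policy values for this example; they are not WhatsApp's settings.
PER_SESSION_LIMIT = 500    # contact lookups allowed per session per window
WINDOW_SECONDS = 3600      # sliding window length (one hour)


class LookupRateLimiter:
    """Sliding-window limiter keyed by authenticated session id (hypothetical)."""

    def __init__(self, limit=PER_SESSION_LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)  # session_id -> lookup timestamps
        self.flagged = set()              # sessions that hit the cap

    def allow(self, session_id, now):
        """Return True if a lookup from this session may proceed at time `now`."""
        q = self.events[session_id]
        while q and now - q[0] >= self.window:   # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            self.flagged.add(session_id)         # worth an alert, not just a 429
            return False
        q.append(now)
        return True


def simulate_enumeration(limiter, sessions, lookups_per_session, rate_per_sec):
    """Replay a constructed bulk-lookup pattern: every session fires one lookup
    per tick. Returns how many lookups the limiter let through."""
    served = 0
    for i in range(lookups_per_session):
        now = i / rate_per_sec
        for session in sessions:
            if limiter.allow(session, now):
                served += 1
    return served


if __name__ == "__main__":
    lim = LookupRateLimiter()
    bots = [f"session-{n}" for n in range(5)]           # five sessions, as in the study
    print(simulate_enumeration(lim, bots, 10_000, 100))  # 2500: 500 per session, then cut off
    print(sorted(lim.flagged))                           # all five sessions flagged
```

A limiter like this is only one layer; the flagged set is the signal that should feed detection, since a single account checking hundreds of numbers it has never messaged is the behaviour worth investigating.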
While it is challenging to prevent a phone number from appearing in a massive scrape, users can take proactive steps to make their information less useful to potential attackers.
First, enabling two-factor authentication on WhatsApp—and other vital accounts—provides added security. Even if someone acquires your phone number, they cannot access your account without the second verification step. This measure is particularly effective against SIM swap attempts, as it requires more than just a password.
Adopting a password manager helps ensure that every login uses a unique password. Attackers may try your scraped number in credential stuffing attacks, so strong, random passwords that are never reused blunt those attempts and keep your other accounts secure.
Investigate if your email address has appeared in any past data breaches. Many password managers come with built-in breach scanners that reveal whether your information has been compromised. Upon discovering any matches, it is crucial to immediately change your passwords and secure those accounts with new credentials.
Minimize public information associated with your phone number by opting out of data broker sites when possible. Reducing publicly available data makes it more difficult for attackers to design convincing phishing messages or identity scams.
Keeping your WhatsApp “about” text generic helps limit personal information exposure. Avoid posting details like job titles, hometowns, or other identifying links. Adjust settings to control who can see your profile photo, last seen, and status to enhance privacy.
Scraped data often fuels phishing attempts and other malicious campaigns. Strong antivirus software helps by blocking malicious links, detecting harmful downloads, and warning about suspicious activity. Protecting every device you use helps safeguard your personal information and digital assets.
Be suspicious of unexpected messages and refrain from clicking links or sharing verification codes. Increased spam and impersonation attempts usually follow the scraping of phone numbers, making vigilance essential for maintaining your online security.
WhatsApp may have corrected the immediate issue, but the overall risk of API vulnerabilities continues. Any platform that exposes an API without effective rate limits remains susceptible to similar attacks. The recent incident underscores the urgent need for enhanced API security to prevent future leaks from impacting millions of users.
Do you believe apps should face legal requirements to enforce strict API limits? Share your thoughts. The ongoing discussion around data privacy and security is critical as technology continues to evolve.