WhatsApp API flaw exposes 3.5 billion users to major privacy risk
Researchers have shown that WhatsApp's contact discovery system could be used to enumerate 3.5 billion active accounts globally, including 749 million in India and 235 million in Indonesia. The finding draws attention to weaknesses in the application programming interfaces (APIs) that underpin communication platforms used by billions.
Exposure revealed
The research outlined how WhatsApp's contact discovery API can be abused. Contact discovery takes a list of phone numbers and reports which of them belong to registered accounts; because the endpoint was not effectively rate limited, the researchers could submit numbers in bulk and enumerate accounts, retrieving phone numbers, profile photos, "about" text and device metadata wherever users' privacy settings left them visible. A significant share of the enumerated accounts were in markets where WhatsApp adoption is highest: public data shows 92% penetration in Malaysia, 91% in Indonesia and 82% in Singapore.
Gaps like this in widely used systems show how a single unthrottled endpoint can become both a privacy breach and a starting point for broader attacks. Meta, the owner of WhatsApp, has since introduced measures to restrict bulk queries through the API.
Risks to users
The API exposed both personal identifiers and profile details that many users may not expect to be visible beyond their own contacts. Given WhatsApp's prevalence in Asia, the scale of the issue has regional ramifications. Security experts note that the combination of platform convenience and broad adoption can turn small oversights into large exposures.
"WhatsApp's contact-discovery API study is a stark illustration of how platform convenience can quickly become a large-scale privacy and attack-surface risk. In enumerating 3.5 billion active WhatsApp accounts by abusing an un-rate-limited API, researchers were able to exploit a capability that yields phone numbers, profile photos, 'about' text and device metadata. When more than nine in ten people in markets like Malaysia and Indonesia rely on WhatsApp daily, a single vulnerability like this can ripple across the entire region," said Takanori Nishiyama, SVP APAC & Japan Country Manager, Keeper Security.
User precautions
Consumers are advised to treat WhatsApp accounts with security practices similar to those used for sensitive online services. Key steps include enabling two-step verification, adding a recovery email address, and using the available privacy settings. Limiting the visibility of the profile photo and "about" text to "My contacts" and avoiding public links to a WhatsApp profile reduce what an enumeration attack can collect and lower the likelihood of being targeted.
Nishiyama advises vigilance against suspicious messages and unsolicited requests for codes or urgent payment transfers. He notes that users should verify message authenticity and avoid sharing security codes with unknown or unverified contacts.
API security challenges
APIs are central to the integration of online services, enabling everything from messaging and payments to social media connections and location sharing. As businesses expand their digital footprint, API endpoints that are unauthenticated, unthrottled or overly generous in what they return give cybercriminals a growing opportunity to automate mass data harvesting.
Cybersecurity professionals are encouraged to respond with prompt vulnerability disclosure and patching, coupled with proactive threat detection and anomaly blocking, such as per-client rate limits and alerts on clients that look up far more numbers than a normal address-book sync would, to limit unauthorised access.
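The two controls the article mentions for a contact-discovery style endpoint, detecting enumeration in access logs and throttling it with a rate limit, are easier to reason about in code. The block below is an added example written for this page; it is not WhatsApp's or Meta's code, and the log format, client identifiers, thresholds and sample data are all constructed for illustration. It flags a client on two hypothetical signals: total numbers looked up within a sliding window, and long runs of consecutive phone numbers (an address-book sync queries scattered numbers, while walking a numbering plan does not). A per-client token bucket then shows how many of the scraper's batches a simple limit would have rejected.

```python
"""Detecting and throttling bulk lookups against a contact-discovery endpoint.
Added illustration, not WhatsApp's or Meta's code; log format, client names,
thresholds and sample data are constructed for the example."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Hypothetical access-log line: one request carries one batch of numbers.
LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) numbers=(?P<numbers>[+\d,]+)$")


def parse_line(line):
    """Return (timestamp, client, [numbers as ints]) or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    numbers = [int(n.lstrip("+")) for n in m["numbers"].split(",") if n]
    return ts, m["client"], numbers


def longest_sequential_run(numbers):
    """Length of the longest run n, n+1, n+2, ... among the numbers queried."""
    s = sorted(set(numbers))
    if not s:
        return 0
    best = run = 1
    for a, b in zip(s, s[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


class TokenBucket:
    """Per-client budget of numbers that refills continuously over time."""

    def __init__(self, capacity, refill_per_sec):
        self.capacity, self.refill = capacity, refill_per_sec
        self.tokens, self.last = capacity, None

    def allow(self, ts, cost):
        if self.last is not None:
            elapsed = (ts - self.last).total_seconds()
            self.tokens = min(self.capacity, self.tokens + elapsed * self.refill)
        self.last = ts
        if cost <= self.tokens:
            self.tokens -= cost
            return True
        return False


def analyse(lines, window_seconds=3600, max_lookups=500, max_run=20, bucket_capacity=500):
    """Sliding-window enumeration detector plus a token-bucket limiter.
    Thresholds are hypothetical. Returns a per-client report dict."""
    windows = defaultdict(deque)          # client -> deque of (ts, batch size)
    seen = defaultdict(list)              # client -> every number it queried
    buckets = {}
    report = defaultdict(lambda: {"peak_lookups": 0, "longest_run": 0, "rejected": 0, "flags": []})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, numbers = parsed
        dq = windows[client]
        dq.append((ts, len(numbers)))
        while (ts - dq[0][0]).total_seconds() > window_seconds:
            dq.popleft()                  # drop batches older than the window
        rep = report[client]
        rep["peak_lookups"] = max(rep["peak_lookups"], sum(n for _, n in dq))
        seen[client].extend(numbers)
        bucket = buckets.setdefault(client, TokenBucket(bucket_capacity, bucket_capacity / window_seconds))
        if not bucket.allow(ts, len(numbers)):
            rep["rejected"] += 1          # this batch would have been refused
    for client, rep in report.items():
        rep["longest_run"] = longest_sequential_run(seen[client])
        if rep["peak_lookups"] > max_lookups:
            rep["flags"].append("volume")
        if rep["longest_run"] >= max_run:
            rep["flags"].append("sequential")
    return dict(report)


# Constructed sample: one phone syncing a 40-entry address book of scattered
# numbers, and one scraper walking 1,000 consecutive numbers in ten batches
# one minute apart.
SAMPLE_LOG = [
    "2025-11-18T10:00:00Z client=phone-a numbers="
    + ",".join(f"+43660{n}" for n in range(1000000, 1400000, 10000))
] + [
    f"2025-11-18T10:{i:02d}:00Z client=scraper numbers="
    + ",".join(f"+{43660200000 + j}" for j in range(i * 100, (i + 1) * 100))
    for i in range(10)
]

if __name__ == "__main__":
    for client, rep in analyse(SAMPLE_LOG).items():
        print(client, rep)
```

In the constructed sample the phone stays under every threshold, while the scraper peaks at 1,000 lookups in the window, shows a 1,000-number consecutive run, and has its last five batches refused once the 500-number bucket is drained and the slow refill cannot keep up. Real deployments would key the bucket on something harder to rotate than a client label (account, device attestation or a combination) and tune the thresholds against observed sync behaviour.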
Corporate responsibility
Organisations should not rely solely on end-to-end encryption as a guarantee of regulatory compliance or data protection. Clear policies around device use and instant messaging are vital, particularly for businesses handling regulated data. Recommended controls include enterprise mobility management, data-loss prevention, and exclusive use of approved messaging channels for official communication.
Training at every level, from executive teams to frontline workers, is seen as essential in minimising the risk of social engineering attacks built on scraped datasets such as this one.
Containment strategies
Nishiyama said businesses should focus on containment measures even after preventive steps. Privileged access management and zero-trust security models can help restrict the impact of a compromise, enforcing least-privilege access, credential rotation, and user verification. These controls help ensure that any single account cannot be leveraged for broader attacks against high-value business systems.
"WhatsApp remains hugely widespread across APAC, so threats here are not hypothetical - the scale of exposure means both individual hygiene and organisational controls must be treated as core cyber risk, not an optional convenience," said Nishiyama.