Takanori Nishiyama from Keeper Security explains how a single WhatsApp API flaw exposed 3.5 billion accounts, and why Australian businesses must treat APIs as critical security vulnerabilities.
What’s happening: Researchers exploited WhatsApp’s contact discovery feature to compile 3.5 billion active accounts. Meta has since implemented protective measures, but the incident exposes how platforms used by 92 per cent of Malaysians, 91 per cent of Indonesians, and 82 per cent of Singaporeans can become massive security vulnerabilities when API protections fail.
Why this matters: With APIs connecting everything from payment gateways to banking transactions, a single unprotected endpoint can expose phone numbers, profile photos, device metadata and create pathways for social engineering attacks that threaten both individual users and organisational systems across the Asia Pacific region.
A single vulnerability in WhatsApp’s contact discovery API allowed researchers to enumerate billions of active accounts, revealing personal information that threat actors could weaponise for targeted attacks across the region.
“WhatsApp’s contact discovery API study is a stark illustration of how platform convenience can quickly become a large-scale privacy and attack-surface risk,” says Takanori Nishiyama, SVP APAC & Japan Country Manager at Keeper Security. “In enumerating 3.5 billion active WhatsApp accounts by abusing an un-rate-limited API, researchers were able to exploit a capability that yields phone numbers, profile photos, ‘about’ text and device metadata.”
The researchers compiled this data by exploiting the contact discovery feature, which lacked the rate limiting protections necessary to prevent mass scraping. WhatsApp has since added these safeguards, but the incident highlights broader API security concerns affecting businesses throughout Asia Pacific.
“When more than nine in ten people in markets like Malaysia and Indonesia rely on WhatsApp daily, a single vulnerability like this can ripple across the entire region,” Nishiyama notes.
Many businesses remain unaware of how extensively they rely on APIs. These application programming interfaces connect social media platforms, payment gateways for e-commerce, maps and location services, communication tools, and banking transactions. Each represents a potential entry point if not properly secured.
End-user vulnerabilities
The immediate risk extends beyond data exposure. Scraped information creates opportunities for sophisticated social engineering attacks targeting both individuals and businesses.
“End users need to treat their WhatsApp account like any other sensitive online account,” Nishiyama advises. “That means enabling two-step verification and adding a recovery email to stop account takeover via SMS codes.”
He recommends users limit profile photos and about information to contacts only, avoid publicly linking WhatsApp numbers to other profiles, and maintain vigilance about unsolicited messages requesting codes or urgent payments.
“Instead of replying directly, verify the authenticity of a message first, and never share verification codes,” Nishiyama emphasises.
For businesses, the human element remains a critical vulnerability. Employees receiving messages from scraped contact lists may not recognise sophisticated phishing attempts, particularly when attackers possess genuine phone numbers and profile information.
Enterprise implications
Organisations cannot rely solely on platform-level encryption to protect their communications and data.
“Cybersecurity professionals need to regard APIs as a potentially significant Achilles heel,” Nishiyama warns. “APIs are designed for scale and automation – the same properties cybercriminals routinely look to exploit.”
He stresses that responsible vulnerability disclosure and timely patching help, but organisations must implement their own threat detection and anomaly blocking to prevent mass harvesting attempts.
“Organisations should never assume end-to-end encryption as a guarantee of regulatory safety,” Nishiyama says. “They should create clear bring-your-own-device and instant messaging policies that define permitted use, particularly where regulated data or client communications are involved.”
He recommends implementing enterprise mobility management controls, data loss prevention, and enterprise-approved secure messaging for official communications. Training programmes should address social engineering risks seeded from scraped datasets to reduce potential for human error.
Containment strategies
Even with preventive measures, businesses must prepare for potential compromises.
“Organisations also need to prioritise plans for containment,” Nishiyama advises. “Even if a messaging-related compromise occurs, robust privileged access management and zero-trust controls can drastically minimise the blast radius.”
He outlines essential controls including least-privilege access, credential rotation, verification of every user and device, and segmented access pathways. These measures ensure compromised accounts or harvested contact data cannot serve as entry points into high-value systems.
“Enforcing least-privilege access, rotating credentials, verifying every user and device, and segmenting access pathways ensures that a compromised account or harvested contact data cannot be used as a pivot into high-value systems,” Nishiyama explains. “These controls turn what could become a full-scale breach into a contained, low-impact incident.”
The stakes are particularly high across Asia Pacific, where WhatsApp penetration rates exceed 90 per cent in major markets. The platform’s widespread adoption means vulnerabilities affect entire business ecosystems, from supply chains to customer communications.
“WhatsApp remains hugely widespread across APAC, so threats here are not hypothetical, the scale of exposure means both individual hygiene and organisational controls must be treated as core cyber risk, not an optional convenience,” Nishiyama concludes.
For Australian businesses operating throughout the region, the message is clear. API security can no longer be treated as a technical concern relegated to IT departments. It represents a fundamental business risk requiring board-level attention, comprehensive policies, and ongoing vigilance across all levels of the organisation.
Keep up to date with our stories on LinkedIn, Twitter, Facebook and Instagram.
