Researchers have disclosed a weakness in WhatsApp’s API that allowed the scraping of public profile data (photos, “about” text, and status) from up to 3.5 billion accounts. While not a breach of private messages, this massive dataset helps attackers build detailed profiles for social engineering.
Business Impact
This data is a goldmine for phishers. By correlating profile photos and status updates, attackers can craft highly personalized spear-phishing campaigns targeting employees. It also poses a physical security risk if “about” text or statuses reveal location or travel plans.
Why It Happened
The API lacked sufficient rate limiting or privacy controls to prevent automated tools from querying millions of phone numbers to harvest public profile information at scale.
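The following is an added illustration of the missing control, not WhatsApp's code: a per-caller sliding-window rate limiter in front of a toy public-profile lookup endpoint. The caller names, phone numbers, profile fields and quota values are all constructed for the simulation. A normal client doing a handful of lookups is unaffected, while a client that walks through a thousand numbers in ten seconds is refused after its quota and shows up in a review list for the operations team.

```python
"""Per-caller rate limiting on a public-profile lookup endpoint.

Added illustration, not WhatsApp's code. It models the control the post
says was missing: a sliding-window quota per API caller, so a normal
client is unaffected while a bulk enumerator is cut off after its quota
and surfaces in a review list.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per caller in any `window` seconds."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._events: dict[str, deque] = defaultdict(deque)

    def allow(self, caller: str, now: float) -> bool:
        q = self._events[caller]
        # Discard timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class ProfileService:
    """Toy lookup endpoint guarded by the limiter (constructed sample data)."""

    def __init__(self, limiter: SlidingWindowLimiter) -> None:
        self.limiter = limiter
        self.denied: dict[str, int] = defaultdict(int)
        # Constructed sample profiles; fields mirror those named in the post.
        self.profiles = {
            "+15550000001": {"photo": "p1.jpg", "about": "Hey there!", "status": "at work"},
            "+15550000002": {"photo": "p2.jpg", "about": "", "status": "away"},
        }

    def lookup(self, caller: str, phone: str, now: float) -> dict:
        if not self.limiter.allow(caller, now):
            self.denied[caller] += 1
            return {"status": "rate_limited", "retry_after": self.limiter.window}
        return {"status": "ok", "profile": self.profiles.get(phone)}

    def flagged(self, min_denied: int) -> list[str]:
        """Callers refused at least `min_denied` times: candidates for review."""
        return sorted(c for c, n in self.denied.items() if n >= min_denied)


def run_simulation(limit: int = 20, window: float = 60.0) -> dict:
    """Replay a normal client and a bulk enumerator; return per-caller counts."""
    svc = ProfileService(SlidingWindowLimiter(limit, window))
    counts = {"client-normal": {"allowed": 0, "denied": 0},
              "client-bulk": {"allowed": 0, "denied": 0}}

    # Normal client: five lookups of a known contact, ten seconds apart.
    for i in range(5):
        r = svc.lookup("client-normal", "+15550000001", now=10.0 * i)
        counts["client-normal"]["allowed" if r["status"] == "ok" else "denied"] += 1

    # Bulk client: 1000 sequential numbers in ten seconds (constructed traffic).
    for i in range(1000):
        r = svc.lookup("client-bulk", f"+1555{i:07d}", now=0.01 * i)
        counts["client-bulk"]["allowed" if r["status"] == "ok" else "denied"] += 1

    counts["flagged"] = svc.flagged(min_denied=100)
    return counts


if __name__ == "__main__":
    print(run_simulation())
```

With the defaults, the normal client gets all five lookups answered, the bulk client gets exactly twenty before every further request is refused, and only the bulk client appears in the flagged list. The quota of twenty lookups per minute is a placeholder; the point is that the limit is enforced per caller and that refusals are counted, so the same mechanism that throttles scraping also produces the signal a detection team can alert on.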
Recommended Executive Action
Advise employees to restrict their WhatsApp privacy settings. Profile photos and “About” information should be set to “My Contacts” or “Nobody” rather than “Everyone” to mitigate the risk of reconnaissance by threat actors.
Hashtags: #WhatsApp #Privacy #DataScraping #SocialEngineering #CyberSecurity #BigData #InfoSec
