WhatsApp Breach Incident Score: Analysis & Impact (WHA2002220112025)
The Rankiteo video explains how WhatsApp was impacted by a vulnerability on June 16, 2021.
Incident Summary
Key Highlights From This Incident Analysis
- Timeline of WhatsApp's vulnerability and lateral movement inside the company's environment.
- Overview of affected data sets, including SSNs and PHI, and why they materially increase incident severity.
- How Rankiteo's incident engine converts technical details into a normalized incident score.
- How this cyber incident affects WhatsApp's Rankiteo cyber score and cyber rating.
- Rankiteo's MITRE ATT&CK correlation analysis for this incident, with the associated confidence level.
Full Incident Analysis Transcript
In this Rankiteo incident briefing, we review the WhatsApp breach identified under incident ID WHA2002220112025.
The analysis begins with a detailed overview of WhatsApp's company information: the LinkedIn page (https://www.linkedin.com/company/instagram), the number of followers (321537), the industry type (Software Development) and the number of employees (3264).
After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The score was 808 before the incident and 808 after it, a difference of 0, which can serve as an indicator of the severity and impact of the incident.
In the next step of the video, we analyze the incident in more detail, along with the impact it had on WhatsApp and their customers.
On 01 April 2025, WhatsApp (Meta Platforms, Inc.) disclosed privacy violation, data exposure and unintended data disclosure issues under the banner "Critical WhatsApp Vulnerability Exposes 3.5 Billion User Phone Numbers and Profile Data".
Security researchers from the University of Vienna uncovered a critical vulnerability in WhatsApp's contact discovery mechanism, allowing them to enumerate the phone numbers of 3.5 billion users worldwide.
The disruption is felt across the environment, affecting the WhatsApp Contact Discovery API and WhatsApp Android clients (key reuse vulnerability), and exposing phone numbers (3.5 billion), public profile pictures (77 million from US accounts) and status messages, with nearly 3.5 billion phone numbers and 77 million US profile pictures at risk.
In response, teams activated the incident response plan and moved swiftly to contain the threat with cardinality-based rate limiting using probabilistic data structures, restricted access to profile pictures and status messages (even when set to public), and the removal of timestamps from profile picture queries. Remediation included fixing the key reuse vulnerability in Android clients and enhancing API protections against bulk enumeration, and stakeholders were briefed through a public disclosure with mitigation details that emphasized end-to-end encryption remains intact.
The case, now marked Completed (vulnerability patched; research published), leaves teams with these lessons: centralized messaging platforms face inherent privacy risks when convenience features (e.g., contact discovery) lack abuse protections at scale; weak rate limiting can enable mass enumeration attacks, exposing billions of records; and publicly accessible data (e.g., profile pictures) can become high-risk when combined with other exposed attributes (e.g., phone numbers). Recommended next steps are to implement stricter rate limiting with probabilistic data structures (e.g., Bloom filters) to prevent enumeration attacks, to restrict the default visibility of profile pictures and status messages even for 'public' settings, and to audit third-party API access and contact discovery mechanisms for abuse potential. Advisories to stakeholders covered WhatsApp's notification of users via a blog post and in-app notifications about the privacy enhancements.
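The cardinality-based rate limiting described above, as an added illustration that is not Rankiteo's or WhatsApp's code: a per-client Bloom filter remembers which numbers have already been looked up in the current window, so a legitimate client re-syncing the same address book spends no budget, while a client probing thousands of distinct numbers is cut off once its distinct-lookup count passes the cap. The client ids, thresholds and phone numbers are constructed for the demonstration.

```python
import hashlib
import math


class BloomFilter:
    """Fixed-size Bloom filter: a 'probably already seen' set of looked-up numbers."""

    def __init__(self, capacity, error_rate=0.01):
        self.m = math.ceil(-capacity * math.log(error_rate) / math.log(2) ** 2)
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        for i in range(self.k):  # k independent hashes via salted SHA-256
            h = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add_if_new(self, item):
        """Insert item; return True if it was (probably) not seen before."""
        new = False
        for p in self._positions(item):
            byte, bit = divmod(p, 8)
            if not self.bits[byte] & (1 << bit):
                new = True
                self.bits[byte] |= 1 << bit
        return new

class CardinalityLimiter:
    """Limit how many *distinct* numbers a client may look up per window (constructed policy)."""

    def __init__(self, max_distinct=1000, window_seconds=3600):
        self.max_distinct, self.window, self.state = max_distinct, window_seconds, {}

    def allow(self, client_id, phone_number, now):
        st = self.state.get(client_id)
        if st is None or now - st["start"] >= self.window:  # new window: reset filter
            st = {"start": now, "seen": BloomFilter(self.max_distinct * 2), "distinct": 0}
            self.state[client_id] = st
        if st["seen"].add_if_new(phone_number):  # repeated lookups cost nothing
            st["distinct"] += 1
        return st["distinct"] <= self.max_distinct

def simulate():
    """Constructed traffic: a legitimate re-syncing client versus an enumerating client."""
    lim = CardinalityLimiter(max_distinct=1000)
    book = [f"+1555{i:07d}" for i in range(300)]  # constructed 300-entry address book
    legit = sum(lim.allow("app-A", n, 0) for _ in range(5) for n in book)  # 5 full syncs
    probe = sum(lim.allow("app-B", f"+1555{i:07d}", 0) for i in range(5000))  # 5000 distinct
    return legit, probe
```

Because the filter only approximates membership, the enumerating client may get a handful of extra lookups past the cap before being blocked, which is the accepted trade-off for the memory savings.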
Finally, we map the incident onto the MITRE ATT&CK framework to see which of its tactics and techniques correlate with what was observed.
The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.
Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Reconnaissance tactic, the analysis identified Active Scanning: Vulnerability Scanning (T1595.002) with high confidence (95%), supported by evidence indicating weak rate-limiting protections enabled enumeration of 3.5B phone numbers via API abuse and Gather Victim Identity Information: Employee/Partner/Customer (T1589.002) with high confidence (90%), supported by evidence indicating exposed phone numbers, profile pictures, status messages, business account info, device details. Under the Initial Access tactic, the analysis identified Phishing: Spearphishing Link (T1566.002) with moderate to high confidence (85%), supported by evidence indicating exposed data enables spam, phishing, and robocalls via linked phone numbers + identities. Under the Collection tactic, the analysis identified Automated Collection (T1119) with high confidence (95%), supported by evidence indicating probe over 100 million phone numbers per hour via automated API queries and Data from Local System (T1005) with moderate to high confidence (80%), supported by evidence indicating downloaded 77M public profile pictures and encryption keys, timestamps. Under the Exfiltration tactic, the analysis identified Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003) with high confidence (90%), supported by evidence indicating researchers downloaded 77M profile pictures via legitimate API (abused for bulk exfiltration). 
Under the Impact tactic, the analysis identified Data from Cloud Storage (T1530) with moderate to high confidence (85%), supported by evidence indicating exposed 3.5B phone numbers + facial recognition data enables surveillance/legal risks in banned regions and Data Destruction (T1485) with lower confidence (30%), supported by evidence indicating no direct destruction, but long-term surveillance and targeting risks imply persistent impact. Under the Defense Evasion tactic, the analysis identified Data Obfuscation: Protocol Impersonation (T1001.003) with moderate to high confidence (70%), supported by evidence indicating exploited reverse-engineered APIs and cardinality-based rate-limiting bypass. Under the Credential Access tactic, the analysis identified Credentials from Password Stores: Credentials from Web Browsers (T1555.003) with moderate confidence (60%), supported by evidence indicating exposed encryption keys (though E2E message encryption remained intact). These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.
Sources
- WhatsApp Rankiteo Cyber Incident Details: http://www.rankiteo.com/company/whatsapp./incident/WHA2002220112025
- WhatsApp CyberSecurity Rating page: https://www.rankiteo.com/company/whatsapp.
- WhatsApp Rankiteo Cyber Incident Blog Article: https://blog.rankiteo.com/wha2002220112025-whatsapp-meta-platforms-inc-vulnerability-june-2021/
- WhatsApp CyberSecurity Score History: https://www.rankiteo.com/company/whatsapp./history
- WhatsApp CyberSecurity Incident Source: https://cyberpress.org/whatsapp-vulnerability/
- Rankiteo A.I CyberSecurity Rating methodology: https://www.rankiteo.com/static/rankiteo_algo.pdf
- Rankiteo TPRM Scoring methodology: https://www.rankiteo.com/static/Rankiteo%20Cybersecurity%20Rating%20Model.pdf