The more scary part of this is that WhatsApp probably has a database with phonenumber/imei number pairs on their servers.

The fact that their API uses the IMEI is not great but relatively low risk.

Wait until their servers get hacked and that list of how-many-million pairs of phone/imei numbers gets released.

Setups like this are time bombs.