Lawsuit About WhatsApp Security

Attaullah Baig, WhatsApp’s former head of security, has filed a whistleblower lawsuit alleging that Facebook deliberately failed to fix a bunch of security flaws, in violation of its 2019 settlement agreement with the Federal Trade Commission.

The lawsuit, alleging violations of the whistleblower protection provision of the Sarbanes-Oxley Act passed in 2002, said that in 2022, roughly 100,000 WhatsApp users had their accounts hacked every day. By last year, the complaint alleged, as many as 400,000 WhatsApp users were getting locked out of their accounts each day as a result of such account takeovers.

Baig also allegedly notified superiors that data scraping on the platform was a problem because WhatsApp failed to implement protections that are standard on other messaging platforms, such as Signal and Apple Messages. As a result, the former WhatsApp head estimated that pictures and names of some 400 million user profiles were improperly copied every day, often for use in account impersonation scams.

More news coverage.

Posted on September 15, 2025 at 7:05 AM • 6 Comments

Comments

tfb September 15, 2025 12:52 PM

The claim that

As a result, the former WhatsApp head estimated that pictures and names of some 400 million user profiles were improperly copied every day

is curious. WhatsApp has something like 3 billion users, so this means the entire userbase is being leaked every 10 days. Or it’s the same 400 million every day (or there is a huge overlap) which makes this a misleading claim, at best.

Or someone has got confused between thousands and millions.

KC September 15, 2025 10:00 PM

Someone on ArsTechnica was kind enough to post the court docket and complaint (Baig v. Meta Platforms).

Through the SOX complaint Mr. Baig demonstrates how WhatsApp’s growth as goal #1 leaves only token assurances for privacy and security in a world where regulation shields material impacts.

In a 2022 meeting, WhatsApp’s head of Global Public Policy had the wherewithal to ask if WhatsApp was teetering with a Mudge Twitter scenario. Mr. Baig sent them the link to the Forbes article detailing Zatko’s Twitter accusations of fraud and securities violations.

Of particular concern to Mr. Baig was the possibility that WhatsApp’s and Meta’s leadership could face criminal liability for misrepresenting the Respondent’s cybersecurity capabilities and risks, similar to the charges brought against Uber’s Chief Information Security Officer (“CISO”) and the CISO of SolarWinds.

When Baig met with WhatsApp’s product manager for Privacy Infrastructure in 2023 the gentleman declared “I don’t worry much about the FTC Order. We have lawyers for that.”

iAPX September 16, 2025 6:07 AM

“WhatsApp” and “security” in the same sentence?
Shouldn’t it be ruled illegal, or at least laughable?

The fun part of WhatsApp and many other “secure chat” apps is that they are structured to enable Palantir (and Palantir-like) data harvesting and processing.

And it’s not a feature, it’s the core product…

LtWorf September 16, 2025 10:30 AM

Remember?

Do you remember when the author of this very blog was repeatedly suggesting that WhatsApp was the second best option for secure communications?

Kinda Irritated September 16, 2025 3:12 PM

@LtWorf

Actually, no? Doing a search I see plenty of negative articles on WhatsApp.
Except for maybe this:

(7 years ago)

“Russia has banned the secure messaging app Telegram. It’s making an absolute mess of the ban—blocking 16 million IP addresses, many belonging to the Amazon and Google clouds—and it’s not even clear that it’s working. But, more importantly, I’m not convinced Telegram is secure in the first place.

Such a weird story. If you want secure messaging, use Signal. If you’re concerned that having Signal on your phone will itself arouse suspicion, use WhatsApp.”

Sounds more like Bruce was advocating using something rather than nothing. I’m sure most readers of this blog have two brain cells to rub together and have a healthy suspicion of anything put out by Facebook.

Brigita Private Limited September 22, 2025 11:39 PM

This is a very timely discussion. Security and privacy lawsuits around platforms like WhatsApp highlight how critical it is for businesses and users to rethink their approach to communication security. End-to-end encryption is often seen as the gold standard, but issues like metadata exposure and regulatory challenges show that there’s still a lot of work to be done.

At Brigita, we’ve observed how enterprises are increasingly moving toward secure, cloud-based communication and infrastructure solutions to minimize such risks. The focus is shifting from just having encryption to building a holistic security framework that includes compliance, access management, and real-time monitoring.

Really appreciate the depth of this post—it sheds light on the broader implications of communication security in today’s digital environment.
