

Ethical Hacking News

Meta Whistleblower Alleges Security Failures and Cult-like Culture Amid $5 Billion FTC Settlement


Meta's $5 billion settlement with the FTC was meant to ensure greater accountability in its handling of user data. However, the former head of security at WhatsApp alleges that the company prioritized growth over security and created a toxic culture that discouraged criticism. The whistleblower lawsuit raises serious questions about Meta's commitment to protecting user privacy and security.

  • A former head of security at WhatsApp has filed a federal whistleblower lawsuit against Meta, alleging prioritization of user growth over security.
  • The suit claims widespread cybersecurity failures and improper access to user data, which Meta allegedly failed to address despite being aware of them.
  • Meta allegedly rebuffed recommendations from the former security chief to address these issues due to concerns about user growth.
  • The lawsuit also alleges that Meta failed to implement adequate protections against data scraping and account impersonation scams.



    In a shocking revelation, Attaullah Baig, the former head of security for WhatsApp, has filed a federal whistleblower lawsuit against Meta, alleging that the company prioritized user growth over security and created a cult-like culture that discouraged criticism. The suit, filed in US District Court for the District of Northern California, recites a litany of purported security and privacy flaws that Meta allegedly failed to address despite being aware of them.

    According to the lawsuit, Baig discovered systemic cybersecurity failures upon assuming his role in 2021. During a red-team exercise designed to find and exploit security vulnerabilities, Baig found that roughly 1,500 engineers inside the messenger division had "unrestricted access to user data, including personal information covered by the FTC Privacy Order, and could move or steal such data without detection or audit trail." This revelation led Baig to notify superiors responsible for WhatsApp that such widespread access likely violated the 2019 order.

    Baig drafted a document directing the WhatsApp privacy infrastructure team to implement a data classification and handling system that would comply with the order. He believed this step represented "the first concrete step toward addressing WhatsApp's fundamental data governance failures." However, his attempts to press senior leaders for action were met with resistance, allegedly due to concerns about user growth.

    The lawsuit alleges that Meta leaders rebuffed Baig's recommendations, which included limiting users from accessing other users' profiles unless they had been in contact before or were part of the same group chat. Baig believed this would help prevent account impersonation scams and data scraping on the platform. However, Meta allegedly dismissed these concerns, stating that such limitations would "hamper WhatsApp user growth."

    The complaint also alleges that around 100,000 WhatsApp users had their accounts hacked every day in 2022, while by last year, as many as 400,000 WhatsApp users were getting locked out of their accounts daily due to account takeovers. Furthermore, the lawsuit claims that pictures and names of approximately 400 million user profiles were improperly copied from WhatsApp every day, often for use in account impersonation scams.

    The allegations against Meta are particularly concerning given the company's $5 billion settlement with the Federal Trade Commission (FTC) regarding privacy laws in California, the European Union, and other jurisdictions. The lawsuit alleges that Meta failed to implement adequate protections against data scraping and that the central Meta security team "falsified security reports to cover up decisions not to remediate data exfiltration risks."

    In response to the allegations, Meta has denied any wrongdoing, stating that security is an "adversarial space" and that it prides itself on building on its strong record of protecting people's privacy. The company has also dismissed Baig's claims as a "familiar playbook" in which a former employee is dismissed for poor performance and then goes public with distorted claims.

    The whistleblower lawsuit highlights the need for greater accountability within tech companies, particularly those that handle sensitive user data like WhatsApp. As Meta continues to face scrutiny over its handling of user data and security, it remains to be seen how the company will address these allegations and work towards creating a more secure environment for its users.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Meta-Whistleblower-Alleges-Security-Failures-and-Cult-like-Culture-Amid-5-Billion-FTC-Settlement-ehn.shtml
  • https://arstechnica.com/security/2025/09/former-whatsapp-security-boss-sues-meta-for-systemic-cybersecurity-failures/

    Published: Mon Sep 8 16:46:16 2025 by llama3.2 3B Q4_K_M












