
Ex-WhatsApp cybersecurity head says Meta endangered billions of users

neilv

> Attaullah Baig, who served as head of security for WhatsApp from 2021 to 2025, claims that approximately 1,500 engineers had unrestricted access to user data without proper oversight, potentially violating a US government order that imposed a $5bn penalty on the company in 2020.

If it results in a new billion-dollar penalty, maybe it would've saved money to move him quietly to a cushy rest-and-vest advisory position, in which he's not allowed to see, do, or say anything.

> In his whistleblower complaint, Baig is requesting reinstatement, [...]

I don't understand the "reinstatement" part. Does he actually want to go back, and think that it wouldn't be a toxic dynamic?

(He already talked about retaliation. And then by going public the way he did, I'd think he burned that bridge, salted the earth for a mile around bridge, and then nuked the entire metro area from orbit.)

Or is "reinstatement" simply something the lawyers just have to ask for, to ostensibly make him whole, but they actually neither want nor expect that?

pfortuny

You ask to be reinstated so that the financial settlement is higher (it includes the cost of sacking him).

jnsaff2

> Or is "reinstatement" simply something the lawyers just have to ask for, to ostensibly make him whole, but they actually neither want nor expect that?

“Reinstatement” is usually a legal formality in whistleblower cases: lawyers ask for it because the law says the remedy for retaliation is to make the employee whole, and it strengthens the case even if nobody expects it to happen. In reality, returning to the job is almost never feasible, so the request mostly serves as leverage for a financial settlement.

7bit

> I don't understand the "reinstatement" part. Does he actually want to go back, and think that it wouldn't be a toxic dynamic?

Maybe he's just laying a foundation for an upcoming legal dispute?

United857

That's rather surprising about the accessing user data bit. When I was at Meta, the quickest way to get fired as an engineer was to access user data/accounts without permission or business reason. Everything was logged/audited down to the database level. Can't imagine that changing and the rules are taught very early on in the onboarding/bootcamp process.

MrDresden

But the crucial bit to know here would be if that data was readable in any way in case it was accessed?

Personally it doesn't matter if there are auditing systems in place, if the data is readable in any way, shape or form.

dijit

Is that really true?

I haven’t touched a lot of these cyber security parts of industry, especially policies, for a while…

… but I do recall that auditing was a stronger motivator than preventing. There were policies around checking the audit logs, not being able to alter audit logs and ensuring that nobody really knew exactly what was audited. (Except for a handful of individuals of course.)

I could be wrong, but “observe and report” felt like it was the strongest possible security guarantee available inside the policies we followed (PCI-DSS Tier 1), and that prevention was a nice to have on top.

aprilthird2021

Everything is logged, but no one really cares, and the "business reasons" are many and extremely generic.

That being said, maybe I'm dumb but I guess I don't see the huge risk here? I could certainly believe that 1500 employees had basically complete access with little oversight (logging and not caring isn't oversight imo). But how is that a safety risk to users? User information is often very important in the day to day work of certain engineering orgs (esp. the large number of eng who are fixing things based off user reports). So that access exists, what's the security risk? That employees will abuse that access? That's always going to be possible I think?

lysace

That part of the complaint is specifically about 1500 "WhatsApp engineers".

Different culture from the blue app, or whatever they call it?

mgh2

Do you have proof?

YouWhy

To the extent a random person's evidence on the Internet amounts to proof:

From people at Facebook circa 2018, I know that end user privacy was addressed at multiple checkpoints -- onboarding, the UI of all systems that could theoretically access PII, war stories about senior people being fired due to them marginally misunderstanding the policy, etc.

Note that these friends did not belong to WhatsApp, which was at that time a rather separate suborg.

Jenk

Does Attaullah Baig?

mgh2

He better if he is filing a lawsuit.

imiric

Whatever Meta says publicly about this topic, and whatever its internal policies may be, directly contradicts its behavior. So any attempt to excuse this is nothing but virtue signalling and marketing.

The privacy violations and complete disregard for user data are too numerous to mention. There's a Wikipedia article that summarizes the ones we publicly know about.

Based on incentives alone, when the company's primary business model is exploiting user data, it's easy to see these events as simple side effects. When the CEO considers users of his products to be "dumb fucks", that culture can only permeate throughout the companies he runs.

testdelacc1

There’s a meaningful difference in a company wanting to exploit user data to enrich itself and allowing employees to engage in voyeurism. The latter doesn’t make the company money, and therefore can be penalised at no cost.

Your comment talks about incentives, but you haven’t actually made a rational argument tying actual incentives to behaviour.

lordofgibbons

Given how WhatsApp is the de-facto way to communicate outside of the West and China, these security/data-handling "weaknesses" are most likely a feature, not a bug. An absolute bonanza for the certain intelligence services.

Remember, kids: End to end encryption is useless if the "ends" are fully controlled by an (untrustworthy) third party.

cataflam

> outside of the West

You probably mean outside of the USA; it's huge in Europe/UK

(which doesn't contradict your main point)

kwanbix

It is huge in Latin America.

USA is special because it is the (only?) country where iPhone has more users than Android.

101008

Yeah, huge in Latin America in the sense that a lot of (most?) businesses only have a number that they use with WhatsApp (you can't call or even text them). Is it the same in Europe? Since I am from Latin America I never know if people from other continents use WhatsApp as much as we do, and if when I ask them to use WhatsApp I am imposing a new app or it's what they regularly use.

brazukadev

It's crazy how a US company dominates the world's messaging market but not in the US

Sgt_Apone

iPhone has more users than Android in Canada and Japan as well. I think some Nordic countries too.

thaumasiotes

I would have thought he meant "inside of the West". Outside of the West you have other channels.

Russia: Telegram

Taiwan: Line

Japan: Line

By contrast, WhatsApp is best known to me for being used in Europe, Australia, and India.

RyJones

Japan is mostly Instagram, Line, WhatsApp, Telegram, in that order, for me.

For business comms drop Instagram and move WhatsApp to first.

For Singapore it seems LinkedIn messages are the go-to IM for business.

Europe P2P: Telegram number one by a huge margin, then WhatsApp. B2B: WhatsApp, period.

N19PEDL2

I think the most used messaging app in Russia now is Max.

throwaway290

Telegram is degraded/blocked in Russia depending on where you are and how the authorities feel today.

zer0zzz

I’m not sure that’s true. I’m fairly certain that in the UK, France, AU and Canada, WhatsApp is not vastly more popular than the blue bubble alternative. At least I believe this was the case a few years ago, based on data I’d seen.

cataflam

In France and the UK, from personal experience, WhatsApp is big, especially for professional use, or friends/family groups.

Blue bubble isn't really a thing ever mentioned in France either, not enough iPhone market share.

OJFord

I'm in the UK, I don't even know what 'the blue bubble alternative' is (Signal? Telegram?), everyone's on WhatsApp.

dijit

> End to end encryption is useless if the "ends" are fully controlled by a (..) third party.

YES!

crypto_throwa

Without open source, end to end encryption is useless. It's not hard to hide a piece of code that defeats the encryption in closed source code.

__spooky__

iMessage is end to end encrypted. Although Apple says it's secure and the courts and FBI seem not to be able to get into it, it is still closed source.

bigiain

I can't tell if I'm being paranoid or just realistic, when I suspect that FBI/Apple fights over decrypting/unlocking iPhones or iMessage are just part of Apple's security theater.

If I were Evil-Tim-Cook, I'd have a deal with the FBI (and other agencies) where I'd hand over some user's data, in return for them keeping that secret and occasionally very publicly taking Apple to court demanding they expose a specific user and intentionally losing - to bolster Apple's privacy reputation.

paulryanrogers

iMessage backups in the cloud are subject to warrants. Even if you don't use iCloud backups, can you be sure everyone you communicate with also abstains?

rpdillon

Just don't back it up to iCloud!

yamazakiwi

Not able to get into it legally or without consequence, it is not infallible.

saagarjha

It is actually quite difficult.

another_twist

Curious, is there a PoC somewhere demonstrating an attack like this?

joaomacp

Sure:

  plain_msg = decrypt(encrypted_msg)
  send_to_nsa(plain_msg)

saagarjha

Ok, what do you suggest instead?

realz

I think Signal is the safest choice. If you want to be absolutely sure, host your own service, and hope you know how to make it have airtight security.

thewebguyd

Makes you wonder if Meta got one or more of those secret national security letters, or foreign equivalents.

Also makes me wonder about Google's change wrt Android security patches: moving to quarterly under the guise of "making it easier for OEMs" is actually just so that Paragon and other nation state spyware has access to the vulnerabilities for at least 4 months before they get patched.

gerdesj

"He also claimed the company failed to remedy the hacking and takeover of more than 100,000 accounts each day, ignoring his pleas and proposed fixes and choosing instead to prioritize user growth."

There is no oversight of these monstrosities of any sort. I doubt anyone would have issues with the thesis that Meta would implement anything that might curb their user numbers unless it was mandated.

Why would they? They are beholden to their shareholders first. If it isn't illegal then it isn't illegal, immoral perhaps but that is not illegal, unless it is illegal.

My learned friends are going to have to really get their bowling arms warmed up for this sort of skit. For starters, you need a victim ... err complainant.

alex1138

Zuckerberg has a different class of shares

And not every CEO begins life in their company with "if you need any info just ask, they trust me, dumb fucks"

bcye

Where is that quote from?

storus

Didn't Hacker News feature an article on their home page at some point (10 years ago?) that at that time Facebook misconfigured something and users could observe their data being fed directly to some Israeli intelligence company? That was the day I deleted my FB account and never looked at anything they offer anymore.

stingraycharles

At this point it’s best to assume that everything you communicate is being collected in some way.

There are very, very few apps I really trust. E.g. the only mechanism I trust for communicating passwords securely is GPG, I wouldn’t even use Signal for that.

cryptoegorophy

Unless you are the owner of the app and know exactly what they are doing, you can’t trust anyone. You don’t know what they are going through, or if they sold the app to someone, or had a certain code implementation that leaks all of your data. I stopped using Chrome when I had clear evidence of it leaking data: URLs visited.

ars

Are you thinking of Cambridge Analytica? That was a British company, not Israeli.

npalli

All Meta guys develop a conscience after leaving Meta.

danudey

You have to put your conscience in escrow until your options vest.

pixl97

I mean the options are

1) leave quietly and tell no one: con - no one on HN gets to talk about it. The next person needing money does it anyway.

2) leave loudly when you're still poor: con - you get blacklisted from tech and die from a preventable disease working at a gas station without insurance. The company implements the policy anyway.

3) leave loudly when you're rich: con - people accuse you of selling out the users.

solid_fuel

I believe you are forgetting:

4) Don't join Meta in the first place

I have consistently told recruiters from Meta to leave me alone. It is a company that has knowingly done massive harm to our culture and our children, and I have no interest in ever working with or for them.

transcriptase

Unsurprising given it’s been an open secret for over a decade that Meta employees will (if you have the right contacts or amount of money), orchestrate banning or seizing long-standing active accounts with desirable usernames and giving them to their friends or the highest bidder.

mikalauskas

Source?

transcriptase

Here’s one of many articles about the phenomenon:

https://www.cnbc.com/amp/2022/11/17/meta-disciplined-or-fire...

A related scheme is the existence of brokers who will, for a fee, recover banned or locked accounts. User pays the broker $X, broker pays their contact at Meta $Y, and using internal tooling suddenly a ban or suspension that would normally put someone in an endless loop of automated vague bullshit responses gets restored.

mentalgear

If you haven't already: Signal is the strongest independent e2e encrypted consumer app that is driven by a non-profit organisation using a zero knowledge approach.

coppsilgold

When it comes to e2e encryption it's important for the ends to be static (not web apps) and auditable (open source, reproducible builds), because the software running on the ends can trivially compromise anything going through either of them. It can be as simple as a script being loaded from the server into a runtime such as Lua (closed source app), or custom JavaScript delivered (web app).

When these conditions aren't met, any e2e encryption claim can be dismissed out of hand. This does not mean the service offers no value, it just means it cannot be trusted to keep anything confidential.

alex1138

I've seen some people right here on HN say that Whatsapp was an inspired acquisition and Zuck is a great product guy, knows what to buy and who to hire

Counterpoint: he's a monopolist and scummy person (https://news.ycombinator.com/item?id=1692122) who refuses to stop (https://arstechnica.com/tech-policy/2019/09/snapchat-reporte...) from the early days onwards (https://news.ycombinator.com/item?id=1169354)

https://news.ycombinator.com/item?id=15007454

sudahtigabulan

> In his whistleblower complaint, Baig is requesting reinstatement, back pay and compensatory damages, along with potential regulatory enforcement action against the company.

If the company is so bad (it is), why does he want to go back?!

'Just pay me the salaries I "missed", and keep them coming.' The regulatory action is just "potential".

I have no sympathy for Meta, but this guy...

saagarjha

Companies are not relationships where once they're your ex they are never worth interacting with ever again. If you are doing good work and then HR pushes you out, then it is reasonable to sue the company to get them to pay you damages and then go back to doing what you were before with the protection that they won't do it again.

sudahtigabulan

The point I tried to make was not that he should be resentful about being kicked out, but that he doesn't really care that Meta is unethical and endangers billions.

Even if nothing changes (the regulatory action is optional), he's happy to contribute (he insists, in fact). Even among people who don't want him there.

mapotofu

The points you’re making are personal attacks about the whistleblower. They don’t focus on the substance of the accusations (insecurity). Instead, they focus on your idea of their career motivations and their personality.

skybrian

Maybe so he can quit properly? I wonder how these lawsuits work? Maybe a lawyer would know.