A new lawsuit puts WhatsApp’s security back under the spotlight. Attaullah Baig, the app’s former head of security, alleges that Meta ignored critical flaws that allow hundreds of employees to access sensitive user data and failed to stop mass account hacks. Meta denies the claims, but for WhatsApp’s 3 billion users, the question is the same: Is WhatsApp really safe to use?
- Is WhatsApp secure for private chats?
- Why is Meta being sued over WhatsApp privacy concerns?
- What are WhatsApp’s security and privacy risks?
- How to stay safe on WhatsApp
- Choose a more private instant messaging app
Is WhatsApp secure for private chats?
Despite the lawsuit’s claims, WhatsApp’s end-to-end encryption (E2EE) remains intact. Nothing suggests that WhatsApp’s encryption protocol has been broken or that Meta can read the contents of your conversations. That means your texts, photos, and voice calls are still protected from outside access, including Meta itself.
However, WhatsApp can read your metadata (who you are talking to, when, etc.) and, depending on where you live, shares that data with Meta. So, its security depends on how much information you want to keep private.
Why is Meta being sued over WhatsApp privacy concerns?
Attaullah Baig, who ran WhatsApp’s security team between 2021 and 2025, says the app isn’t nearly as private as Meta claims. In his lawsuit, he alleges that roughly 1,500 employees have access to sensitive user information, including location, profile photos, group memberships, and contact lists.
If these claims are true, they would clarify WhatsApp’s position on end-to-end encryption: Your messages are private, but your location, profile photos, group memberships, and contact lists are fair game. That kind of unrestricted access opens the door to insider threats and data leaks, where sensitive information could be stolen and sold on the dark web.
The former security chief argues this level of access may also violate a binding US government order that forced Meta (then Facebook) to pay a record $5 billion fine in 2020 after the Cambridge Analytica scandal.
He also alleges the company ignored more than 100,000 daily account takeovers and rejected his proposed fixes. According to the lawsuit, when Baig raised these concerns with senior leadership, including Mark Zuckerberg, Meta fired him.
Meta has denied Baig’s claims and blamed his dismissal on poor performance. The allegations have also drawn political attention, with senators pressing Zuckerberg for answers about WhatsApp’s security practices.
Baig’s lawsuit comes just a few days after a group of six current and former Meta employees claimed that the company covered up evidence of children being exposed to grooming, harassment, and violence on its virtual reality platforms. Meta also denied those claims.
What are WhatsApp’s security and privacy risks?
With WhatsApp’s handling of user data under the spotlight, here are the security and privacy risks you may face when using this app:
Malware and spyware
Malicious apps or links can install spyware on your phone, allowing attackers to intercept messages or codes. One example is PixPirate, an Android malware first spotted in Brazil, where it targeted the country’s instant payment system, Pix. It has since been observed in India, Mexico, and Italy. Its goal is to steal banking credentials, intercept two-factor authentication (2FA) codes, initiate unauthorized Pix transfers from a victim’s account, and block attempts to uninstall it or disable Google Play Protect.
Attackers have used WhatsApp to spread PixPirate. If the malware doesn’t detect WhatsApp on the device, it will download it to send more malicious links to contacts.
Zero-click exploits
In 2025, researchers discovered a zero-click attack that let hackers break into iPhones and Macs through WhatsApp without users clicking anything. The exploit combined two flaws: one in how macOS and iOS processed images, and another in WhatsApp’s device linking feature.
Cybercriminals could deliver spyware to Apple users through WhatsApp messages and steal data from their devices, including messages. Meta said that fewer than 200 users were affected, and both Apple and WhatsApp have since patched the vulnerabilities.
SIM swapping and verification code scams
Attackers may trick your mobile carrier into transferring your phone number to a new SIM card they control. Then they can scam you into sharing the six-digit code that WhatsApp sends by SMS when setting up a new device. If you hand it over, bad actors can hijack your account, lock you out, steal your identity, and use your profile to scam your contacts. Police in Southwark, London, reported a surge of these attacks in 2021, warning people never to share their WhatsApp codes.
Exposed metadata
Chats may be end-to-end encrypted, but WhatsApp (and its parent company Meta) still collects metadata — like who you talk to, how often, your device details, and location. Metadata can’t be used to identify you directly, but it can be cross-referenced with other information to re-identify you. And because Meta is based in the US, it may share everything it knows about you with the US government without notice.
Targeted ads on all Meta platforms
WhatsApp says it doesn’t use message content for ads, but it does use other data — like account info (country code, age), device info (language, location), and activity in Status and Channels (what you view, follow, or click). Because WhatsApp is part of Meta, this data can be shared across Facebook and Instagram, although this data sharing is limited in Europe thanks to the GDPR.
Ever since WhatsApp changed its privacy policy in 2021, it has also shared with Meta (then Facebook) the payment and transaction data from interactions you may have had with businesses. If you connect WhatsApp to Meta’s Accounts Center, your ad preferences are unified, meaning actions in WhatsApp can influence ads you see elsewhere. And with new features powered by Meta AI, data sharing across platforms raises even more concerns.
Meta AI training
Meta AI is embedded in WhatsApp, Facebook, and Instagram, fueling worries about how data is processed, used for AI training, and shared across these platforms.
On WhatsApp, Meta says Meta AI doesn’t access your private, end-to-end encrypted chats. However, the prompts and feedback you share with Meta AI may be stored and used to improve its models. WhatsApp also offers a conversation-summary feature that relies on “private processing,” which Meta claims prevents summaries from being read by the company or anyone else.
Even with these assurances, concerns remain about how much control people really have over their data. For instance, Facebook users have reported that Meta AI enabled settings that allowed it to scan unpublished photos from their camera roll without their consent.
How to stay safe on WhatsApp
Here’s what you can do to improve your privacy and security when using WhatsApp:
- Turn on security notifications on your phone to get alerts when a contact reinstalls WhatsApp, changes phones, or adds or removes a linked device.
- Create a passkey so you can log in to WhatsApp with your face, fingerprint, or screen lock. This prevents someone else from logging in even if they get your SMS code.
- Add an email address to verify or recover your account if you’re locked out. Make sure your email itself is secured with a strong password and two-factor authentication.
- Enable end-to-end encrypted backups to protect your chats in iCloud or Google Drive so that not even Apple, Google, or Meta can read them; otherwise, you should turn off chat backups entirely. WhatsApp doesn’t let you choose a cloud storage provider.
- Never share your six-digit verification code with anyone. WhatsApp and Meta will never ask for it.
- Ask your mobile carrier to add a PIN or passphrase before your number can be moved to another SIM card. This makes SIM swapping much harder.
- Only download WhatsApp from the Google Play or App Store and keep it — and your mobile and desktop operating system — updated to the latest version.
- Never click links or install apps from unknown or suspicious WhatsApp contacts. If you’re unsure about a contact, reach out to them using another method to confirm their identity.
- Lock down your WhatsApp privacy settings by limiting who can add you to groups and see your profile picture, last seen and online status, about section, and links on your profile.
- It’s not possible to turn off Meta AI on WhatsApp, so avoid interacting with it if you don’t want to risk your messages or activity being used for AI training.
Choose a more private instant messaging app
Although you can take steps to improve your security and limit what other WhatsApp users can see, this doesn’t change the fact that Meta still relies on collecting user information, such as metadata, for revenue. If recent whistleblower claims are accurate, that access may be even broader than the company admits. Given Meta’s history of privacy violations, some skepticism is justified.
If you’re concerned about this level of control, consider a more private alternative to WhatsApp that collects far less data and is not tied to a Big Tech company fined by regulators for its pay-or-consent advertising model.