
WhatsApp is a fast, simple and reliable way to talk to anyone in the world. More than 1.5 billion people across 180+ countries use WhatsApp to stay in touch with friends and family, anytime and anywhere. WhatsApp is not only free but also available on multiple mobile devices and in low connectivity areas — making it accessible and reliable wherever you are. It's a simple and secure way to share your favorite moments, send important information or catch up with a friend. WhatsApp helps people connect and share no matter where they are in the world. For many people in the world WhatsApp is a lifeline. We're looking for engineers, designers, researchers, product managers, technical program managers, customer ops, consumer marketing, and more. Come join our teams and make impact at scale.

WhatsApp A.I CyberSecurity Scoring

WhatsApp

Company Details

LinkedIn ID: whatsapp.
Employees number: 3,264
Number of followers: 321,537
NAICS: 5112
Industry Type: Software Development
Homepage: whatsapp.com
IP Addresses: 0
Company ID: WHA_1162364
Scan Status: In-progress

WhatsApp Risk Score (AI oriented)

Between 650 and 699

  • Powered by our proprietary A.I cyber incident model
  • Insurers prefer the TPRM score to calculate premiums

WhatsApp Global Score (TPRM)

XXXX

  • Instant access to detailed risk factors
  • Benchmark vs. industry & size peers
  • Vulnerabilities
  • Findings

WhatsApp Company CyberSecurity News & History

Past Incidents: 7
Attack Types: 3

WhatsApp
Breach
Severity: 100
Impact: 5
Seen: 6/2022
Rankiteo Explanation
Attack threatening the organization's existence

Description: A well-known hacking community forum was selling a 2022 database of 487 million WhatsApp user mobile numbers. The dataset allegedly contained WhatsApp user data from 84 countries including over 32 million US user records. It also contained another huge chunk of phone numbers belonging to the citizens of Egypt (45 million), Italy (35 million), Saudi Arabia (29 million), France (20 million), and Turkey (20 million).

WhatsApp
Data Leak
Severity: 50
Impact: 2
Seen: 06/2020
Rankiteo Explanation
Attack limited on finance or reputation

Description: The bug was found on WhatsApp's platform. Phone numbers of crores of users have been published on Google. Mobile numbers of 29,000 to 30,000 users were appearing in text format on Google due to the bug.

WhatsApp (Meta)
Vulnerability
Severity: 60
Impact: 3
Seen: 3/2025
Rankiteo Explanation
Attack with significant impact with internal employee data leaks

Description: WhatsApp disclosed a **zero-click vulnerability (CVE-2025-55177)** in its iOS and macOS apps, exploited in **targeted zero-day attacks** alongside an Apple OS-level flaw (CVE-2025-43300). The flaw allowed attackers to **bypass authorization** and force devices to process malicious content from arbitrary URLs, enabling **spyware deployment** (e.g., Paragon’s *Graphite*). WhatsApp confirmed the attacks were **highly sophisticated**, likely state-sponsored, targeting **journalists, civil society members, and high-profile individuals** over 90 days. While WhatsApp patched the issue and warned affected users, the **malware may persist** on compromised devices, requiring **factory resets**. The attack mirrors a March 2025 incident where WhatsApp disrupted a **Paragon spyware campaign** exploiting a similar zero-day. The **combination of WhatsApp and Apple OS vulnerabilities** suggests **advanced persistent threat (APT) actors** leveraged multi-stage exploits to **infiltrate devices silently**, exfiltrate data, and maintain persistence. No evidence of **mass data breaches** was reported, but the **targeted nature** implies **high-value intelligence gathering**, potentially compromising **sensitive communications, contacts, and device integrity** of victims. Users were urged to update software and reset devices to mitigate risks.

WhatsApp (Meta Platforms, Inc.)
Vulnerability
Severity: 85
Impact: 4
Seen: 6/2021
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: Security researchers from the University of Vienna exposed a critical **vulnerability** in WhatsApp’s contact discovery mechanism, enabling the enumeration of **3.5 billion phone numbers globally** by exploiting weak rate-limiting protections. The flaw allowed attackers to query **63 billion candidate numbers** across 245 countries, retrieving not just phone numbers but also **public profile pictures (77M from US users, 66% with detectable faces), status messages, business account details, device information, encryption keys, and timestamps**. The breach posed severe risks, particularly in **banned regions** (e.g., 2.3M active accounts in China, 1.6M in Myanmar, 59M in Iran), where users could face **government surveillance or legal repercussions**. Cross-referencing with the **2021 Facebook leak** revealed that **50% of exposed numbers remained active**, highlighting persistent threats like **spam, phishing, and robocalls**. While WhatsApp mitigated the issue post-disclosure (e.g., rate-limiting, restricting profile picture access), the incident underscored systemic privacy risks in centralized platforms, where **convenience features become attack vectors at scale**. End-to-end encryption for messages remained intact, but the **mass exposure of metadata and linked identities** created long-term surveillance and targeting risks.

WhatsApp (Meta)
Vulnerability
Severity: 85
Impact: 4
Seen: 6/2025
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: WhatsApp disclosed a zero-click exploit chain targeting specific users by combining a WhatsApp vulnerability (CVE-2025-55177) with an Apple Image I/O framework flaw (CVE-2025-43300). Attackers sent malicious messages to dozens of users, exploiting out-of-bounds memory writes in Apple’s image processing system and unauthorized WhatsApp message synchronization to compromise devices without user interaction. The attack allowed full device takeover, including access to messages, media, and other sensitive data. Affected users were advised to perform a factory reset, though residual malware risks persisted. The exploit leveraged a chained infection vector, primarily impacting iOS and Mac users, with Android devices potentially exposed via separate attack paths. WhatsApp patched the flaw in updates (iOS v2.25.21.73+, Mac v2.25.21.78+), but the incident highlighted the severity of zero-click threats in spyware campaigns, where no user action is required for compromise. Amnesty International linked the attack to advanced surveillance operations, emphasizing the risk to high-profile targets.

WhatsApp
Vulnerability
Severity: 100
Impact: 5
Seen: 3/2025
Rankiteo Explanation
Attack threatening the organization’s existence

Description: WhatsApp experienced a sophisticated cyber attack exploiting a zero-day vulnerability, leading to the unauthorized deployment of Graphite spyware against journalists and civil society members. While the attack did not result in a client-side update, affecting approximately 90 users internationally, it demonstrates the significant risks associated with spyware operations. The incident triggered a server-side fix and raised concerns about the potential for misuse of advanced surveillance tools sold to governments, highlighting the challenge of regulating spyware use and ensuring the protection of fundamental rights and freedoms.

WhatsApp
Vulnerability
Severity: 100
Impact: 4
Seen: 4/2025
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: A critical vulnerability identified in WhatsApp for Windows allows attackers to execute arbitrary code by sending seemingly harmless file attachments that exploit the application's handling of MIME types and file extensions. Designated as CVE-2025-30401, the high-severity flaw affects versions up to 2.2450.5 and has been rectified in version 2.2450.6. The spoofing vulnerability could deceive users into interacting with malicious attachments, leading to unauthorized execution of code and potential data theft. This issue also raises concerns in group chats where a single malicious attachment can compromise multiple users. Immediate updating to a patched version is urged.


Underwriter Stats for WhatsApp

Incidents vs Software Development Industry Average (This Year)

WhatsApp has 809.09% more incidents than the average of same-industry companies with at least one recorded incident.

Incidents vs All-Companies Average (This Year)

WhatsApp has 525.0% more incidents than the average of all companies with at least one recorded incident.

Incident Types WhatsApp vs Software Development Industry Avg (This Year)

WhatsApp reported 4 incidents this year: 0 cyber attacks, 0 ransomware, 4 vulnerabilities, 0 data breaches, compared to industry peers with at least 1 incident.

Incident History — WhatsApp (X = Date, Y = Severity)

WhatsApp cyber incidents detection timeline including parent company and subsidiaries


WhatsApp Similar Companies

bigbasket

Starting our journey in 2011, today, bigbasket - a Tata Enterprise is India’s largest online supermarket with over 13 million customers and a presence in 60+ cities & towns. With our presence spanning the entire spectrum of consumer needs, we operate through a range of business lines - bigbasket, bb

Just Eat Takeaway.com

Just Eat Takeaway.com is a leading global online delivery marketplace, connecting consumers and restaurants through our platform in 19 countries. Like a dinner table, working at JET brings our office employees and couriers together. From coding to customer service to couriers, JET is a

Cisco

Cisco is the worldwide technology leader that is revolutionizing the way organizations connect and protect in the AI era. For more than 40 years, Cisco has securely connected the world. With its industry leading AI-powered solutions and services, Cisco enables its customers, partners and communities

Intuit

Intuit is a global technology platform that helps our customers and communities overcome their most important financial challenges. Serving millions of customers worldwide with TurboTax, QuickBooks, Credit Karma and Mailchimp, we believe that everyone should have the opportunity to prosper and we wo

Meituan

Adhering to the ‘Retail + Technology’ strategy, Meituan commits to its mission that 'We help people eat better, live better'. Since its establishment in March 2010, Meituan has advanced the digital upgrading of services and goods retail on both supply and demand sides. Together with our partners we

ServiceNow (NYSE: NOW) makes the world work better for everyone. Our cloud-based platform and solutions help digitize and unify organizations so that they can find smarter, faster, better ways to make work flow. So employees and customers can be more connected, more innovative, and more agile. And w

Wolt is a Helsinki-based technology company with a mission to bring joy, simplicity and earnings to the neighborhoods of the world. Wolt develops a local commerce platform that connects people looking to order food, groceries, and other goods with people interested in selling and delivering them. Wo

About KPIT KPIT is reimagining the future of mobility, forging ahead with group companies and partners to shape a world that is cleaner, smarter, and safer. With over 25 years of specialized expertise in Mobility, KPIT is accelerating the transformation towards Software and AI-Defined Vehicles thr

Instagram

More than one billion people around the world use Instagram, and we’re proud to be bringing them closer to the people and things they love. Instagram inspires people to see the world differently, discover new interests, and express themselves. Since launching in 2010, our community has grown at a r


WhatsApp CyberSecurity News

November 27, 2025 09:11 AM
State-backed spyware attacks are targeting Signal and WhatsApp users, CISA warns

CISA, the US Cybersecurity and Infrastructure Security Agency, has issued a new warning that cybercriminals and state-backed hacking groups...

November 26, 2025 03:49 PM
Cyber Firm CTM360 Uncovers Large-Scale Scam Leveraging WhatsApp Web

Global 'HackOnChat' scam targets WhatsApp users via fake web portals and session hijacking, exposing how social engineering bypasses...

November 26, 2025 11:18 AM
CISA Alert: Advanced spyware targeting encrypted messaging apps including Whatsapp, Signal and so on - ET

For more than a decade, encrypted messaging platforms like Signal, WhatsApp, and Telegram have served as digital lifelines for...

November 25, 2025 05:55 PM
CISA Warns Threat Actors Are Using Commercial Spyware To Target Signal, Telegram & WhatsApp Users

November 25, 2025 05:28 PM
CISA warns spyware crews are breaking into Signal and WhatsApp accounts.

Encrypted messaging apps, including Signal and WhatsApp, are under siege, warns US Cybersecurity and Infrastructure Security Agency (CISA)

November 25, 2025 03:50 PM
Hackers Bypass Signal, Telegram And WhatsApp Encryption To Read Messages

How private and secure are your end-to-end encrypted instant messages? Not so much when Sturnus attacks.

November 25, 2025 01:27 PM
CISA Warns of Threat Actors Leveraging Commercial Spyware to Target Users of Signal and WhatsApp

Cybersecurity authorities have raised fresh alarms over the spread of advanced commercial spyware targeting secure messaging apps like...

November 25, 2025 11:32 AM
CISA warns spyware crews are breaking into Signal and WhatsApp accounts

CISA has warned that state-backed snoops and cyber-mercenaries are actively abusing commercial spyware to break into Signal and WhatsApp...

November 25, 2025 11:31 AM
CISA Issues Warning on Commercial Spyware Targeting Signal and WhatsApp Users

commercial spyware - The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a new alert warning that multiple cyber.


Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

WhatsApp CyberSecurity History Information

Official Website of WhatsApp

The official website of WhatsApp is http://www.whatsapp.com.

WhatsApp’s AI-Generated Cybersecurity Score

According to Rankiteo, WhatsApp’s AI-generated cybersecurity score is 681, reflecting their Weak security posture.

How many security badges does WhatsApp have?

According to Rankiteo, WhatsApp currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.

Does WhatsApp have SOC 2 Type 1 certification?

According to Rankiteo, WhatsApp is not certified under SOC 2 Type 1.

Does WhatsApp have SOC 2 Type 2 certification?

According to Rankiteo, WhatsApp does not hold a SOC 2 Type 2 certification.

Does WhatsApp comply with GDPR?

According to Rankiteo, WhatsApp is not listed as GDPR compliant.

Does WhatsApp have PCI DSS certification?

According to Rankiteo, WhatsApp does not currently maintain PCI DSS compliance.

Does WhatsApp comply with HIPAA?

According to Rankiteo, WhatsApp is not compliant with HIPAA regulations.

Does WhatsApp have ISO 27001 certification?

According to Rankiteo, WhatsApp is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.

Industry Classification of WhatsApp

WhatsApp operates primarily in the Software Development industry.

Number of Employees at WhatsApp

WhatsApp employs approximately 3,264 people worldwide.

Subsidiaries Owned by WhatsApp

WhatsApp presently has no subsidiaries across any sectors.

WhatsApp’s LinkedIn Followers

WhatsApp’s official LinkedIn profile has approximately 321,537 followers.

NAICS Classification of WhatsApp

WhatsApp is classified under the NAICS code 5112, which corresponds to Software Publishers.

WhatsApp’s Presence on Crunchbase

Yes, WhatsApp has an official profile on Crunchbase, which can be accessed here: https://www.crunchbase.com/organization/whatsapp.

WhatsApp’s Presence on LinkedIn

Yes, WhatsApp maintains an official LinkedIn profile, which is actively used for branding and talent engagement and can be accessed here: https://www.linkedin.com/company/whatsapp..

Cybersecurity Incidents Involving WhatsApp

As of November 27, 2025, Rankiteo reports that WhatsApp has experienced 7 cybersecurity incidents.

Number of Peer and Competitor Companies

WhatsApp has an estimated 26,613 peer or competitor companies worldwide.

What types of cybersecurity incidents have occurred at WhatsApp?

Incident Types: The types of cybersecurity incidents that have occurred include Data Leak, Breach and Vulnerability.

How does WhatsApp detect and respond to cybersecurity incidents?

Detection and Response: The company detects and responds to cybersecurity incidents through the following measures:
  • Remediation measures: server-side fix
  • Remediation measures: patch applied in version 2.2450.6
  • Communication strategy: urging immediate update to patched version
  • Third-party assistance: Amnesty International Security Lab (investigation)
  • Containment measures: WhatsApp server-side patches to block exploit; user notifications with mitigation steps
  • Remediation measures: WhatsApp app updates (iOS v2.25.21.73+, Mac v2.25.21.78+); Apple security updates for Image I/O framework; factory reset recommendation for affected users
  • Recovery measures: device updates (OS and WhatsApp); security feature enablement (e.g., Google Advanced Protection for Android)
  • Communication strategy: direct notifications to affected users; public advisory via blog/press; collaboration with Amnesty International for technical details
  • Third-party assistance: Amnesty International Security Lab; University of Toronto's Citizen Lab
  • Containment measures: patching vulnerable WhatsApp versions (iOS/macOS); disrupting Paragon's Graphite spyware campaign
  • Remediation measures: user notifications; factory reset recommendations; OS/software update advisories
  • Communication strategy: direct alerts to targeted users; public security advisory; media statements
  • Incident response plan activated: yes (collaboration with researchers)
  • Third-party assistance: University of Vienna security researchers
  • Containment measures: cardinality-based rate limiting using probabilistic data structures; restricted access to profile pictures and status messages (even if set to public); removed timestamps from profile picture queries
  • Remediation measures: fixed key reuse vulnerability in Android clients; enhanced API protections against bulk enumeration
  • Communication strategy: public disclosure with mitigation details; emphasized end-to-end encryption remains intact
  • Enhanced monitoring: likely (implied by rate-limiting fixes)

Incident Details

Can you provide details on each incident?

Incident : Data Breach

Title: WhatsApp User Data Breach

Description: A well-known hacking community forum was selling a 2022 database of 487 million WhatsApp user mobile numbers. The dataset allegedly contained WhatsApp user data from 84 countries including over 32 million US user records. It also contained another huge chunk of phone numbers belonging to the citizens of Egypt (45 million), Italy (35 million), Saudi Arabia (29 million), France (20 million), and Turkey (20 million).

Type: Data Breach

Attack Vector: Data Exfiltration

Motivation: Financial Gain

Incident : Data Leak

Title: WhatsApp Data Leak Incident

Description: A bug on WhatsApp's platform resulted in the phone numbers of millions of users being published on Google. Mobile numbers of approximately 29,000 to 30,000 users were appearing in text format on Google due to the bug.

Type: Data Leak

Attack Vector: Bug in Platform

Vulnerability Exploited: Bug

Incident : Spyware Attack

Title: WhatsApp Zero-Day Vulnerability Exploited for Spyware Deployment

Description: WhatsApp experienced a sophisticated cyber attack exploiting a zero-day vulnerability, leading to the unauthorized deployment of Graphite spyware against journalists and civil society members. While the attack did not result in a client-side update, affecting approximately 90 users internationally, it demonstrates the significant risks associated with spyware operations. The incident triggered a server-side fix and raised concerns about the potential for misuse of advanced surveillance tools sold to governments, highlighting the challenge of regulating spyware use and ensuring the protection of fundamental rights and freedoms.

Type: Spyware Attack

Attack Vector: Zero-Day Vulnerability

Vulnerability Exploited: Zero-Day Vulnerability

Motivation: Surveillance

Incident : Vulnerability Exploitation

Title: WhatsApp for Windows Vulnerability

Description: A critical vulnerability identified in WhatsApp for Windows allows attackers to execute arbitrary code by sending seemingly harmless file attachments that exploit the application's handling of MIME types and file extensions. Designated as CVE-2025-30401, the high-severity flaw affects versions up to 2.2450.5 and has been rectified in version 2.2450.6. The spoofing vulnerability could deceive users into interacting with malicious attachments, leading to unauthorized execution of code and potential data theft. This issue also raises concerns in group chats where a single malicious attachment can compromise multiple users. Immediate updating to a patched version is urged.

Type: Vulnerability Exploitation

Attack Vector: File Attachment Spoofing

Vulnerability Exploited: CVE-2025-30401

Incident : Zero-click exploit

Title: WhatsApp Zero-Click Exploit Chain Targeting iOS and Android Users via Malicious Messages

Description: WhatsApp patched a vulnerability (CVE-2025-55177) exploited in conjunction with an Apple Image I/O framework vulnerability (CVE-2025-43300) to compromise devices via zero-click attacks. Attackers sent malicious messages to dozens of users, leveraging an out-of-bounds write flaw in Apple’s Image I/O and a WhatsApp synchronization message authorization bypass. Affected users were advised to perform a factory reset and update their devices. The attack targeted both iPhone and Android users, though the most severe zero-click risk applied primarily to Apple devices.

Type: Zero-click exploit

Attack Vector: Malicious message (WhatsApp); Exploit chaining (Apple Image I/O + WhatsApp sync flaw); Zero-click (no user interaction required)

Incident : Zero-day exploit

Title: WhatsApp Zero-Day Vulnerability (CVE-2025-55177) Exploited in Targeted Spyware Attacks

Description: WhatsApp patched a zero-click security vulnerability (CVE-2025-55177) in its iOS and macOS clients, exploited in targeted attacks. The flaw, combined with an Apple OS-level zero-day (CVE-2025-43300), enabled sophisticated spyware campaigns. WhatsApp warned select users of potential compromise via advanced spyware (e.g., Paragon's Graphite) and advised factory resets. The attack leveraged incomplete authorization in linked device synchronization to process arbitrary URLs on targets' devices.

Date Publicly Disclosed: 2025-09-20

Date Resolved: 2025-09-20

Type: Zero-day exploit

Attack Vector: Zero-click exploit; Linked device synchronization vulnerability; Arbitrary URL processing

Vulnerability Exploited: CVE-2025-55177 (WhatsApp incomplete authorization); CVE-2025-43300 (Apple OS-level zero-day)

Threat Actor: Paragon (suspected); Advanced persistent threat (APT) actors

Motivation: Espionage; Targeted surveillance

Incident : Privacy Violation

Title: Critical WhatsApp Vulnerability Exposes 3.5 Billion User Phone Numbers and Profile Data

Description: Security researchers from the University of Vienna uncovered a critical vulnerability in WhatsApp’s contact discovery mechanism, allowing them to enumerate phone numbers of 3.5 billion users worldwide. The flaw stemmed from weak rate-limiting protections, enabling researchers to probe over 100 million phone numbers per hour. Beyond phone numbers, the vulnerability exposed public profile pictures, status messages, business account information, device details, encryption keys, and timestamps. Researchers successfully downloaded 77 million public profile pictures from US accounts, with 66% containing detectable human faces. The data could enable facial recognition-based lookup services, posing risks like spam, phishing, and surveillance—especially in countries where WhatsApp is banned (e.g., 2.3M active accounts in China, 1.6M in Myanmar, 59M in Iran). WhatsApp implemented countermeasures after responsible disclosure, including cardinality-based rate limiting and restricting access to public profile data.

Date Detected: 2024-12-01

Date Publicly Disclosed: 2025-04-01

Date Resolved: 2025-04-01

Type: Privacy Violation

Attack Vector: API Abuse; Weak Rate Limiting; Reverse-Engineered APIs

Vulnerability Exploited: Contact Discovery Mechanism Flaw; Cardinality-Based Rate Limiting Bypass; Key Reuse Vulnerability (Android)

Threat Actor: University of Vienna Security Researchers (Ethical Disclosure)

Motivation: Academic Research / Responsible Disclosure

What are the most common types of attacks the company has faced ?

Common Attack Types: The most common type of attack the company has faced is Vulnerability.

How does the company identify the attack vectors used in incidents ?

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Malicious WhatsApp message (zero-click) and Linked device synchronization messages (WhatsApp vulnerability).

Impact of the Incidents

What was the impact of each incident ?

Incident : Data Breach WHA2315251122

Data Compromised: Mobile numbers

Incident : Data Leak WHA21136123

Data Compromised: Phone numbers

Incident : Spyware Attack WHA443032025

Systems Affected: WhatsApp

Incident : Vulnerability Exploitation WHA623040825

Data Compromised: Potential data theft

Systems Affected: WhatsApp for Windows

Incident : Zero-click exploit WHA810090225

Data Compromised: Messages, Device data (potential full access)

Systems Affected: iOS devices; Mac devices; Android devices (limited scope)

Operational Impact: Potential full device compromise, including spyware installation

Brand Reputation Impact: Moderate (proactive disclosure and mitigation may limit damage)

Identity Theft Risk: High (if spyware installed)

Payment Information Risk: Potential (if device fully compromised)

Incident : Zero-day exploit WHA28105328090725

Data Compromised: Potential device compromise, Spyware installation (e.g., Graphite)

Systems Affected: WhatsApp for iOS (<2.25.21.73); WhatsApp Business for iOS (<2.25.21.78); WhatsApp for Mac (<2.25.21.78); Apple iOS/macOS (via CVE-2025-43300)

Operational Impact: User notifications; Factory reset recommendations; Ongoing risk of device compromise

Brand Reputation Impact: Potential erosion of trust due to targeted spyware attacks

Identity Theft Risk: High (via spyware capabilities)

Incident : Privacy Violation WHA2002220112025

Data Compromised: Phone numbers (3.5 billion), Public profile pictures (77 million from US accounts), Status messages, Business account information, Device details, Encryption keys, Timestamps, Facial recognition data (66% of profile pictures contained detectable faces)

Systems Affected: WhatsApp Contact Discovery API; WhatsApp Android Clients (Key Reuse Vulnerability)

Operational Impact: High (Potential for spam, phishing, robocalls, and surveillance risks)

Brand Reputation Impact: Moderate (Privacy concerns raised, but proactive mitigation by WhatsApp)

Identity Theft Risk: High (Facial recognition + phone number linkage)

What types of data are most commonly compromised in incidents ?

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Mobile Numbers, Phone Numbers, Messages, Device-Stored Data (Potential Full Access), Device Metadata, Potential Communications (Via Spyware), User Activity, Profile Pictures, Status Messages, Business Account Info, Device Details, Encryption Keys, Timestamps and Facial Recognition Data.

Which entities were affected by each incident ?

Incident : Data Breach WHA2315251122

Entity Name: WhatsApp

Entity Type: Social Media Platform

Industry: Technology

Location: Global

Customers Affected: 84 countries including over 32 million US user records, 45 million from Egypt, 35 million from Italy, 29 million from Saudi Arabia, 20 million from France, and 20 million from Turkey

Incident : Data Leak WHA21136123

Entity Name: WhatsApp

Entity Type: Company

Industry: Technology

Customers Affected: 30,000 users

Incident : Spyware Attack WHA443032025

Entity Name: WhatsApp

Entity Type: Messaging Platform

Industry: Technology

Location: Global

Customers Affected: 90

Incident : Vulnerability Exploitation WHA623040825

Entity Name: WhatsApp

Entity Type: Application

Industry: Technology

Incident : Zero-click exploit WHA810090225

Entity Name: WhatsApp (Meta)

Entity Type: Messaging platform

Industry: Technology/Social Media

Location: Global

Customers Affected: Dozens of targeted users (exact number undisclosed)

Incident : Zero-click exploit WHA810090225

Entity Name: Apple Inc.

Entity Type: Technology company

Industry: Consumer Electronics/Software

Location: Global

Customers Affected: iOS and Mac users with unpatched devices

Incident : Zero-day exploit WHA28105328090725

Entity Name: WhatsApp (Meta Platforms, Inc.)

Entity Type: Technology company

Industry: Messaging/Communication

Location: Global

Size: Large (2+ billion users)

Customers Affected: Targeted users (journalists, civil society members, high-risk individuals)

Incident : Privacy Violation WHA2002220112025

Entity Name: WhatsApp (Meta Platforms, Inc.)

Entity Type: Messaging Platform

Industry: Technology / Social Media

Location: Global

Size: 3.5 billion users

Customers Affected: 3.5 billion (all users with phone numbers exposed; 77 million US profile pictures downloaded)

Incident : Privacy Violation WHA2002220112025

Entity Name: Users in Restricted Regions

Entity Type: Individuals

Location: China (2.3M accounts); Myanmar (1.6M accounts); Iran (59M accounts)

Customers Affected: 62.9 million (potential surveillance/legal risks)

Response to the Incidents

What measures were taken in response to each incident ?

Incident : Spyware Attack WHA443032025

Remediation Measures: Server-side fix

Incident : Vulnerability Exploitation WHA623040825

Remediation Measures: Patch applied in version 2.2450.6

Communication Strategy: Urging immediate update to patched version

Incident : Zero-click exploit WHA810090225

Incident Response Plan Activated: True

Third Party Assistance: Amnesty International Security Lab (Investigation).

Containment Measures: WhatsApp server-side patches to block exploit; User notifications with mitigation steps

Remediation Measures: WhatsApp app updates (iOS v2.25.21.73+, Mac v2.25.21.78+); Apple security updates for Image I/O framework; Factory reset recommendation for affected users

Recovery Measures: Device updates (OS and WhatsApp); Security feature enablement (e.g., Google Advanced Protection for Android)

Communication Strategy: Direct notifications to affected users; Public advisory via blog/press; Collaboration with Amnesty International for technical details

Incident : Zero-day exploit WHA28105328090725

Incident Response Plan Activated: True

Third Party Assistance: Amnesty International Security Lab, University of Toronto's Citizen Lab.

Containment Measures: Patching vulnerable WhatsApp versions (iOS/macOS); Disrupting Paragon's Graphite spyware campaign

Remediation Measures: User notifications; Factory reset recommendations; OS/software update advisories

Communication Strategy: Direct alerts to targeted users; Public security advisory; Media statements

Incident : Privacy Violation WHA2002220112025

Incident Response Plan Activated: Yes (Collaboration with researchers)

Third Party Assistance: University of Vienna Security Researchers

Containment Measures: Cardinality-based rate limiting using probabilistic data structures; Restricted access to profile pictures and status messages (even if set to public); Removed timestamps from profile picture queries

Remediation Measures: Fixed key reuse vulnerability in Android clients; Enhanced API protections against bulk enumeration

Communication Strategy: Public disclosure with mitigation details; emphasized end-to-end encryption remains intact

Enhanced Monitoring: Likely (implied by rate-limiting fixes)

What is the company's incident response plan?

Incident Response Plan: The company's incident response plan is described as Yes (Collaboration with researchers).

How does the company involve third-party assistance in incident response ?

Third-Party Assistance: The company involves third-party assistance in incident response through Amnesty International Security Lab (investigation), University of Toronto's Citizen Lab, and University of Vienna Security Researchers.

Data Breach Information

What type of data was compromised in each breach ?

Incident : Data Breach WHA2315251122

Type of Data Compromised: Mobile Numbers

Number of Records Exposed: 487 million

Incident : Data Leak WHA21136123

Type of Data Compromised: Phone numbers

Number of Records Exposed: 29,000 to 30,000

Incident : Zero-click exploit WHA810090225

Type of Data Compromised: Messages, Device-stored data (potential full access)

Sensitivity of Data: High (personal messages, potentially sensitive device data)

Data Exfiltration: Likely (spyware installation implied)

File Types Exposed: Image files (malicious payload); Potentially all device-stored files

Personally Identifiable Information: High risk (if device compromised)

Incident : Zero-day exploit WHA28105328090725

Type of Data Compromised: Device metadata, Potential communications (via spyware), User activity

Sensitivity of Data: High (spyware capable of exfiltrating sensitive user data)

Incident : Privacy Violation WHA2002220112025

Type of Data Compromised: Phone numbers, Profile pictures, Status messages, Business account info, Device details, Encryption keys, Timestamps, Facial recognition data

Number of Records Exposed: 3.5 billion (phone numbers); 77 million (US profile pictures)

Sensitivity of Data: High (PII + facial recognition risks)

Data Exfiltration: Yes (researchers downloaded data for analysis)

Data Encryption: End-to-end encryption for messages remained intact; encryption keys for accounts were exposed

File Types Exposed: JPEG/PNG (profile pictures); Text (status messages, business info)

Personally Identifiable Information: Yes (phone numbers + facial data)

What measures does the company take to prevent data exfiltration ?

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Server-side fix; Patch applied in version 2.2450.6; WhatsApp app updates (iOS v2.25.21.73+, Mac v2.25.21.78+); Apple security updates for Image I/O framework; Factory reset recommendation for affected users; User notifications; Factory reset recommendations; OS/software update advisories; Fixed key reuse vulnerability in Android clients; Enhanced API protections against bulk enumeration.

How does the company handle incidents involving personally identifiable information (PII) ?

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through WhatsApp server-side patches to block exploit; user notifications with mitigation steps; patching vulnerable WhatsApp versions (iOS/macOS); disrupting Paragon's Graphite spyware campaign; cardinality-based rate limiting using probabilistic data structures; restricted access to profile pictures and status messages (even if set to public); and removed timestamps from profile picture queries.

Ransomware Information

Was ransomware involved in any of the incidents ?

Incident : Zero-day exploit WHA28105328090725

Data Exfiltration: True

How does the company recover data encrypted by ransomware ?

Data Recovery from Ransomware: The company recovers data encrypted by ransomware through Device updates (OS and WhatsApp) and Security feature enablement (e.g., Google Advanced Protection for Android).

Lessons Learned and Recommendations

What lessons were learned from each incident ?

Incident : Spyware Attack WHA443032025

Lessons Learned: The incident highlights the significant risks associated with spyware operations and the challenge of regulating spyware use to protect fundamental rights and freedoms.

Incident : Zero-click exploit WHA810090225

Lessons Learned: Zero-click exploits pose severe risks even to fully patched systems when chained with other vulnerabilities., Cross-platform vulnerabilities (e.g., Apple Image I/O) can amplify attack surfaces for apps like WhatsApp., Proactive user notification and clear mitigation steps are critical for limiting damage from targeted attacks.

Incident : Zero-day exploit WHA28105328090725

Lessons Learned: Zero-click vulnerabilities in messaging apps remain high-value targets for APT groups., Cross-platform vulnerabilities (e.g., WhatsApp + Apple OS) amplify attack impact., Proactive user notifications and remediation guidance are critical for targeted attacks.

Incident : Privacy Violation WHA2002220112025

Lessons Learned: Centralized messaging platforms face inherent privacy risks when convenience features (e.g., contact discovery) lack abuse protections at scale., Weak rate limiting can enable mass enumeration attacks, exposing billions of records., Publicly accessible data (e.g., profile pictures) can become high-risk when combined with other exposed attributes (e.g., phone numbers)., Data breaches have long-term impacts; 50% of phone numbers from a 2021 leak remained active on WhatsApp in 2025., Facial recognition risks emerge when profile pictures are linked to identifiers like phone numbers.

What recommendations were made to prevent future incidents ?

Incident : Zero-click exploit WHA810090225

Recommendations: Immediately update WhatsApp and device OS to the latest versions. Perform a factory reset if notified by WhatsApp of potential compromise. Enable advanced security features (e.g., Google Advanced Protection for Android). Use mobile security solutions (e.g., Malwarebytes) for additional protection. Monitor for unusual device behavior (e.g., battery drain, data usage spikes). Organizations should audit third-party app dependencies (e.g., Image I/O framework) for shared vulnerabilities.

Incident : Zero-day exploit WHA28105328090725

Recommendations: Implement stricter authorization controls for linked device synchronization. Enhance collaboration with OS vendors (e.g., Apple) to mitigate cross-platform risks. Expand threat intelligence sharing with civil society organizations (e.g., Citizen Lab, Amnesty International). Accelerate patch deployment for zero-day vulnerabilities in widely used applications.

Incident : Privacy Violation WHA2002220112025

Recommendations: Implement stricter rate limiting with probabilistic data structures (e.g., Bloom filters) to prevent enumeration attacks. Restrict default visibility of profile pictures/status messages, even for 'public' settings. Audit third-party API access and contact discovery mechanisms for abuse potential. Enhance user education on privacy settings and risks of public profile data. Monitor for secondary risks (e.g., phishing, spam) stemming from exposed data. Conduct regular red-team exercises to test for large-scale data exposure vectors.

What are the key lessons learned from past incidents ?

Key Lessons Learned: The key lessons learned from past incidents are: The incident highlights the significant risks associated with spyware operations and the challenge of regulating spyware use to protect fundamental rights and freedoms. Zero-click exploits pose severe risks even to fully patched systems when chained with other vulnerabilities. Cross-platform vulnerabilities (e.g., Apple Image I/O) can amplify attack surfaces for apps like WhatsApp. Proactive user notification and clear mitigation steps are critical for limiting damage from targeted attacks. Zero-click vulnerabilities in messaging apps remain high-value targets for APT groups. Cross-platform vulnerabilities (e.g., WhatsApp + Apple OS) amplify attack impact. Proactive user notifications and remediation guidance are critical for targeted attacks. Centralized messaging platforms face inherent privacy risks when convenience features (e.g., contact discovery) lack abuse protections at scale. Weak rate limiting can enable mass enumeration attacks, exposing billions of records. Publicly accessible data (e.g., profile pictures) can become high-risk when combined with other exposed attributes (e.g., phone numbers). Data breaches have long-term impacts; 50% of phone numbers from a 2021 leak remained active on WhatsApp in 2025. Facial recognition risks emerge when profile pictures are linked to identifiers like phone numbers.

What recommendations has the company implemented to improve cybersecurity ?

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Enhance user education on privacy settings and risks of public profile data. Monitor for secondary risks (e.g., phishing, spam) stemming from exposed data. Audit third-party API access and contact discovery mechanisms for abuse potential. Implement stricter rate limiting with probabilistic data structures (e.g., Bloom filters) to prevent enumeration attacks. Conduct regular red-team exercises to test for large-scale data exposure vectors. Restrict default visibility of profile pictures/status messages, even for 'public' settings.

References

Where can I find more information about each incident ?

Incident : Zero-click exploit WHA810090225

Source: WhatsApp Security Advisory

Incident : Zero-click exploit WHA810090225

Source: Apple Security Update (CVE-2025-43300)

Incident : Zero-click exploit WHA810090225

Source: Amnesty International Security Lab

Incident : Zero-click exploit WHA810090225

Source: Malwarebytes Blog (Mitigation Guidance)

Incident : Zero-day exploit WHA28105328090725

Source: WhatsApp Security Advisory (CVE-2025-55177)

URL: https://www.whatsapp.com/security/advisories/2025

Date Accessed: 2025-09-20

Incident : Zero-day exploit WHA28105328090725

Source: BleepingComputer - WhatsApp patches zero-day used in Paragon spyware attacks

URL: https://www.bleepingcomputer.com/news/security/whatsapp-patches-zero-day-used-in-paragon-spyware-attacks/

Date Accessed: 2025-09-20

Incident : Zero-day exploit WHA28105328090725

Source: Amnesty International Security Lab Statement

URL: https://www.amnesty.org/en/latest/news/2025/09/whatsapp-spyware-campaign-targets-journalists/

Date Accessed: 2025-09-20

Incident : Zero-day exploit WHA28105328090725

Source: Apple Security Updates (CVE-2025-43300)

URL: https://support.apple.com/en-us/HT214023

Date Accessed: 2025-09-15

Incident : Privacy Violation WHA2002220112025

Source: University of Vienna Security Research Team

Incident : Privacy Violation WHA2002220112025

Source: WhatsApp Security Advisory (2025)

Incident : Privacy Violation WHA2002220112025

Source: Comparison with 2021 Facebook Data Leak

Where can stakeholders find additional resources on cybersecurity best practices ?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at: WhatsApp Security Advisory; Apple Security Update (CVE-2025-43300); Amnesty International Security Lab; Malwarebytes Blog (Mitigation Guidance); WhatsApp Security Advisory (CVE-2025-55177), https://www.whatsapp.com/security/advisories/2025 (accessed 2025-09-20); BleepingComputer - WhatsApp patches zero-day used in Paragon spyware attacks, https://www.bleepingcomputer.com/news/security/whatsapp-patches-zero-day-used-in-paragon-spyware-attacks/ (accessed 2025-09-20); Amnesty International Security Lab Statement, https://www.amnesty.org/en/latest/news/2025/09/whatsapp-spyware-campaign-targets-journalists/ (accessed 2025-09-20); Apple Security Updates (CVE-2025-43300), https://support.apple.com/en-us/HT214023 (accessed 2025-09-15); University of Vienna Security Research Team; WhatsApp Security Advisory (2025); Comparison with 2021 Facebook Data Leak.

Investigation Status

What is the current status of the investigation for each incident ?

Incident : Zero-click exploit WHA810090225

Investigation Status: Ongoing (WhatsApp and Amnesty International collaboration)

Incident : Zero-day exploit WHA28105328090725

Investigation Status: Ongoing (limited details disclosed; collaboration with Apple and third-party researchers)

Incident : Privacy Violation WHA2002220112025

Investigation Status: Completed (Vulnerability patched; research published)

How does the company communicate the status of incident investigations to stakeholders ?

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through: urging immediate update to patched version; direct notifications to affected users; public advisory via blog/press; collaboration with Amnesty International for technical details; direct alerts to targeted users; public security advisory; media statements; and public disclosure with mitigation details, emphasizing that end-to-end encryption remains intact.

Stakeholder and Customer Advisories

Were there any advisories issued to stakeholders or customers for each incident ?

Incident : Zero-click exploit WHA810090225

Stakeholder Advisories: Direct notifications to affected users with factory reset instructions. Public guidance on updating devices and apps.

Customer Advisories: Factory reset recommendation for potentially compromised devices. Urgent update prompts for WhatsApp and device OS. Security best practices (e.g., enabling advanced protection features).

Incident : Zero-day exploit WHA28105328090725

Stakeholder Advisories: Targeted users notified via in-app alerts with remediation steps. Public advisory urging updates to WhatsApp and device OS.

Customer Advisories: Factory reset recommended for potentially compromised devices. Keep WhatsApp and device OS updated to latest versions. Monitor for unusual device behavior (indicative of spyware).

Incident : Privacy Violation WHA2002220112025

Stakeholder Advisories: WhatsApp notified users via blog post and in-app notifications about privacy enhancements.

Customer Advisories: Users advised to review privacy settings and limit public profile data.

What advisories does the company provide to stakeholders and customers following an incident ?

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: Direct notifications to affected users with factory reset instructions. Public guidance on updating devices and apps. Factory reset recommendation for potentially compromised devices. Urgent update prompts for WhatsApp and device OS. Security best practices (e.g., enabling advanced protection features). Targeted users notified via in-app alerts with remediation steps. Public advisory urging updates to WhatsApp and device OS. Factory reset recommended for potentially compromised devices. Keep WhatsApp and device OS updated to latest versions. Monitor for unusual device behavior (indicative of spyware). WhatsApp notified users via blog post and in-app notifications about privacy enhancements. Users advised to review privacy settings and limit public profile data.

Initial Access Broker

How did the initial access broker gain entry for each incident ?

Incident : Spyware Attack WHA443032025

High Value Targets: Journalists, Civil Society Members

Data Sold on Dark Web: Journalists, Civil Society Members

Incident : Zero-click exploit WHA810090225

Entry Point: Malicious WhatsApp message (zero-click)

Backdoors Established: Likely (spyware implantation implied)

High Value Targets: Dozens of specific users (targeted attack)

Data Sold on Dark Web: Dozens of specific users (targeted attack)

Incident : Zero-day exploit WHA28105328090725

Entry Point: Linked device synchronization messages (WhatsApp vulnerability)

Backdoors Established: Paragon Graphite spyware (suspected)

High Value Targets: Journalists, Civil Society Members, Activists

Data Sold on Dark Web: Journalists, Civil Society Members, Activists

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident ?

Incident : Data Leak WHA21136123

Root Causes: Bug in WhatsApp's platform

Incident : Spyware Attack WHA443032025

Root Causes: Zero-Day Vulnerability

Corrective Actions: Server-side fix

Incident : Zero-click exploit WHA810090225

Root Causes: Insufficient bounds checking in Apple Image I/O framework (CVE-2025-43300); incomplete authorization for WhatsApp linked device synchronization (CVE-2025-55177); exploit chaining enabled zero-click compromise without user interaction.

Corrective Actions: Apple: tightened memory bounds checking in Image I/O framework; WhatsApp: patched synchronization message authorization and updated client apps; user guidance: factory reset and update enforcement.

Incident : Zero-day exploit WHA28105328090725

Root Causes: Incomplete authorization in WhatsApp's linked device synchronization; lack of user interaction requirements for exploit execution (zero-click); cross-platform dependency risks (WhatsApp + Apple OS vulnerabilities).

Corrective Actions: Patched WhatsApp iOS/macOS clients to version 2.25.21.73+; enhanced monitoring for linked device synchronization abuses; collaboration with Apple to address OS-level zero-day (CVE-2025-43300); proactive user notifications for targeted individuals.

Incident : Privacy Violation WHA2002220112025

Root Causes: Inadequate rate limiting in contact discovery API; over-permissive access to public profile data (pictures, statuses, timestamps); lack of cardinality-based protections against bulk queries; key reuse vulnerability in Android clients.

Corrective Actions: Deployed probabilistic rate limiting (e.g., Bloom filters) to prevent enumeration; restricted public access to profile pictures/status messages; removed timestamps from profile picture queries to limit metadata exposure; patched Android key reuse vulnerability; enhanced API monitoring for abusive queries.

What is the company's process for conducting post-incident analysis ?

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as: Amnesty International Security Lab (investigation); Amnesty International Security Lab, University of Toronto's Citizen Lab; University of Vienna Security Researchers; likely (implied by rate-limiting fixes).

What corrective actions has the company taken based on post-incident analysis ?

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: server-side fix; Apple: tightened memory bounds checking in Image I/O framework; WhatsApp: patched synchronization message authorization and updated client apps; user guidance: factory reset and update enforcement; patched WhatsApp iOS/macOS clients to version 2.25.21.73+; enhanced monitoring for linked device synchronization abuses; collaboration with Apple to address OS-level zero-day (CVE-2025-43300); proactive user notifications for targeted individuals; deployed probabilistic rate limiting (e.g., Bloom filters) to prevent enumeration; restricted public access to profile pictures/status messages; removed timestamps from profile picture queries to limit metadata exposure; patched Android key reuse vulnerability; enhanced API monitoring for abusive queries.

Additional Questions

General Information

Who was the attacking group in the last incident ?

Last Attacking Group: The attacking groups in the last incident were Paragon (suspected); advanced persistent threat (APT) actors; and University of Vienna Security Researchers (Ethical Disclosure).

Incident Details

What was the most recent incident detected ?

Most Recent Incident Detected: The most recent incident detected was on 2024-12-01.

What was the most recent incident publicly disclosed ?

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-04-01.

What was the most recent incident resolved ?

Most Recent Incident Resolved: The most recent incident resolved was on 2025-09-20.

Impact of the Incidents

What was the most significant data compromised in an incident ?

Most Significant Data Compromised: The most significant data compromised in an incident were Mobile Numbers; Phone Numbers; Potential data theft, Messages, Device data (potential full access); Potential device compromise, Spyware installation (e.g., Graphite); and Phone Numbers (3.5 billion), Public Profile Pictures (77 million from US accounts), Status Messages, Business Account Information, Device Details, Encryption Keys, Timestamps, Facial Recognition Data (66% of profile pictures contained detectable faces).

What was the most significant system affected in an incident ?

Most Significant System Affected: The most significant systems affected in an incident were iOS devices, Mac devices, Android devices (limited scope); WhatsApp for iOS (<2.25.21.73), WhatsApp Business for iOS (<2.25.21.78), WhatsApp for Mac (<2.25.21.78), Apple iOS/macOS (via CVE-2025-43300); and WhatsApp Contact Discovery API, WhatsApp Android Clients (Key Reuse Vulnerability).

Response to the Incidents

What third-party assistance was involved in the most recent incident ?

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was Amnesty International Security Lab (investigation); Amnesty International Security Lab, University of Toronto's Citizen Lab; University of Vienna Security Researchers.

What containment measures were taken in the most recent incident ?

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were WhatsApp server-side patches to block exploit, user notifications with mitigation steps; patching vulnerable WhatsApp versions (iOS/macOS), disrupting Paragon's Graphite spyware campaign; and cardinality-based rate limiting using probabilistic data structures, restricted access to profile pictures and status messages (even if set to public), removed timestamps from profile picture queries.

Data Breach Information

What was the most sensitive data compromised in a breach ?

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Phone Numbers, Potential device compromise, Device data (potential full access), Public Profile Pictures (77 million from US accounts), Business Account Information, Spyware installation (e.g., Graphite), Mobile Numbers, Status Messages, Device Details, Timestamps, Phone Numbers (3.5 billion), Encryption Keys, Potential data theft, Messages and Facial Recognition Data (66% of profile pictures contained detectable faces).

What was the number of records exposed in the most significant breach ?

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 4.1B.

Lessons Learned and Recommendations

What was the most significant lesson learned from past incidents ?

Most Significant Lesson Learned: The most significant lesson learned from past incidents was that facial recognition risks emerge when profile pictures are linked to identifiers like phone numbers.

What was the most significant recommendation implemented to improve cybersecurity ?

Most Significant Recommendation Implemented: The most significant recommendations implemented to improve cybersecurity were: enhance user education on privacy settings and risks of public profile data; enable advanced security features (e.g., Google Advanced Protection for Android); monitor for unusual device behavior (e.g., battery drain, data usage spikes); organizations should audit third-party app dependencies (e.g., Image I/O framework) for shared vulnerabilities; use mobile security solutions (e.g., Malwarebytes) for additional protection; expand threat intelligence sharing with civil society organizations (e.g., Citizen Lab, Amnesty International); monitor for secondary risks (e.g., phishing, spam) stemming from exposed data; implement stricter authorization controls for linked device synchronization; audit third-party API access and contact discovery mechanisms for abuse potential; implement stricter rate limiting with probabilistic data structures (e.g., Bloom filters) to prevent enumeration attacks; perform a factory reset if notified by WhatsApp of potential compromise; enhance collaboration with OS vendors (e.g., Apple) to mitigate cross-platform risks; conduct regular red-team exercises to test for large-scale data exposure vectors; accelerate patch deployment for zero-day vulnerabilities in widely used applications; immediately update WhatsApp and device OS to the latest versions; restrict default visibility of profile pictures/status messages, even for 'public' settings.

References

What is the most recent source of information about an incident ?

Most Recent Source: The most recent sources of information about an incident are WhatsApp Security Advisory, Amnesty International Security Lab, WhatsApp Security Advisory (2025), University of Vienna Security Research Team, Malwarebytes Blog (Mitigation Guidance), Comparison with 2021 Facebook Data Leak, Amnesty International Security Lab Statement, BleepingComputer - WhatsApp patches zero-day used in Paragon spyware attacks, WhatsApp Security Advisory (CVE-2025-55177), Apple Security Updates (CVE-2025-43300) and Apple Security Update (CVE-2025-43300).

What is the most recent URL for additional resources on cybersecurity best practices ?

Most Recent URL for Additional Resources: The most recent URLs for additional resources on cybersecurity best practices are https://www.whatsapp.com/security/advisories/2025, https://www.bleepingcomputer.com/news/security/whatsapp-patches-zero-day-used-in-paragon-spyware-attacks/, https://www.amnesty.org/en/latest/news/2025/09/whatsapp-spyware-campaign-targets-journalists/ and https://support.apple.com/en-us/HT214023.

Investigation Status

What is the current status of the most recent investigation ?

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (WhatsApp and Amnesty International collaboration).

Stakeholder and Customer Advisories

What was the most recent stakeholder advisory issued ?

Most Recent Stakeholder Advisory: The most recent stakeholder advisories issued were: direct notifications to affected users with factory reset instructions; public guidance on updating devices and apps; targeted users notified via in-app alerts with remediation steps; public advisory urging updates to WhatsApp and device OS; WhatsApp notified users via blog post and in-app notifications about privacy enhancements.

What was the most recent customer advisory issued ?

Most Recent Customer Advisory: The most recent customer advisories issued were: factory reset recommendation for potentially compromised devices; urgent update prompts for WhatsApp and device OS; security best practices (e.g., enabling advanced protection features); factory reset recommended for potentially compromised devices; keep WhatsApp and device OS updated to latest versions; monitor for unusual device behavior (indicative of spyware); and users advised to review privacy settings and limit public profile data.

Initial Access Broker

What was the most recent entry point used by an initial access broker ?

Most Recent Entry Point: The most recent entry points used by an initial access broker were a malicious WhatsApp message (zero-click) and linked device synchronization messages (WhatsApp vulnerability).

Post-Incident Analysis

What was the most significant root cause identified in post-incident analysis ?

Most Significant Root Cause: The most significant root causes identified in post-incident analysis were: bug in WhatsApp's platform; zero-day vulnerability; insufficient bounds checking in Apple Image I/O framework (CVE-2025-43300); incomplete authorization for WhatsApp linked device synchronization (CVE-2025-55177); exploit chaining enabled zero-click compromise without user interaction; incomplete authorization in WhatsApp's linked device synchronization; lack of user interaction requirements for exploit execution (zero-click); cross-platform dependency risks (WhatsApp + Apple OS vulnerabilities); inadequate rate limiting in contact discovery API; over-permissive access to public profile data (pictures, statuses, timestamps); lack of cardinality-based protections against bulk queries; key reuse vulnerability in Android clients.

What was the most significant corrective action taken based on post-incident analysis ?

Most Significant Corrective Action: The most significant corrective actions taken based on post-incident analysis were: server-side fix; Apple: tightened memory bounds checking in Image I/O framework; WhatsApp: patched synchronization message authorization and updated client apps; user guidance: factory reset and update enforcement; patched WhatsApp iOS/macOS clients to version 2.25.21.73+; enhanced monitoring for linked device synchronization abuses; collaboration with Apple to address OS-level zero-day (CVE-2025-43300); proactive user notifications for targeted individuals; deployed probabilistic rate limiting (e.g., Bloom filters) to prevent enumeration; restricted public access to profile pictures/status messages; removed timestamps from profile picture queries to limit metadata exposure; patched Android key reuse vulnerability; enhanced API monitoring for abusive queries.

Latest Global CVEs (Not Company-Specific)

Description

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is an XSRF token leakage via protocol-relative URLs in Angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL is protocol-relative (starts with //), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.

Risk Information
cvss4
Base: 7.7
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.

Risk Information
cvss4
Base: 8.7
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions. This issue has been patched in version 1.3.2.

Risk Information
cvss4
Base: 6.3
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, working with large buffers in Lua scripts can lead to a stack overflow. Users of Lua rules and output scripts may be affected when working with large buffers. This includes a rule passing a large buffer to a Lua script. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves disabling Lua rules and output scripts, or making sure limits, such as stream.depth.reassembly and HTTP response body limits (response-body-limit), are set to less than half the stack size.

Risk Information
cvss3
Base: 7.5
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions from 8.0.0 to before 8.0.2, a NULL dereference can occur when the entropy keyword is used in conjunction with base64_data. This issue has been patched in version 8.0.2. A workaround involves disabling rules that use entropy in conjunction with base64_data.

Risk Information
cvss3
Base: 7.5
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Access Data Using Our API

Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=whatsapp.' -H 'apikey: YOUR_API_KEY_HERE'

What Do We Measure ?

Incident
Finding
Grade
Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.