WhatsApp
Company Details
Linkedin ID:
whatsapp.
Website:
Employees number:
3,264
Number of followers:
321,537
NAICS:
5112
Industry Type:
Homepage:
whatsapp.com
IP Addresses:
0
Company ID:
WHA_1162364
Scan Status:
In-progress
WhatsApp Company CyberSecurity Posture
whatsapp.com
WhatsApp is a fast, simple and reliable way to talk to anyone in the world. More than 1.5 billion people across 180+ countries use WhatsApp to stay in touch with friends and family, anytime and anywhere. WhatsApp is not only free but also available on multiple mobile devices and in low connectivity areas — making it accessible and reliable wherever you are. It's a simple and secure way to share your favorite moments, send important information or catch up with a friend. WhatsApp helps people connect and share no matter where they are in the world. For many people in the world WhatsApp is a lifeline. We're looking for engineers, designers, researchers, product managers, technical program managers, customer ops, consumer marketing, and more. Come join our teams and make impact at scale.
WhatsApp A.I CyberSecurity Scoring
WhatsApp Risk Score (AI oriented)Between 650 and 699
WhatsApp
Updated:
- Powered by our proprietary A.I cyber incident model
- Insurance preferes TPRM score to calculate premium
WhatsApp Global Score (TPRM)XXXX
WhatsApp
- Instant access to detailed risk factors
- Benchmark vs. industry & size peers
- Vulnerabilities
- Findings
WhatsApp Company CyberSecurity News & History
Past Incidents
6
Attack Types
3
Breach
Rankiteo Explanation
Attack threatening the organization's existence
Description: A well-known hacking community forum was selling a 2022 database of 487 million WhatsApp user mobile numbers. The dataset allegedly contained WhatsApp user data from 84 countries including over 32 million US user records. It also contained another huge chunk of phone numbers belonging to the citizens of Egypt (45 million), Italy (35 million), Saudi Arabia (29 million), France (20 million), and Turkey (20 million).
Data Leak
Rankiteo Explanation
Attack limited on finance or reputation
Description: The bug was found on WhatsApp's platform. Phone numbers of crores of users have been published on Google. Mobile numbers of 29,000 to 30,000 users were appearing in text format on Google due to the bug.
WhatsApp (Meta)
Vulnerability
Rankiteo Explanation
Attack with significant impact with internal employee data leaks
Description: WhatsApp disclosed a **zero-click vulnerability (CVE-2025-55177)** in its iOS and macOS apps, exploited in **targeted zero-day attacks** alongside an Apple OS-level flaw (CVE-2025-43300). The flaw allowed attackers to **bypass authorization** and force devices to process malicious content from arbitrary URLs, enabling **spyware deployment** (e.g., Paragon’s *Graphite*). WhatsApp confirmed the attacks were **highly sophisticated**, likely state-sponsored, targeting **journalists, civil society members, and high-profile individuals** over 90 days. While WhatsApp patched the issue and warned affected users, the **malware may persist** on compromised devices, requiring **factory resets**. The attack mirrors a March 2025 incident where WhatsApp disrupted a **Paragon spyware campaign** exploiting a similar zero-day. The **combination of WhatsApp and Apple OS vulnerabilities** suggests **advanced persistent threat (APT) actors** leveraged multi-stage exploits to **infiltrate devices silently**, exfiltrate data, and maintain persistence. No evidence of **mass data breaches** was reported, but the **targeted nature** implies **high-value intelligence gathering**, potentially compromising **sensitive communications, contacts, and device integrity** of victims. Users were urged to update software and reset devices to mitigate risks.
WhatsApp (Meta Platforms, Inc.)
Vulnerability
Rankiteo Explanation
Attack with significant impact with customers data leaks
Description: Security researchers from the University of Vienna exposed a critical **vulnerability** in WhatsApp’s contact discovery mechanism, enabling the enumeration of **3.5 billion phone numbers globally** by exploiting weak rate-limiting protections. The flaw allowed attackers to query **63 billion candidate numbers** across 245 countries, retrieving not just phone numbers but also **public profile pictures (77M from US users, 66% with detectable faces), status messages, business account details, device information, encryption keys, and timestamps**.The breach posed severe risks, particularly in **banned regions** (e.g., 2.3M active accounts in China, 1.6M in Myanmar, 59M in Iran), where users could face **government surveillance or legal repercussions**. Cross-referencing with the **2021 Facebook leak** revealed that **50% of exposed numbers remained active**, highlighting persistent threats like **spam, phishing, and robocalls**. While WhatsApp mitigated the issue post-disclosure (e.g., rate-limiting, restricting profile picture access), the incident underscored systemic privacy risks in centralized platforms, where **convenience features become attack vectors at scale**. End-to-end encryption for messages remained intact, but the **mass exposure of metadata and linked identities** created long-term surveillance and targeting risks.
WhatsApp (Meta)
Vulnerability
Rankiteo Explanation
Attack with significant impact with customers data leaks
Description: WhatsApp disclosed a zero-click exploit chain targeting specific users by combining a WhatsApp vulnerability (CVE-2025-55177) with an Apple Image I/O framework flaw (CVE-2025-43300). Attackers sent malicious messages to dozens of users, exploiting out-of-bounds memory writes in Apple’s image processing system and unauthorized WhatsApp message synchronization to compromise devices without user interaction. The attack allowed full device takeover, including access to messages, media, and other sensitive data. Affected users were advised to perform a factory reset, though residual malware risks persisted. The exploit leveraged a chained infection vector, primarily impacting iOS and Mac users, with Android devices potentially exposed via separate attack paths. WhatsApp patched the flaw in updates (iOS v2.25.21.73+, Mac v2.25.21.78+), but the incident highlighted the severity of zero-click threats in spyware campaigns, where no user action is required for compromise. Amnesty International linked the attack to advanced surveillance operations, emphasizing the risk to high-profile targets.
Vulnerability
Rankiteo Explanation
Attack with significant impact with customers data leaks
Description: A critical vulnerability identified in WhatsApp for Windows allows attackers to execute arbitrary code by sending seemingly harmless file attachments that exploit the application's handling of MIME types and file extensions. Designated as CVE-2025-30401, the high-severity flaw affects versions up to 2.2450.5 and has been rectified in version 2.2450.6. The spoofing vulnerability could deceive users into interacting with malicious attachments, leading to unauthorized execution of code and potential data theft. This issue also raises concerns in group chats where a single malicious attachment can compromise multiple users. Immediate updating to a patched version is urged.
WhatsApp Company Scoring based on AI Models
Cyber Incidents Likelihood 3 - 6 - 9 months
A.I Risk Score Likelihood 3 - 6 - 9 months
Underwriter Stats for WhatsApp
Incidents vs Software Development Industry Average (This Year)
WhatsApp has 426.32% more incidents than the average of same-industry companies with at least one recorded incident.
Incidents vs All-Companies Average (This Year)
WhatsApp has 284.62% more incidents than the average of all companies with at least one recorded incident.
Incident Types WhatsApp vs Software Development Industry Avg (This Year)
WhatsApp reported 3 incidents this year: 0 cyber attacks, 0 ransomware, 3 vulnerabilities, 0 data breaches, compared to industry peers with at least 1 incident.
Incident History — WhatsApp (X = Date, Y = Severity)
WhatsApp cyber incidents detection timeline including parent company and subsidiaries
WhatsApp Company Subsidiaries
WhatsApp is a fast, simple and reliable way to talk to anyone in the world. More than 1.5 billion people across 180+ countries use WhatsApp to stay in touch with friends and family, anytime and anywhere. WhatsApp is not only free but also available on multiple mobile devices and in low connectivity areas — making it accessible and reliable wherever you are. It's a simple and secure way to share your favorite moments, send important information or catch up with a friend. WhatsApp helps people connect and share no matter where they are in the world. For many people in the world WhatsApp is a lifeline. We're looking for engineers, designers, researchers, product managers, technical program managers, customer ops, consumer marketing, and more. Come join our teams and make impact at scale.
Loading...
WhatsApp Similar Companies
Nielsen
Nielsen shapes the world’s media and content as a global leader in audience insights, data and analytics. Through our understanding of people and their behaviors across all channels and platforms, we empower our clients with independent and actionable intelligence so they can connect and engage with
Alibaba.com
The first business of Alibaba Group, Alibaba.com (www.alibaba.com) is the leading platform for global wholesale trade serving millions of buyers and suppliers around the world. Through Alibaba.com, small businesses can sell their products to companies in other countries. Sellers on Alibaba.com are t
GlobalLogic
GlobalLogic, a Hitachi Group company, is a trusted partner in design, data, and digital engineering for the world’s largest and most innovative companies. Since our inception in 2000, we have been at the forefront of the digital revolution, helping to create some of the most widely used digital prod
Cisco
Cisco is the worldwide technology leader that is revolutionizing the way organizations connect and protect in the AI era. For more than 40 years, Cisco has securely connected the world. With its industry leading AI-powered solutions and services, Cisco enables its customers, partners and communities
Shopee
Shopee is the leading e-commerce platform in Southeast Asia and Taiwan. It is a platform tailored for the region, providing customers with an easy, secure and fast online shopping experience through strong payment and logistical support. Shopee aims to continually enhance its platform and become th
PayPal
We're championing possibilities for all by making money fast, easy, and more enjoyable. Our hope is unlock opportunities for people in their everyday lives and empower the millions of people and businesses around the world who trust, rely, and use PayPal every day. For support, visit the PayPal He
DiDi
DiDi Global Inc. is a leading mobility technology platform. It offers a wide range of app-based services across Asia Pacific, Latin America, and other global markets, including ride hailing, taxi hailing, designated driving, hitch and other forms of shared mobility as well as certain energy and vehi
Pitney Bowes is a technology-driven products and services company that provides SaaS shipping solutions, mailing innovation, and financial services to clients around the world – including more than 90 percent of the Fortune 500. Small businesses to large enterprises, and government entities rely on
Atlassian powers the collaboration that helps teams accomplish what would otherwise be impossible alone. From space missions and motor racing to bugs in code and IT requests, no task is too large or too small with the right team, the right tools, and the right practices. Over 300,000 global compa
.png)
WhatsApp CyberSecurity News
December 12, 2025 07:02 AM
UK Parliamentarians hit by Spear Phishing Attacks
For the past couple of years, rumors and speculations have swirled around the UK government's concerns about cyberattacks targeting its...
December 08, 2025 02:24 PM
Hackers Can Leverage Delivery Receipts on WhatsApp and Signal to Extract User Private Information
Security researchers have exposed a critical privacy flaw dubbed “Careless Whisper” that lets attackers monitor user activity on WhatsApp...
December 01, 2025 08:00 AM
Why you might get logged out of WhatsApp Web every 6 hours in India
In a move to improve India's cybersecurity, the Centre has rolled out new rules under the Telecommunication Cybersecurity Amendment Rules,...
November 30, 2025 06:32 AM
No WhatsApp without active SIM: India mulls 6-hour logouts to curb misuse, new changes explained
The Indian government mandates WhatsApp accounts to remain linked to active SIM cards to enhance cybersecurity. This move aims to reduce online fraud but...
November 27, 2025 08:00 AM
State-backed spyware attacks are targeting Signal and WhatsApp users, CISA warns
CISA, the US Cybersecurity and Infrastructure Security Agency, has issued a new warning that cybercriminals and state-backed hacking groups...
November 25, 2025 08:00 AM
CISA Warns of Active Spyware Campaigns Hijacking High-Value Signal and WhatsApp Users
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday issued an alert warning of bad actors actively leveraging...
November 25, 2025 08:00 AM
CISA Issues Warning on Commercial Spyware Targeting Signal and WhatsApp Users
commercial spyware - The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a new alert warning that multiple cyber.
November 25, 2025 08:00 AM
Hackers Bypass Signal, Telegram And WhatsApp Encryption To Read Messages
How private and secure are your end-to-end encrypted instant messages? Not so much when Sturnus attacks.
November 25, 2025 08:00 AM
CISA warns spyware crews are breaking into Signal and WhatsApp accounts
CISA has warned that state-backed snoops and cyber-mercenaries are actively abusing commercial spyware to break into Signal and WhatsApp...
Frequently Asked Questions
Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
WhatsApp CyberSecurity History Information
Official Website of WhatsApp
The official website of WhatsApp is http://www.whatsapp.com.
WhatsApp’s AI-Generated Cybersecurity Score
According to Rankiteo, WhatsApp’s AI-generated cybersecurity score is 686, reflecting their Weak security posture.
How many security badges does WhatsApp’ have ?
According to Rankiteo, WhatsApp currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.
Does WhatsApp have SOC 2 Type 1 certification ?
According to Rankiteo, WhatsApp is not certified under SOC 2 Type 1.
Does WhatsApp have SOC 2 Type 2 certification ?
According to Rankiteo, WhatsApp does not hold a SOC 2 Type 2 certification.
Does WhatsApp comply with GDPR ?
According to Rankiteo, WhatsApp is not listed as GDPR compliant.
Does WhatsApp have PCI DSS certification ?
According to Rankiteo, WhatsApp does not currently maintain PCI DSS compliance.
Does WhatsApp comply with HIPAA ?
According to Rankiteo, WhatsApp is not compliant with HIPAA regulations.
Does WhatsApp have ISO 27001 certification ?
According to Rankiteo,WhatsApp is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.
Industry Classification of WhatsApp
WhatsApp operates primarily in the Software Development industry.
Number of Employees at WhatsApp
WhatsApp employs approximately 3,264 people worldwide.
Subsidiaries Owned by WhatsApp
WhatsApp presently has no subsidiaries across any sectors.
WhatsApp’s LinkedIn Followers
WhatsApp’s official LinkedIn profile has approximately 321,537 followers.
NAICS Classification of WhatsApp
WhatsApp is classified under the NAICS code 5112, which corresponds to Software Publishers.
WhatsApp’s Presence on Crunchbase
Yes, WhatsApp has an official profile on Crunchbase, which can be accessed here: https://www.crunchbase.com/organization/whatsapp.
WhatsApp’s Presence on LinkedIn
Yes, WhatsApp maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/whatsapp..
Cybersecurity Incidents Involving WhatsApp
As of December 16, 2025, Rankiteo reports that WhatsApp has experienced 6 cybersecurity incidents.
Number of Peer and Competitor Companies
WhatsApp has an estimated 27,783 peer or competitor companies worldwide.
What types of cybersecurity incidents have occurred at WhatsApp ?
Incident Types: The types of cybersecurity incidents that have occurred include Vulnerability, Data Leak and Breach.
How does WhatsApp detect and respond to cybersecurity incidents ?
Detection and Response: The company detects and responds to cybersecurity incidents through an remediation measures with patch applied in version 2.2450.6, and communication strategy with urging immediate update to patched version, and and third party assistance with amnesty international security lab (investigation), and containment measures with whatsapp server-side patches to block exploit, containment measures with user notifications with mitigation steps, and remediation measures with whatsapp app updates (ios v2.25.21.73+, mac v2.25.21.78+), remediation measures with apple security updates for image i/o framework, remediation measures with factory reset recommendation for affected users, and recovery measures with device updates (os and whatsapp), recovery measures with security feature enablement (e.g., google advanced protection for android), and communication strategy with direct notifications to affected users, communication strategy with public advisory via blog/press, communication strategy with collaboration with amnesty international for technical details, and and third party assistance with amnesty international security lab, third party assistance with university of toronto's citizen lab, and containment measures with patching vulnerable whatsapp versions (ios/macos), containment measures with disrupting paragon's graphite spyware campaign, and remediation measures with user notifications, remediation measures with factory reset recommendations, remediation measures with os/software update advisories, and communication strategy with direct alerts to targeted users, communication strategy with public security advisory, communication strategy with media statements, and incident response plan activated with yes (collaboration with researchers), and third party assistance with university of vienna security researchers, and containment measures with cardinality-based rate limiting using probabilistic data structures, containment measures with restricted access to profile pictures and status messages (even if set to public), containment measures with removed timestamps from profile picture queries, and remediation measures with fixed key reuse vulnerability in android clients, remediation measures with enhanced api protections against bulk enumeration, and communication strategy with public disclosure with mitigation details; emphasized end-to-end encryption remains intact, and enhanced monitoring with likely (implied by rate-limiting fixes)..
Incident Details
Can you provide details on each incident ?
Title: WhatsApp User Data Breach
Description: A well-known hacking community forum was selling a 2022 database of 487 million WhatsApp user mobile numbers. The dataset allegedly contained WhatsApp user data from 84 countries including over 32 million US user records. It also contained another huge chunk of phone numbers belonging to the citizens of Egypt (45 million), Italy (35 million), Saudi Arabia (29 million), France (20 million), and Turkey (20 million).
Type: Data Breach
Attack Vector: Data Exfiltration
Motivation: Financial Gain
Title: WhatsApp Data Leak Incident
Description: A bug on WhatsApp's platform resulted in the phone numbers of millions of users being published on Google. Mobile numbers of approximately 29,000 to 30,000 users were appearing in text format on Google due to the bug.
Type: Data Leak
Attack Vector: Bug in Platform
Vulnerability Exploited: Bug
Title: WhatsApp for Windows Vulnerability
Description: A critical vulnerability identified in WhatsApp for Windows allows attackers to execute arbitrary code by sending seemingly harmless file attachments that exploit the application's handling of MIME types and file extensions. Designated as CVE-2025-30401, the high-severity flaw affects versions up to 2.2450.5 and has been rectified in version 2.2450.6. The spoofing vulnerability could deceive users into interacting with malicious attachments, leading to unauthorized execution of code and potential data theft. This issue also raises concerns in group chats where a single malicious attachment can compromise multiple users. Immediate updating to a patched version is urged.
Type: Vulnerability Exploitation
Attack Vector: File Attachment Spoofing
Vulnerability Exploited: CVE-2025-30401
Title: WhatsApp Zero-Click Exploit Chain Targeting iOS and Android Users via Malicious Messages
Description: WhatsApp patched a vulnerability (CVE-2025-55177) exploited in conjunction with an Apple Image I/O framework vulnerability (CVE-2025-43300) to compromise devices via zero-click attacks. Attackers sent malicious messages to dozens of users, leveraging an out-of-bounds write flaw in Apple’s Image I/O and a WhatsApp synchronization message authorization bypass. Affected users were advised to perform a factory reset and update their devices. The attack targeted both iPhone and Android users, though the most severe zero-click risk applied primarily to Apple devices.
Type: Zero-click exploit
Attack Vector: Malicious message (WhatsApp)Exploit chaining (Apple Image I/O + WhatsApp sync flaw)Zero-click (no user interaction required)
Title: WhatsApp Zero-Day Vulnerability (CVE-2025-55177) Exploited in Targeted Spyware Attacks
Description: WhatsApp patched a zero-click security vulnerability (CVE-2025-55177) in its iOS and macOS clients, exploited in targeted attacks. The flaw, combined with an Apple OS-level zero-day (CVE-2025-43300), enabled sophisticated spyware campaigns. WhatsApp warned select users of potential compromise via advanced spyware (e.g., Paragon's Graphite) and advised factory resets. The attack leveraged incomplete authorization in linked device synchronization to process arbitrary URLs on targets' devices.
Date Publicly Disclosed: 2025-09-20
Date Resolved: 2025-09-20
Type: Zero-day exploit
Attack Vector: Zero-click exploitLinked device synchronization vulnerabilityArbitrary URL processing
Vulnerability Exploited: CVE-2025-55177 (WhatsApp incomplete authorization)CVE-2025-43300 (Apple OS-level zero-day)
Threat Actor: Paragon (suspected)Advanced persistent threat (APT) actors
Motivation: EspionageTargeted surveillance
Title: Critical WhatsApp Vulnerability Exposes 3.5 Billion User Phone Numbers and Profile Data
Description: Security researchers from the University of Vienna uncovered a critical vulnerability in WhatsApp’s contact discovery mechanism, allowing them to enumerate phone numbers of 3.5 billion users worldwide. The flaw stemmed from weak rate-limiting protections, enabling researchers to probe over 100 million phone numbers per hour. Beyond phone numbers, the vulnerability exposed public profile pictures, status messages, business account information, device details, encryption keys, and timestamps. Researchers successfully downloaded 77 million public profile pictures from US accounts, with 66% containing detectable human faces. The data could enable facial recognition-based lookup services, posing risks like spam, phishing, and surveillance—especially in countries where WhatsApp is banned (e.g., 2.3M active accounts in China, 1.6M in Myanmar, 59M in Iran). WhatsApp implemented countermeasures after responsible disclosure, including cardinality-based rate limiting and restricting access to public profile data.
Date Detected: 2024-12-01
Date Publicly Disclosed: 2025-04-01
Date Resolved: 2025-04-01
Type: Privacy Violation
Attack Vector: API AbuseWeak Rate LimitingReverse-Engineered APIs
Vulnerability Exploited: Contact Discovery Mechanism FlawCardinality-Based Rate Limiting BypassKey Reuse Vulnerability (Android)
Threat Actor: University of Vienna Security Researchers (Ethical Disclosure)
Motivation: Academic Research / Responsible Disclosure
What are the most common types of attacks the company has faced ?
Common Attack Types: The most common types of attacks the company has faced is Vulnerability.
How does the company identify the attack vectors used in incidents ?
Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Malicious WhatsApp message (zero-click) and Linked device synchronization messages (WhatsApp vulnerability).
Impact of the Incidents
What was the impact of each incident ?
Incident : Data Breach WHA2315251122
Data Compromised: Mobile numbers
Incident : Data Leak WHA21136123
Data Compromised: Phone numbers
Incident : Vulnerability Exploitation WHA623040825
Data Compromised: Potential data theft
Systems Affected: WhatsApp for Windows
Incident : Zero-click exploit WHA810090225
Data Compromised: Messages, Device data (potential full access)
Systems Affected: iOS devicesMac devicesAndroid devices (limited scope)
Operational Impact: Potential full device compromise, including spyware installation
Brand Reputation Impact: Moderate (proactive disclosure and mitigation may limit damage)
Identity Theft Risk: High (if spyware installed)
Payment Information Risk: Potential (if device fully compromised)
Incident : Zero-day exploit WHA28105328090725
Data Compromised: Potential device compromise, Spyware installation (e.g., graphite)
Systems Affected: WhatsApp for iOS (<2.25.21.73)WhatsApp Business for iOS (<2.25.21.78)WhatsApp for Mac (<2.25.21.78)Apple iOS/macOS (via CVE-2025-43300)
Operational Impact: User notificationsFactory reset recommendationsOngoing risk of device compromise
Brand Reputation Impact: Potential erosion of trust due to targeted spyware attacks
Identity Theft Risk: ['High (via spyware capabilities)']
Incident : Privacy Violation WHA2002220112025
Data Compromised: Phone numbers (3.5 billion), Public profile pictures (77 million from us accounts), Status messages, Business account information, Device details, Encryption keys, Timestamps, Facial recognition data (66% of profile pictures contained detectable faces)
Systems Affected: WhatsApp Contact Discovery APIWhatsApp Android Clients (Key Reuse Vulnerability)
Operational Impact: High (Potential for spam, phishing, robocalls, and surveillance risks)
Brand Reputation Impact: Moderate (Privacy concerns raised, but proactive mitigation by WhatsApp)
Identity Theft Risk: High (Facial recognition + phone number linkage)
What types of data are most commonly compromised in incidents ?
Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Mobile Numbers, Phone Numbers, , Messages, Device-Stored Data (Potential Full Access), , Device Metadata, Potential Communications (Via Spyware), User Activity, , Phone Numbers, Profile Pictures, Status Messages, Business Account Info, Device Details, Encryption Keys, Timestamps, Facial Recognition Data and .
Which entities were affected by each incident ?
Incident : Data Breach WHA2315251122
Entity Name: WhatsApp
Entity Type: Social Media Platform
Industry: Technology
Location: Global
Customers Affected: 84 countries including over 32 million US user records, 45 million from Egypt, 35 million from Italy, 29 million from Saudi Arabia, 20 million from France, and 20 million from Turkey
Incident : Data Leak WHA21136123
Entity Name: WhatsApp
Entity Type: Company
Industry: Technology
Customers Affected: 30,000 users
Incident : Vulnerability Exploitation WHA623040825
Entity Name: WhatsApp
Entity Type: Application
Industry: Technology
Incident : Zero-click exploit WHA810090225
Entity Name: WhatsApp (Meta)
Entity Type: Messaging platform
Industry: Technology/Social Media
Location: Global
Customers Affected: Dozens of targeted users (exact number undisclosed)
Incident : Zero-click exploit WHA810090225
Entity Name: Apple Inc.
Entity Type: Technology company
Industry: Consumer Electronics/Software
Location: Global
Customers Affected: iOS and Mac users with unpatched devices
Incident : Zero-day exploit WHA28105328090725
Entity Name: WhatsApp (Meta Platforms, Inc.)
Entity Type: Technology company
Industry: Messaging/Communication
Location: Global
Size: Large (2+ billion users)
Customers Affected: Targeted users (journalists, civil society members, high-risk individuals)
Incident : Privacy Violation WHA2002220112025
Entity Name: WhatsApp (Meta Platforms, Inc.)
Entity Type: Messaging Platform
Industry: Technology / Social Media
Location: Global
Size: 3.5 billion users
Customers Affected: 3.5 billion (all users with phone numbers exposed; 77 million US profile pictures downloaded)
Incident : Privacy Violation WHA2002220112025
Entity Name: Users in Restricted Regions
Entity Type: Individuals
Location: China (2.3M accounts)Myanmar (1.6M accounts)Iran (59M accounts)
Customers Affected: 62.9 million (potential surveillance/legal risks)
Response to the Incidents
What measures were taken in response to each incident ?
Incident : Vulnerability Exploitation WHA623040825
Remediation Measures: Patch applied in version 2.2450.6
Communication Strategy: Urging immediate update to patched version
Incident : Zero-click exploit WHA810090225
Incident Response Plan Activated: True
Third Party Assistance: Amnesty International Security Lab (Investigation).
Containment Measures: WhatsApp server-side patches to block exploitUser notifications with mitigation steps
Remediation Measures: WhatsApp app updates (iOS v2.25.21.73+, Mac v2.25.21.78+)Apple security updates for Image I/O frameworkFactory reset recommendation for affected users
Recovery Measures: Device updates (OS and WhatsApp)Security feature enablement (e.g., Google Advanced Protection for Android)
Communication Strategy: Direct notifications to affected usersPublic advisory via blog/pressCollaboration with Amnesty International for technical details
Incident : Zero-day exploit WHA28105328090725
Incident Response Plan Activated: True
Third Party Assistance: Amnesty International Security Lab, University Of Toronto'S Citizen Lab.
Containment Measures: Patching vulnerable WhatsApp versions (iOS/macOS)Disrupting Paragon's Graphite spyware campaign
Remediation Measures: User notificationsFactory reset recommendationsOS/software update advisories
Communication Strategy: Direct alerts to targeted usersPublic security advisoryMedia statements
Incident : Privacy Violation WHA2002220112025
Incident Response Plan Activated: Yes (Collaboration with researchers)
Third Party Assistance: University of Vienna Security Researchers
Containment Measures: Cardinality-based rate limiting using probabilistic data structuresRestricted access to profile pictures and status messages (even if set to public)Removed timestamps from profile picture queries
Remediation Measures: Fixed key reuse vulnerability in Android clientsEnhanced API protections against bulk enumeration
Communication Strategy: Public disclosure with mitigation details; emphasized end-to-end encryption remains intact
Enhanced Monitoring: Likely (implied by rate-limiting fixes)
What is the company's incident response plan?
Incident Response Plan: The company's incident response plan is described as Yes (Collaboration with researchers).
How does the company involve third-party assistance in incident response ?
Third-Party Assistance: The company involves third-party assistance in incident response through Amnesty International Security Lab (investigation), , Amnesty International Security Lab, University of Toronto's Citizen Lab, , University of Vienna Security Researchers.
Data Breach Information
What type of data was compromised in each breach ?
Incident : Data Breach WHA2315251122
Type of Data Compromised: Mobile Numbers
Number of Records Exposed: 487 million
Incident : Data Leak WHA21136123
Type of Data Compromised: Phone numbers
Number of Records Exposed: 29,000 to 30,000
Incident : Zero-click exploit WHA810090225
Type of Data Compromised: Messages, Device-stored data (potential full access)
Sensitivity of Data: High (personal messages, potentially sensitive device data)
Data Exfiltration: Likely (spyware installation implied)
File Types Exposed: Image files (malicious payload)Potentially all device-stored files
Personally Identifiable Information: High risk (if device compromised)
Incident : Zero-day exploit WHA28105328090725
Type of Data Compromised: Device metadata, Potential communications (via spyware), User activity
Sensitivity of Data: High (spyware capable of exfiltrating sensitive user data)
Incident : Privacy Violation WHA2002220112025
Type of Data Compromised: Phone numbers, Profile pictures, Status messages, Business account info, Device details, Encryption keys, Timestamps, Facial recognition data
Number of Records Exposed: 3.5 billion (phone numbers); 77 million (US profile pictures)
Sensitivity of Data: High (PII + facial recognition risks)
Data Exfiltration: Yes (researchers downloaded data for analysis)
Data Encryption: End-to-end encryption for messages remained intact; encryption keys for accounts were exposed
File Types Exposed: JPEG/PNG (profile pictures)Text (status messages, business info)
Personally Identifiable Information: Yes (phone numbers + facial data)
What measures does the company take to prevent data exfiltration ?
Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Patch applied in version 2.2450.6, WhatsApp app updates (iOS v2.25.21.73+, Mac v2.25.21.78+), Apple security updates for Image I/O framework, Factory reset recommendation for affected users, , User notifications, Factory reset recommendations, OS/software update advisories, , Fixed key reuse vulnerability in Android clients, Enhanced API protections against bulk enumeration, .
How does the company handle incidents involving personally identifiable information (PII) ?
Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by whatsapp server-side patches to block exploit, user notifications with mitigation steps, , patching vulnerable whatsapp versions (ios/macos), disrupting paragon's graphite spyware campaign, , cardinality-based rate limiting using probabilistic data structures, restricted access to profile pictures and status messages (even if set to public), removed timestamps from profile picture queries and .
Ransomware Information
Was ransomware involved in any of the incidents ?
Incident : Zero-day exploit WHA28105328090725
Data Exfiltration: True
How does the company recover data encrypted by ransomware ?
Data Recovery from Ransomware: The company recovers data encrypted by ransomware through Device updates (OS and WhatsApp), Security feature enablement (e.g., Google Advanced Protection for Android), .
Lessons Learned and Recommendations
What lessons were learned from each incident ?
Incident : Zero-click exploit WHA810090225
Lessons Learned: Zero-click exploits pose severe risks even to fully patched systems when chained with other vulnerabilities., Cross-platform vulnerabilities (e.g., Apple Image I/O) can amplify attack surfaces for apps like WhatsApp., Proactive user notification and clear mitigation steps are critical for limiting damage from targeted attacks.
Incident : Zero-day exploit WHA28105328090725
Lessons Learned: Zero-click vulnerabilities in messaging apps remain high-value targets for APT groups., Cross-platform vulnerabilities (e.g., WhatsApp + Apple OS) amplify attack impact., Proactive user notifications and remediation guidance are critical for targeted attacks.
Incident : Privacy Violation WHA2002220112025
Lessons Learned: Centralized messaging platforms face inherent privacy risks when convenience features (e.g., contact discovery) lack abuse protections at scale., Weak rate limiting can enable mass enumeration attacks, exposing billions of records., Publicly accessible data (e.g., profile pictures) can become high-risk when combined with other exposed attributes (e.g., phone numbers)., Data breaches have long-term impacts; 50% of phone numbers from a 2021 leak remained active on WhatsApp in 2025., Facial recognition risks emerge when profile pictures are linked to identifiers like phone numbers.
What recommendations were made to prevent future incidents ?
Incident : Zero-click exploit WHA810090225
Recommendations: Immediately update WhatsApp and device OS to the latest versions., Perform a factory reset if notified by WhatsApp of potential compromise., Enable advanced security features (e.g., Google Advanced Protection for Android)., Use mobile security solutions (e.g., Malwarebytes) for additional protection., Monitor for unusual device behavior (e.g., battery drain, data usage spikes)., Organizations should audit third-party app dependencies (e.g., Image I/O framework) for shared vulnerabilities.Immediately update WhatsApp and device OS to the latest versions., Perform a factory reset if notified by WhatsApp of potential compromise., Enable advanced security features (e.g., Google Advanced Protection for Android)., Use mobile security solutions (e.g., Malwarebytes) for additional protection., Monitor for unusual device behavior (e.g., battery drain, data usage spikes)., Organizations should audit third-party app dependencies (e.g., Image I/O framework) for shared vulnerabilities.Immediately update WhatsApp and device OS to the latest versions., Perform a factory reset if notified by WhatsApp of potential compromise., Enable advanced security features (e.g., Google Advanced Protection for Android)., Use mobile security solutions (e.g., Malwarebytes) for additional protection., Monitor for unusual device behavior (e.g., battery drain, data usage spikes)., Organizations should audit third-party app dependencies (e.g., Image I/O framework) for shared vulnerabilities.Immediately update WhatsApp and device OS to the latest versions., Perform a factory reset if notified by WhatsApp of potential compromise., Enable advanced security features (e.g., Google Advanced Protection for Android)., Use mobile security solutions (e.g., Malwarebytes) for additional protection., Monitor for unusual device behavior (e.g., battery drain, data usage spikes)., Organizations should audit third-party app dependencies (e.g., Image I/O framework) for shared vulnerabilities.Immediately update WhatsApp and device OS to the latest versions., Perform a factory reset if notified by WhatsApp of potential compromise., Enable advanced security features (e.g., Google Advanced Protection for Android)., Use mobile security solutions (e.g., Malwarebytes) for additional protection., Monitor for unusual device behavior (e.g., battery drain, data usage spikes)., Organizations should audit third-party app dependencies (e.g., Image I/O framework) for shared vulnerabilities.Immediately update WhatsApp and device OS to the latest versions., Perform a factory reset if notified by WhatsApp of potential compromise., Enable advanced security features (e.g., Google Advanced Protection for Android)., Use mobile security solutions (e.g., Malwarebytes) for additional protection., Monitor for unusual device behavior (e.g., battery drain, data usage spikes)., Organizations should audit third-party app dependencies (e.g., Image I/O framework) for shared vulnerabilities.
Incident : Zero-day exploit WHA28105328090725
Recommendations: Implement stricter authorization controls for linked device synchronization., Enhance collaboration with OS vendors (e.g., Apple) to mitigate cross-platform risks., Expand threat intelligence sharing with civil society organizations (e.g., Citizen Lab, Amnesty International)., Accelerate patch deployment for zero-day vulnerabilities in widely used applications.Implement stricter authorization controls for linked device synchronization., Enhance collaboration with OS vendors (e.g., Apple) to mitigate cross-platform risks., Expand threat intelligence sharing with civil society organizations (e.g., Citizen Lab, Amnesty International)., Accelerate patch deployment for zero-day vulnerabilities in widely used applications.Implement stricter authorization controls for linked device synchronization., Enhance collaboration with OS vendors (e.g., Apple) to mitigate cross-platform risks., Expand threat intelligence sharing with civil society organizations (e.g., Citizen Lab, Amnesty International)., Accelerate patch deployment for zero-day vulnerabilities in widely used applications.Implement stricter authorization controls for linked device synchronization., Enhance collaboration with OS vendors (e.g., Apple) to mitigate cross-platform risks., Expand threat intelligence sharing with civil society organizations (e.g., Citizen Lab, Amnesty International)., Accelerate patch deployment for zero-day vulnerabilities in widely used applications.
Incident : Privacy Violation WHA2002220112025
Recommendations: Implement stricter rate limiting with probabilistic data structures (e.g., Bloom filters) to prevent enumeration attacks., Restrict default visibility of profile pictures/status messages, even for 'public' settings., Audit third-party API access and contact discovery mechanisms for abuse potential., Enhance user education on privacy settings and risks of public profile data., Monitor for secondary risks (e.g., phishing, spam) stemming from exposed data., Conduct regular red-team exercises to test for large-scale data exposure vectors.Implement stricter rate limiting with probabilistic data structures (e.g., Bloom filters) to prevent enumeration attacks., Restrict default visibility of profile pictures/status messages, even for 'public' settings., Audit third-party API access and contact discovery mechanisms for abuse potential., Enhance user education on privacy settings and risks of public profile data., Monitor for secondary risks (e.g., phishing, spam) stemming from exposed data., Conduct regular red-team exercises to test for large-scale data exposure vectors.Implement stricter rate limiting with probabilistic data structures (e.g., Bloom filters) to prevent enumeration attacks., Restrict default visibility of profile pictures/status messages, even for 'public' settings., Audit third-party API access and contact discovery mechanisms for abuse potential., Enhance user education on privacy settings and risks of public profile data., Monitor for secondary risks (e.g., phishing, spam) stemming from exposed data., Conduct regular red-team exercises to test for large-scale data exposure vectors.Implement stricter rate limiting with probabilistic data structures (e.g., Bloom filters) to prevent enumeration attacks., Restrict default visibility of profile pictures/status messages, even for 'public' settings., Audit third-party API access and contact discovery mechanisms for abuse potential., Enhance user education on privacy settings and risks of public profile data., Monitor for secondary risks (e.g., phishing, spam) stemming from exposed data., Conduct regular red-team exercises to test for large-scale data exposure vectors.Implement stricter rate limiting with probabilistic data structures (e.g., Bloom filters) to prevent enumeration attacks., Restrict default visibility of profile pictures/status messages, even for 'public' settings., Audit third-party API access and contact discovery mechanisms for abuse potential., Enhance user education on privacy settings and risks of public profile data., Monitor for secondary risks (e.g., phishing, spam) stemming from exposed data., Conduct regular red-team exercises to test for large-scale data exposure vectors.Implement stricter rate limiting with probabilistic data structures (e.g., Bloom filters) to prevent enumeration attacks., Restrict default visibility of profile pictures/status messages, even for 'public' settings., Audit third-party API access and contact discovery mechanisms for abuse potential., Enhance user education on privacy settings and risks of public profile data., Monitor for secondary risks (e.g., phishing, spam) stemming from exposed data., Conduct regular red-team exercises to test for large-scale data exposure vectors.
What are the key lessons learned from past incidents ?
Key Lessons Learned: The key lessons learned from past incidents are Zero-click exploits pose severe risks even to fully patched systems when chained with other vulnerabilities.,Cross-platform vulnerabilities (e.g., Apple Image I/O) can amplify attack surfaces for apps like WhatsApp.,Proactive user notification and clear mitigation steps are critical for limiting damage from targeted attacks.Zero-click vulnerabilities in messaging apps remain high-value targets for APT groups.,Cross-platform vulnerabilities (e.g., WhatsApp + Apple OS) amplify attack impact.,Proactive user notifications and remediation guidance are critical for targeted attacks.Centralized messaging platforms face inherent privacy risks when convenience features (e.g., contact discovery) lack abuse protections at scale.,Weak rate limiting can enable mass enumeration attacks, exposing billions of records.,Publicly accessible data (e.g., profile pictures) can become high-risk when combined with other exposed attributes (e.g., phone numbers).,Data breaches have long-term impacts; 50% of phone numbers from a 2021 leak remained active on WhatsApp in 2025.,Facial recognition risks emerge when profile pictures are linked to identifiers like phone numbers.
What recommendations has the company implemented to improve cybersecurity ?
Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Conduct regular red-team exercises to test for large-scale data exposure vectors., Implement stricter rate limiting with probabilistic data structures (e.g., Bloom filters) to prevent enumeration attacks., Enhance user education on privacy settings and risks of public profile data., Monitor for secondary risks (e.g., phishing, spam) stemming from exposed data., Restrict default visibility of profile pictures/status messages, even for 'public' settings. and Audit third-party API access and contact discovery mechanisms for abuse potential..
References
Where can I find more information about each incident ?
Incident : Zero-click exploit WHA810090225
Source: WhatsApp Security Advisory
Incident : Zero-click exploit WHA810090225
Source: Apple Security Update (CVE-2025-43300)
Incident : Zero-click exploit WHA810090225
Source: Amnesty International Security Lab
Incident : Zero-click exploit WHA810090225
Source: Malwarebytes Blog (Mitigation Guidance)
Incident : Zero-day exploit WHA28105328090725
Source: WhatsApp Security Advisory (CVE-2025-55177)
URL: https://www.whatsapp.com/security/advisories/2025
Date Accessed: 2025-09-20
Incident : Zero-day exploit WHA28105328090725
Source: BleepingComputer - WhatsApp patches zero-day used in Paragon spyware attacks
Date Accessed: 2025-09-20
Incident : Zero-day exploit WHA28105328090725
Source: Amnesty International Security Lab Statement
URL: https://www.amnesty.org/en/latest/news/2025/09/whatsapp-spyware-campaign-targets-journalists/
Date Accessed: 2025-09-20
Incident : Zero-day exploit WHA28105328090725
Source: Apple Security Updates (CVE-2025-43300)
URL: https://support.apple.com/en-us/HT214023
Date Accessed: 2025-09-15
Incident : Privacy Violation WHA2002220112025
Source: University of Vienna Security Research Team
Incident : Privacy Violation WHA2002220112025
Source: WhatsApp Security Advisory (2025)
Incident : Privacy Violation WHA2002220112025
Source: Comparison with 2021 Facebook Data Leak
Where can stakeholders find additional resources on cybersecurity best practices ?
Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: WhatsApp Security Advisory, and Source: Apple Security Update (CVE-2025-43300), and Source: Amnesty International Security Lab, and Source: Malwarebytes Blog (Mitigation Guidance), and Source: WhatsApp Security Advisory (CVE-2025-55177)Url: https://www.whatsapp.com/security/advisories/2025Date Accessed: 2025-09-20, and Source: BleepingComputer - WhatsApp patches zero-day used in Paragon spyware attacksUrl: https://www.bleepingcomputer.com/news/security/whatsapp-patches-zero-day-used-in-paragon-spyware-attacks/Date Accessed: 2025-09-20, and Source: Amnesty International Security Lab StatementUrl: https://www.amnesty.org/en/latest/news/2025/09/whatsapp-spyware-campaign-targets-journalists/Date Accessed: 2025-09-20, and Source: Apple Security Updates (CVE-2025-43300)Url: https://support.apple.com/en-us/HT214023Date Accessed: 2025-09-15, and Source: University of Vienna Security Research Team, and Source: WhatsApp Security Advisory (2025), and Source: Comparison with 2021 Facebook Data Leak.
Investigation Status
What is the current status of the investigation for each incident ?
Incident : Zero-click exploit WHA810090225
Investigation Status: Ongoing (WhatsApp and Amnesty International collaboration)
Incident : Zero-day exploit WHA28105328090725
Investigation Status: Ongoing (limited details disclosed; collaboration with Apple and third-party researchers)
Incident : Privacy Violation WHA2002220112025
Investigation Status: Completed (Vulnerability patched; research published)
How does the company communicate the status of incident investigations to stakeholders ?
Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Urging immediate update to patched version, Direct Notifications To Affected Users, Public Advisory Via Blog/Press, Collaboration With Amnesty International For Technical Details, Direct Alerts To Targeted Users, Public Security Advisory, Media Statements and Public disclosure with mitigation details; emphasized end-to-end encryption remains intact.
Stakeholder and Customer Advisories
Were there any advisories issued to stakeholders or customers for each incident ?
Incident : Zero-click exploit WHA810090225
Stakeholder Advisories: Direct Notifications To Affected Users With Factory Reset Instructions., Public Guidance On Updating Devices And Apps..
Customer Advisories: Factory reset recommendation for potentially compromised devices.Urgent update prompts for WhatsApp and device OS.Security best practices (e.g., enabling advanced protection features).
Incident : Zero-day exploit WHA28105328090725
Stakeholder Advisories: Targeted Users Notified Via In-App Alerts With Remediation Steps., Public Advisory Urging Updates To Whatsapp And Device Os..
Customer Advisories: Factory reset recommended for potentially compromised devices.Keep WhatsApp and device OS updated to latest versions.Monitor for unusual device behavior (indicative of spyware).
Incident : Privacy Violation WHA2002220112025
Stakeholder Advisories: WhatsApp notified users via blog post and in-app notifications about privacy enhancements.
Customer Advisories: Users advised to review privacy settings and limit public profile data.
What advisories does the company provide to stakeholders and customers following an incident ?
Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Direct Notifications To Affected Users With Factory Reset Instructions., Public Guidance On Updating Devices And Apps., Factory Reset Recommendation For Potentially Compromised Devices., Urgent Update Prompts For Whatsapp And Device Os., Security Best Practices (E.G., Enabling Advanced Protection Features)., , Targeted Users Notified Via In-App Alerts With Remediation Steps., Public Advisory Urging Updates To Whatsapp And Device Os., Factory Reset Recommended For Potentially Compromised Devices., Keep Whatsapp And Device Os Updated To Latest Versions., Monitor For Unusual Device Behavior (Indicative Of Spyware)., , WhatsApp notified users via blog post and in-app notifications about privacy enhancements. and Users advised to review privacy settings and limit public profile data..
Initial Access Broker
How did the initial access broker gain entry for each incident ?
Incident : Zero-click exploit WHA810090225
Entry Point: Malicious WhatsApp message (zero-click)
Backdoors Established: Likely (spyware implantation implied)
High Value Targets: Dozens of specific users (targeted attack)
Data Sold on Dark Web: Dozens of specific users (targeted attack)
Incident : Zero-day exploit WHA28105328090725
Entry Point: Linked device synchronization messages (WhatsApp vulnerability)
Backdoors Established: ['Paragon Graphite spyware (suspected)']
High Value Targets: Journalists, Civil Society Members, Activists,
Data Sold on Dark Web: Journalists, Civil Society Members, Activists,
Post-Incident Analysis
What were the root causes and corrective actions taken for each incident ?
Incident : Data Leak WHA21136123
Root Causes: Bug in WhatsApp's platform
Incident : Zero-click exploit WHA810090225
Root Causes: Insufficient Bounds Checking In Apple Image I/O Framework (Cve-2025-43300)., Incomplete Authorization For Whatsapp Linked Device Synchronization (Cve-2025-55177)., Exploit Chaining Enabled Zero-Click Compromise Without User Interaction.,
Corrective Actions: Apple: Tightened Memory Bounds Checking In Image I/O Framework., Whatsapp: Patched Synchronization Message Authorization And Updated Client Apps., User Guidance: Factory Reset And Update Enforcement.,
Incident : Zero-day exploit WHA28105328090725
Root Causes: Incomplete Authorization In Whatsapp'S Linked Device Synchronization., Lack Of User Interaction Requirements For Exploit Execution (Zero-Click)., Cross-Platform Dependency Risks (Whatsapp + Apple Os Vulnerabilities).,
Corrective Actions: Patched Whatsapp Ios/Macos Clients To Version 2.25.21.73+., Enhanced Monitoring For Linked Device Synchronization Abuses., Collaboration With Apple To Address Os-Level Zero-Day (Cve-2025-43300)., Proactive User Notifications For Targeted Individuals.,
Incident : Privacy Violation WHA2002220112025
Root Causes: Inadequate Rate Limiting In Contact Discovery Api, Over-Permissive Access To Public Profile Data (Pictures, Statuses, Timestamps), Lack Of Cardinality-Based Protections Against Bulk Queries, Key Reuse Vulnerability In Android Clients,
Corrective Actions: Deployed Probabilistic Rate Limiting (E.G., Bloom Filters) To Prevent Enumeration., Restricted Public Access To Profile Pictures/Status Messages., Removed Timestamps From Profile Picture Queries To Limit Metadata Exposure., Patched Android Key Reuse Vulnerability., Enhanced Api Monitoring For Abusive Queries.,
What is the company's process for conducting post-incident analysis ?
Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Amnesty International Security Lab (Investigation), , Amnesty International Security Lab, University Of Toronto'S Citizen Lab, , University of Vienna Security Researchers, Likely (implied by rate-limiting fixes).
What corrective actions has the company taken based on post-incident analysis ?
Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Apple: Tightened Memory Bounds Checking In Image I/O Framework., Whatsapp: Patched Synchronization Message Authorization And Updated Client Apps., User Guidance: Factory Reset And Update Enforcement., , Patched Whatsapp Ios/Macos Clients To Version 2.25.21.73+., Enhanced Monitoring For Linked Device Synchronization Abuses., Collaboration With Apple To Address Os-Level Zero-Day (Cve-2025-43300)., Proactive User Notifications For Targeted Individuals., , Deployed Probabilistic Rate Limiting (E.G., Bloom Filters) To Prevent Enumeration., Restricted Public Access To Profile Pictures/Status Messages., Removed Timestamps From Profile Picture Queries To Limit Metadata Exposure., Patched Android Key Reuse Vulnerability., Enhanced Api Monitoring For Abusive Queries., .
Additional Questions
General Information
Who was the attacking group in the last incident ?
Last Attacking Group: The attacking group in the last incident were an Paragon (suspected)Advanced persistent threat (APT) actors and University of Vienna Security Researchers (Ethical Disclosure).
Incident Details
What was the most recent incident detected ?
Most Recent Incident Detected: The most recent incident detected was on 2024-12-01.
What was the most recent incident publicly disclosed ?
Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-04-01.
What was the most recent incident resolved ?
Most Recent Incident Resolved: The most recent incident resolved was on 2025-09-20.
Impact of the Incidents
What was the most significant data compromised in an incident ?
Most Significant Data Compromised: The most significant data compromised in an incident were Mobile Numbers, , Phone Numbers, , Potential data theft, Messages, Device data (potential full access), , Potential device compromise, Spyware installation (e.g., Graphite), , Phone Numbers (3.5 billion), Public Profile Pictures (77 million from US accounts), Status Messages, Business Account Information, Device Details, Encryption Keys, Timestamps, Facial Recognition Data (66% of profile pictures contained detectable faces) and .
What was the most significant system affected in an incident ?
Most Significant System Affected: The most significant system affected in an incident was iOS devicesMac devicesAndroid devices (limited scope) and WhatsApp for iOS (<2.25.21.73)WhatsApp Business for iOS (<2.25.21.78)WhatsApp for Mac (<2.25.21.78)Apple iOS/macOS (via CVE-2025-43300) and WhatsApp Contact Discovery APIWhatsApp Android Clients (Key Reuse Vulnerability).
Response to the Incidents
What third-party assistance was involved in the most recent incident ?
Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was amnesty international security lab (investigation), , amnesty international security lab, university of toronto's citizen lab, , University of Vienna Security Researchers.
What containment measures were taken in the most recent incident ?
Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were WhatsApp server-side patches to block exploitUser notifications with mitigation steps, Patching vulnerable WhatsApp versions (iOS/macOS)Disrupting Paragon's Graphite spyware campaign and Cardinality-based rate limiting using probabilistic data structuresRestricted access to profile pictures and status messages (even if set to public)Removed timestamps from profile picture queries.
Data Breach Information
What was the most sensitive data compromised in a breach ?
Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Device Details, Potential data theft, Phone Numbers (3.5 billion), Messages, Encryption Keys, Facial Recognition Data (66% of profile pictures contained detectable faces), Spyware installation (e.g., Graphite), Business Account Information, Mobile Numbers, Status Messages, Device data (potential full access), Phone Numbers, Public Profile Pictures (77 million from US accounts), Potential device compromise and Timestamps.
What was the number of records exposed in the most significant breach ?
Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 4.1B.
Lessons Learned and Recommendations
What was the most significant lesson learned from past incidents ?
Most Significant Lesson Learned: The most significant lesson learned from past incidents was Facial recognition risks emerge when profile pictures are linked to identifiers like phone numbers.
What was the most significant recommendation implemented to improve cybersecurity ?
Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Conduct regular red-team exercises to test for large-scale data exposure vectors., Implement stricter rate limiting with probabilistic data structures (e.g., Bloom filters) to prevent enumeration attacks., Immediately update WhatsApp and device OS to the latest versions., Expand threat intelligence sharing with civil society organizations (e.g., Citizen Lab, Amnesty International)., Accelerate patch deployment for zero-day vulnerabilities in widely used applications., Enhance collaboration with OS vendors (e.g., Apple) to mitigate cross-platform risks., Implement stricter authorization controls for linked device synchronization., Audit third-party API access and contact discovery mechanisms for abuse potential., Enhance user education on privacy settings and risks of public profile data., Monitor for secondary risks (e.g., phishing, spam) stemming from exposed data., Use mobile security solutions (e.g., Malwarebytes) for additional protection., Restrict default visibility of profile pictures/status messages, even for 'public' settings., Monitor for unusual device behavior (e.g., battery drain, data usage spikes)., Enable advanced security features (e.g., Google Advanced Protection for Android)., Organizations should audit third-party app dependencies (e.g., Image I/O framework) for shared vulnerabilities. and Perform a factory reset if notified by WhatsApp of potential compromise..
References
What is the most recent source of information about an incident ?
Most Recent Source: The most recent source of information about an incident are WhatsApp Security Advisory, Malwarebytes Blog (Mitigation Guidance), WhatsApp Security Advisory (2025), BleepingComputer - WhatsApp patches zero-day used in Paragon spyware attacks, Amnesty International Security Lab, Amnesty International Security Lab Statement, Apple Security Update (CVE-2025-43300), Apple Security Updates (CVE-2025-43300), University of Vienna Security Research Team, WhatsApp Security Advisory (CVE-2025-55177) and Comparison with 2021 Facebook Data Leak.
What is the most recent URL for additional resources on cybersecurity best practices ?
Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://www.whatsapp.com/security/advisories/2025, https://www.bleepingcomputer.com/news/security/whatsapp-patches-zero-day-used-in-paragon-spyware-attacks/, https://www.amnesty.org/en/latest/news/2025/09/whatsapp-spyware-campaign-targets-journalists/, https://support.apple.com/en-us/HT214023 .
Investigation Status
What is the current status of the most recent investigation ?
Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (WhatsApp and Amnesty International collaboration).
Stakeholder and Customer Advisories
What was the most recent stakeholder advisory issued ?
Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Direct notifications to affected users with factory reset instructions., Public guidance on updating devices and apps., Targeted users notified via in-app alerts with remediation steps., Public advisory urging updates to WhatsApp and device OS., WhatsApp notified users via blog post and in-app notifications about privacy enhancements., .
What was the most recent customer advisory issued ?
Most Recent Customer Advisory: The most recent customer advisory issued were an Factory reset recommendation for potentially compromised devices.Urgent update prompts for WhatsApp and device OS.Security best practices (e.g., enabling advanced protection features)., Factory reset recommended for potentially compromised devices.Keep WhatsApp and device OS updated to latest versions.Monitor for unusual device behavior (indicative of spyware). and Users advised to review privacy settings and limit public profile data.
Initial Access Broker
What was the most recent entry point used by an initial access broker ?
Most Recent Entry Point: The most recent entry point used by an initial access broker were an Malicious WhatsApp message (zero-click) and Linked device synchronization messages (WhatsApp vulnerability).
Post-Incident Analysis
What was the most significant root cause identified in post-incident analysis ?
Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Bug in WhatsApp's platform, Insufficient bounds checking in Apple Image I/O framework (CVE-2025-43300).Incomplete authorization for WhatsApp linked device synchronization (CVE-2025-55177).Exploit chaining enabled zero-click compromise without user interaction., Incomplete authorization in WhatsApp's linked device synchronization.Lack of user interaction requirements for exploit execution (zero-click).Cross-platform dependency risks (WhatsApp + Apple OS vulnerabilities)., Inadequate rate limiting in contact discovery APIOver-permissive access to public profile data (pictures, statuses, timestamps)Lack of cardinality-based protections against bulk queriesKey reuse vulnerability in Android clients.
What was the most significant corrective action taken based on post-incident analysis ?
Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Apple: Tightened memory bounds checking in Image I/O framework.WhatsApp: Patched synchronization message authorization and updated client apps.User guidance: Factory reset and update enforcement., Patched WhatsApp iOS/macOS clients to version 2.25.21.73+.Enhanced monitoring for linked device synchronization abuses.Collaboration with Apple to address OS-level zero-day (CVE-2025-43300).Proactive user notifications for targeted individuals., Deployed probabilistic rate limiting (e.g., Bloom filters) to prevent enumeration.Restricted public access to profile pictures/status messages.Removed timestamps from profile picture queries to limit metadata exposure.Patched Android key reuse vulnerability.Enhanced API monitoring for abusive queries..
.png)
Latest Global CVEs (Not Company-Specific)
Description
Hitachi Vantara Pentaho Data Integration and Analytics Community Dashboard Framework prior to versions 10.2.0.4, including 9.3.0.x and 8.3.x display the full server stack trace when encountering an error within the GetCdfResource servlet.
Risk Information
cvss3
Base: 5.3
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Description
Pentaho Data Integration and Analytics Community Dashboard Editor plugin versions before 10.2.0.4, including 9.3.0.x and 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods.
Risk Information
cvss3
Base: 8.8
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
A security flaw has been discovered in CTCMS Content Management System up to 2.1.2. The impacted element is an unknown function in the library /ctcms/libs/Ct_Config.php of the component Backend System Configuration Module. The manipulation of the argument Cj_Add/Cj_Edit results in code injection. The attack can be executed remotely. The exploit has been released to the public and may be exploited.
Risk Information
cvss2
Base: 5.8
Severity: LOW
AV:N/AC:L/Au:M/C:P/I:P/A:P
cvss3
Base: 4.7
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
cvss4
Base: 5.1
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
A vulnerability was identified in CTCMS Content Management System up to 2.1.2. The affected element is the function Save of the file /ctcms/libs/Ct_App.php of the component Backend App Configuration Module. The manipulation of the argument CT_App_Paytype leads to code injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
Risk Information
cvss2
Base: 5.8
Severity: LOW
AV:N/AC:L/Au:M/C:P/I:P/A:P
cvss3
Base: 4.7
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
cvss4
Base: 5.1
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
Weblate is a web based localization tool. In versions prior to 5.15, it was possible to accept an invitation opened by a different user. Version 5.15. contains a patch. As a workaround, avoid leaving one's Weblate sessions with an invitation opened unattended.
Risk Information
cvss4
Base: 1.0
Severity: HIGH
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Access Data Using Our API
Get company history
curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=whatsapp.' -H 'apikey: YOUR_API_KEY_HERE'
RapidWhat Do We Measure ?
Incident
Finding
Grade
Digital Assets
Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.
These are some of the factors we use to calculate the overall score:
Network Security
Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.
SBOM (Software Bill of Materials)
Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.
CMDB (Configuration Management Database)
Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.
Threat Intelligence
Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.
Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.
