
WhatsApp’s former security head is taking on his old boss in a big way. Attaullah Baig just dropped a bombshell federal lawsuit against Meta, claiming the company repeatedly broke cybersecurity rules and fired him for pointing out massive security problems. The 115-page filing, lodged in San Francisco, paints a damning picture of a company culture he describes as “cult-like”—one that was obsessed with gaining more users, even if it meant sacrificing their safety.
So, what exactly went wrong? Baig, who led WhatsApp’s security from 2021 to 2025, claims a shocking 1,500 engineers had free rein to access user data with virtually no supervision. This could be a direct violation of the $5 billion penalty order Meta received back in 2020. According to the lawsuit, internal tests proved that engineers could easily “move or steal user data”—including your contacts, IP address, and profile pictures—“without detection or audit trail.” Essentially, your private information was allegedly an open book with no way to track who was looking.
The alleged problems didn’t stop at unauthorized access. The complaint lays out a series of other critical security failures. Baig says he found that the company wasn’t properly tracking user data as required by major privacy laws in California and the EU, as well as the terms of its Federal Trade Commission settlement. Even more troubling, the lawsuit accuses Meta’s security team of “fabricating security reports” to hide the fact that they chose not to fix risks that could let data leak out.
Perhaps the most alarming claim for everyday users involves account hacking. The former security chief reported that account takeovers were hitting around 100,000 WhatsApp users every day in 2022. By 2023, that number had surged to a staggering 400,000 users getting locked out of their accounts daily. Despite these widespread breaches, Baig alleges that Meta actively blocked his team from rolling out security fixes that could have solved the problem, reportedly because it put user growth first.
The lawsuit also points to a massive data scraping issue that allegedly allowed bad actors to harvest images and names from roughly 400 million user profiles each year to use for scams and impersonation. Baig says he suggested a simple fix: restrict profile access to make it more secure, similar to how Signal and Apple Messages operate. However, Meta’s leadership supposedly shot down the idea, fearing it would slow down WhatsApp’s expansion.
After flagging these serious issues to top executives, including WhatsApp head Will Cathcart and Meta CEO Mark Zuckerberg, Baig claims he faced increasing pushback. The lawsuit details a pattern of retaliation that included poor performance reviews and verbal warnings, culminating in his firing in February 2025 for what the company called “poor performance.” Before he was let go, Baig had already taken his concerns to federal regulators like the Securities and Exchange Commission.
Meta is firing back, strongly denying all the accusations. Carl Woog, WhatsApp’s vice president of communications, dismissed the lawsuit as “a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims.” The company points out that the Department of Labor’s safety division (OSHA) has already dismissed Baig’s initial complaint, finding no proof of retaliation. Meta is also challenging Baig’s credibility by claiming he was a lower-level engineer, not the head of security.
This explosive case doesn’t exist in a vacuum. It lands as Meta faces intense scrutiny over how it handles data across all its platforms, which serve billions of people worldwide. It also adds another major legal headache for the company, which is still operating under the strict terms of the 2020 Cambridge Analytica settlement—a deal that’s supposed to stay in effect until 2040.