- WhatsApp was hacked, exposing a “serious security vulnerability” first reported on by the Financial Times on Monday.
- More than 12 hours after the story broke, Facebook has not blogged about the issue or notified users directly that WhatsApp needs to be updated.
- It brings to mind Facebook’s catastrophic response to the Cambridge Analytica data breach, when CEO Mark Zuckerberg was not seen for five days.
- The WhatsApp hack shows your data is still vulnerable to bad actors. And Facebook is still slow to talk to its users when bad things happen to that data.
- Visit BusinessInsider.com for more stories.
“Simple. Personal. Secure.”
That’s the tagline that sits next to WhatsApp on the Google Play Store. But in the past 24 hours, the final word in that promotional message has been challenged by a sophisticated hack.
A simple missed call on WhatsApp from any bad actor using software created by NSO, a company that creates surveillance products used by some repressive governments, could have exposed your phone to spyware that would have collected information such as your private messages and location data.
It has been described as a “serious security vulnerability” by the Irish Data Protection Commission – one that will require further investigation to establish whether any of WhatsApp’s 1.5 billion users have been affected.
Now, you would think in Facebook’s new era of transparency, the company would be straining to let users know about the attack and how to protect themselves. Not quite.
Facebook has known about the hack since early May. And while it seems sensible that it work to fix the vulnerability before revealing it to the world, the firm appeared ill-prepared for it to go public.
The public found out about the hack by the Financial Times, days after Facebook began rolling out a fix for the issue to iPhone, Android, and Windows phone users. The update mentions nothing about security.
“It’s now easier to start group voice and video calls,” it says on Android. “Just tap the call button in groups or select ‘New group call’ when starting a new call in the call tabs. Group calls support up to 4 participants.”
On Apple, it says: “You can now see stickers in full size when you long press a notification.”
Facebook provided the British newspaper and others, including Business Insider, with a statement acknowledging the incident and urging users to update WhatsApp. There’s also an opaque security message on Facebook.
But where is the direct notification sent to WhatsApp users telling them that their data may have been compromised? Where’s the direct prompt to update the app? Where is the blog post outlining the issue? Where’s the advice to worried users?
- Christian Wiediger/Unsplash
If you had not seen the news, you would still be in the dark – and still theoretically vulnerable to attack from the bad actors planning a smash-and-grab on your data.
And I’m not the only one who has noted Facebook’s wall of silence when it comes to notifying its users of the issue directly. “We believe WhatsApp needs to be much more transparent,” a Privacy International spokesman told us. “We haven’t seen a notification on the app itself that would inform users about both, the bug, and the fix.”
I have asked Facebook why it has not communicated the issue directly to users. It has not responded to my question.
It brings to mind Facebook’s catastrophic response to the Cambridge Analytica data breach last year, when CEO Mark Zuckerberg was not seen for five days. In the apology tour that followed, he repeated platitudes about openness and transparency, and there’s no doubt Facebook has improved.
But to not say a word to users about a serious hack more than 12 hours after it makes its way into the public domain shows that Facebook has still not yet fully learned from its mistakes.
And what’s worse, it strikes right at the heart of Zuckerberg’s vision for his company. WhatsApp is the centerpiece in his strategy to make Facebook a more private place by building out end-to-end encryption.
But the WhatsApp hack shows your data is still vulnerable in Facebook’s hands. And Facebook is still reluctant to come clean when bad things happen to that data.