What happened
Telegram founder Pavel Durov publicly criticized WhatsApp’s “end-to-end encryption by default” claims, calling them misleading and alleging that user messages may still be exposed through cloud backups.
Who is affected
The issue potentially impacts WhatsApp’s billions of global users, particularly those relying on default settings that may store chat backups on third-party cloud services like iCloud or Google Drive.
Why CISOs should care
The controversy highlights the gap between end-to-end encryption of messages in transit and the protection of copies at rest. WhatsApp end-to-end encrypts messages between devices, but a chat backup written to iCloud or Google Drive is a separate copy: unless the user has turned on end-to-end encrypted backups, an optional setting, that copy is protected only by the cloud account and the provider's own keys. It is therefore reachable through theft of the cloud account credentials, a misconfigured or over-shared account, or a legal access request served on the cloud provider rather than on WhatsApp.
It also underscores a broader enterprise risk: employees often assume consumer-grade messaging apps are fully secure, when in reality optional settings and user behaviour, backup choices above all, can weaken protections. This disconnect can leave sensitive business communications sitting in personal cloud accounts, outside corporate security controls.
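The key-custody distinction the paragraph above turns on, as an added illustration rather than anything from the original page or from WhatsApp, Apple or Google: a message sealed with a key held only by the two endpoints is opaque to the relay server, a backup sealed with a key the provider holds is readable by whoever can compel or compromise that provider account, and a backup keyed from a user passphrase the provider never sees is not. The HMAC-based toy cipher, the `CloudProvider` class, the account name and the sample chat text are all constructed for this example and do not model WhatsApp's real backup protocol.

```python
"""Toy model of the key-custody difference behind the WhatsApp backup debate.

Illustration only: the stream cipher and the "cloud provider" here are constructed
for this example; they are not WhatsApp's, Apple's or Google's code or protocol.
"""
import hashlib
import hmac
import secrets
from typing import Optional

NONCE_LEN, TAG_LEN, SALT_LEN = 16, 32, 16
KDF_ITERATIONS = 100_000


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # CTR-style keystream from HMAC-SHA256 (toy cipher, stdlib only; not for production use).
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if this key does not authenticate the blob."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return _keystream_xor(key, nonce, ct)


class CloudProvider:
    """Stands in for iCloud / Google Drive: stores backup blobs and holds a key of its own."""

    def __init__(self) -> None:
        self.blobs: dict = {}
        self.provider_key = secrets.token_bytes(32)  # assumed provider-managed at-rest key

    def upload(self, account: str, blob: bytes) -> None:
        self.blobs[account] = blob

    def disclose(self, account: str) -> Optional[bytes]:
        """What a legal request, an insider, or an account-credential thief obtains in the clear."""
        return unseal(self.provider_key, self.blobs[account])


def backup_provider_keyed(cloud: CloudProvider, account: str, chat: bytes) -> None:
    """Default-style backup: encrypted at rest, but under a key the provider holds."""
    cloud.upload(account, seal(cloud.provider_key, chat))


def _passphrase_key(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS, dklen=32)


def backup_e2ee(cloud: CloudProvider, account: str, chat: bytes, passphrase: str) -> None:
    """Opt-in style backup: key derived from a user secret the provider never sees."""
    salt = secrets.token_bytes(SALT_LEN)  # the salt is public; the passphrase is not
    cloud.upload(account, salt + seal(_passphrase_key(passphrase, salt), chat))


def restore_e2ee(cloud: CloudProvider, account: str, passphrase: str) -> Optional[bytes]:
    """Only a holder of the passphrase can turn the stored blob back into chat history."""
    stored = cloud.blobs[account]
    salt, blob = stored[:SALT_LEN], stored[SALT_LEN:]
    return unseal(_passphrase_key(passphrase, salt), blob)


def demo() -> dict:
    """Run both backup modes for one constructed chat and report who can read what."""
    chat = b"Board deck: acquisition target is ACME Corp, do not forward"  # constructed sample
    account = "alice@example.invalid"  # hypothetical account
    session_key = secrets.token_bytes(32)  # held by the two chat endpoints only
    on_the_wire = seal(session_key, chat)  # what the messaging relay actually sees

    cloud = CloudProvider()
    backup_provider_keyed(cloud, account, chat)
    default_disclosed = cloud.disclose(account)

    backup_e2ee(cloud, account, chat, "correct horse battery staple")
    e2ee_disclosed = cloud.disclose(account)

    return {
        "chat": chat,
        "relay_can_read": unseal(secrets.token_bytes(32), on_the_wire) is not None,
        "default_backup_disclosed": default_disclosed,
        "e2ee_backup_disclosed": e2ee_disclosed,
        "e2ee_restore": restore_e2ee(cloud, account, "correct horse battery staple"),
        "e2ee_restore_wrong_passphrase": restore_e2ee(cloud, account, "hunter2"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

In this toy model the end-to-end encrypted backup is only as strong as the passphrase, because anyone who obtains the blob (for example through stolen cloud credentials) can try passphrases offline; it makes no claim about how real products limit such guessing. The point it does make is the one that matters for the brief: the same plaintext can be unreadable to the relay and fully readable to the cloud provider, and the only difference is who holds the backup key.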
3 practical actions
- Audit employee use of messaging apps and enforce policy on which channels are approved for business communication.
- Where a consumer app is tolerated, require end-to-end encrypted backups keyed by a user passphrase rather than by the cloud account, or disable cloud backups entirely for sensitive conversations.
- Educate users on the difference between end-to-end encryption of messages in transit and the separate copies of those messages held in cloud backups, and on who holds the keys to each.
