TL;DR: WhatsApp rolled out “Strict Account Settings” on January 28, 2026: a single toggle that locks down your last seen, profile photo, group invites, link previews, unknown callers, and more. It also forces two-step verification on. Meta says it’s for “journalists or public-facing figures” who face sophisticated attacks, but anyone can turn it on. The feature launched three days after a lawsuit accused Meta of lying about WhatsApp’s encryption. Meta calls the lawsuit “frivolous.” Elon Musk says WhatsApp isn’t secure. Telegram’s CEO called anyone who trusts it “braindead.” WhatsApp’s head fired back. It’s been a week.

What Strict Account Settings Actually Changes

Here’s what flipping one toggle does to your WhatsApp account:

  • Last seen and online status: Restricted to contacts only. Strangers can’t see when you’re active.
  • Profile photo: Hidden from non-contacts.
  • About info: Hidden from non-contacts.
  • Group invites: Only your contacts can add you to groups. No more random group spam.
  • Link previews: Disabled entirely. Links you send won’t generate preview cards. This prevents metadata leaks to link preview servers.
  • Unknown callers: Silenced. Calls from numbers not in your contacts won’t ring your phone.
  • Unknown media: Attachments and media from unknown senders are blocked automatically.
  • High-volume unknown messages: Bulk messages from unknown numbers are filtered out.
  • Two-step verification: Forced on. You’ll need a PIN in addition to SMS verification.
  • Security code change notifications: Enabled. You’ll get an alert if someone’s encryption key changes, a potential sign of a man-in-the-middle attack or device swap.

You can still customize individual settings after enabling the mode. Turning on Strict Account Settings doesn’t lock you out of granular control. It just sets everything to the most restrictive default.[1]

How to Turn It On

Go to Settings > Privacy > Advanced on iOS or Android.

One catch: you can only toggle this from your primary phone. WhatsApp Web, Windows, and other linked devices can’t change the setting. That’s intentional: if someone compromises a linked device, they can’t downgrade your security remotely.[2]

The feature is rolling out globally over the next few weeks. If you don’t see it yet, check back.

Who Actually Needs This

Meta says Strict Account Settings is built for “journalists or public-facing figures” facing “rare and highly sophisticated cyberattacks.”[3]

That tracks. If you’re a journalist covering authoritarian governments, a dissident in exile, or a human rights researcher, your WhatsApp is a target. We’ve covered how ICE bought Paragon’s Graphite spyware that reads WhatsApp messages with zero-click exploits. Lockdown modes help reduce your attack surface when people are actively trying to compromise you.

But here’s the thing: there’s no reason the rest of us shouldn’t use it too.

Most of these settings are things privacy-conscious users set manually years ago. WhatsApp just bundled them into a single switch. If you’ve been meaning to lock down your account but never got around to digging through menus, this does it for you.

John Scott-Railton, a researcher at Citizen Lab who helps defend civil society figures from state-sponsored hacking, called it “a very welcome development.” He added: “My hope is that others follow suit.”[4]

Following Apple’s Playbook

This isn’t a new idea. Apple launched Lockdown Mode in September 2022, disabling features like link previews in Messages, FaceTime calls from unknown contacts, and complex web browsing features. Google followed with Advanced Protection Mode for Android in 2025.

WhatsApp’s version is narrower: it only affects the messaging app, not the whole device. But the principle is the same: accept some inconvenience in exchange for a smaller target.

The difference is that Apple and Google are locking down entire operating systems. Meta is locking down one app, the one that 2 billion people use to communicate. When your messaging app is the single most common target for mercenary spyware, a lockdown toggle makes sense.[3]

The Timing Is... Something

Three days before Strict Account Settings dropped, an international group of plaintiffs sued Meta in San Francisco federal court. Their claim: WhatsApp’s end-to-end encryption is a lie.[5]

The 51-page complaint cites unnamed “whistleblowers” who say Meta engineers can bypass encryption by sending internal “tasks” through company systems. Once approved, the complaint alleges, a widget becomes available letting staff read user messages. The plaintiffs come from Australia, Brazil, India, Mexico, and South Africa.[6]

Meta’s response was unambiguous. Spokesperson Andy Stone called it “a frivolous work of fiction” and said the company will “pursue sanctions against plaintiffs’ counsel.” He stated: “WhatsApp has been end-to-end encrypted using the Signal protocol for a decade.”[5]

WhatsApp head Will Cathcart went further, pointing out that the lawyers behind the lawsuit previously defended NSO Group, the company whose Pegasus spyware was used to target journalists and government officials through WhatsApp itself.[7]

Is the lawsuit credible? The legal theory is aggressive and the sourcing is anonymous. But the timing created a PR problem that Strict Account Settings conveniently addresses. Accused of not caring about user privacy? Here’s a big shiny security toggle.

Musk, Durov, and the Security Wars

Because nothing stays quiet in tech for long, Elon Musk jumped on the lawsuit news to declare WhatsApp “not secure,” adding that even Signal was “questionable.”[8]

Telegram CEO Pavel Durov piled on, posting that you’d have to be “braindead to believe WhatsApp is secure in 2026.”[8]

Cathcart fired back at both. Musk owns X, which doesn’t offer end-to-end encryption for direct messages at all. Telegram only encrypts “secret chats” end-to-end. Regular Telegram messages sit on servers in plaintext where Telegram can read them. And both platforms had their own security incidents in 2025.

None of these billionaires are your friends when it comes to privacy. But the public brawl is useful: it forces all of them to compete on security features. WhatsApp’s lockdown toggle exists partly because competitors are breathing down its neck.

The Under-the-Hood Upgrade

Buried in the same announcement: Meta replaced WhatsApp’s legacy C++ media processing library with one written in Rust. The company said the new code is “smaller, safer, and easier to maintain” and proves that “Rust is production ready at a global scale.”[1]

This matters more than the shiny toggle, honestly. C++ memory safety bugs are how spyware like Pegasus and Graphite get in: buffer overflows, use-after-free vulnerabilities, that sort of thing. Rust eliminates entire categories of those bugs by design. Replacing the media library (the component that processes every image, video, and voice note you receive) with Rust code closes some of the most common attack vectors.

It’s not as marketable as a “lockdown mode” button. But it’s arguably better security.

What This Doesn’t Fix

Strict Account Settings makes you harder to target through WhatsApp’s own features. It does not:

  • Protect against zero-click exploits. Spyware like Pegasus and Graphite attack the operating system, not WhatsApp’s settings. Lockdown mode won’t stop a government-grade exploit.
  • Stop Meta from collecting metadata. Who you message, when, how often, and from what IP address: none of that changes. Message content stays encrypted. But metadata tells a story all by itself.
  • Make WhatsApp as private as Signal. Signal collects virtually no metadata. WhatsApp collects plenty. That’s a fundamental architectural difference no toggle can fix.
  • Address the lawsuit claims. If Meta engineers can somehow bypass encryption (and that’s a massive if) a user-facing toggle doesn’t change backend access.

This feature is harm reduction, not a cure. It narrows the attack surface for social engineering, spam, and opportunistic attacks. For state-level threats, you need device-level protections too: Apple Lockdown Mode, up-to-date OS patches, and ideally a separate device for sensitive communications.

What You Should Do

Turn It On

Go to Settings > Privacy > Advanced and enable Strict Account Settings when it appears. The trade-offs are minor (no link previews, silenced unknown callers) and the protections are real.

Enable Two-Step Verification Anyway

Don’t wait for Strict Account Settings to roll out to you. Go to Settings > Account > Two-step verification and turn it on now. This is the single most important WhatsApp security setting.

Check Linked Devices

Go to Settings > Linked Devices and review what’s connected. Remove anything you don’t recognize. Linked devices are a common persistence mechanism for compromised accounts.

Consider Signal for Sensitive Conversations

WhatsApp encrypts message content. Signal encrypts content and minimizes metadata. For genuinely sensitive communications (source conversations, legal discussions, activist coordination) Signal remains the better choice.

The Bottom Line

WhatsApp’s Strict Account Settings is a genuinely useful feature wrapped in suspiciously convenient timing. Launched on Data Privacy Day, three days after an encryption lawsuit, during a public spat with Elon Musk and Pavel Durov. If you’re cynical, it’s a PR move. If you’re practical, it’s still a free security upgrade.

Turn it on. Then remember that no single toggle makes a messaging app owned by an advertising company into a privacy tool. Use the lockdown mode. Use two-step verification. Use Signal when it matters. And don’t let any tech CEO (Zuckerberg, Musk, or Durov) tell you they’re the good guy.

References

  1. The Register: WhatsApp Adds One-Toggle Privacy Lockdown Mode (January 27, 2026)
  2. Business Standard: WhatsApp Introduces Strict Account Settings Security Feature (January 28, 2026)
  3. Engadget: WhatsApp Introduces an Advanced Security Mode to Protect Against Hackers (January 2026)
  4. Yahoo Tech: WhatsApp Is Rolling Out a New Stricter Security Setting (January 2026)
  5. Bloomberg via Yahoo Finance: Lawsuit Claims Meta Can See WhatsApp Chats in Breach of Privacy (January 25, 2026)
  6. Arise News: Lawsuit Accuses Meta of Accessing Private WhatsApp Chats Despite Encryption Claims (January 2026)
  7. BusinessToday: Elon Musk Says WhatsApp Not Secure as Lawsuit Questions Encryption (January 27, 2026)
  8. India TV News: Elon Musk Sparks Privacy Debate Over WhatsApp Security (January 27, 2026)