Meta lawsuit puts permissions creep in the spotlight

Written by:

Sarah Kinbar, Strategic Content Writer

Permissions creep is the silent, unintended growth of access rights inside an organization. Employees switch teams but keep old permissions. Temporary admin privileges never get revoked. Legacy accounts stay active long after they should be disabled. Over time, resource access piles up while no one is watching.

The result is that a single compromised account can open the door to systems and data far beyond what that person should reasonably touch. For attackers, permissions creep is not just an opportunity. It’s an invitation.

Lessons from the Meta lawsuit

The risks became headline news this month when Attaullah Baig, former head of security at WhatsApp, filed a whistleblower lawsuit against parent company Meta. His allegations read like a case study in permissions creep gone unchecked.

According to the complaint, more than 1,500 engineers at Meta had broad, uncontrolled access to sensitive user data. This level of access created systemic insider risk: if even one account was compromised, an attacker could pivot into data troves holding billions of user records, Baig alleged.

The lawsuit also claimed that WhatsApp accounts were being hijacked at a rate of hundreds of thousands per day, and that Meta failed to enforce meaningful restrictions on developer access. To make matters worse, Meta has been under a Federal Trade Commission consent decree since 2020. If the claims hold up, the company wasn’t just cutting corners; it was potentially violating federal orders.

Why Zero Trust is the antidote

Zero Trust is designed to dismantle the very conditions that allow unchecked access to thrive. It replaces implicit trust with continuous verification, ensuring that users can access only the resources they need, for as long as they need them, and nothing more.

The principles are straightforward but powerful:

  • Least privilege: Users never receive broader permissions than their role requires.
  • Just-in-time administration (JITA): Higher-level rights are granted only temporarily and then revoked automatically.
  • Segmentation: Boundaries are defined between applications and data, so even if an account is compromised, the attacker cannot move freely across the network.
  • Ringfencing®: Enforces these boundaries at the application level, controlling what software can talk to what, and preventing unauthorized connections between trusted apps and untrusted destinations.

These controls don’t eliminate compromise, but they shrink the blast radius when compromise occurs.
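To make the least-privilege and just-in-time principles above concrete, here is an added example written for this article (it is not ThreatLocker product code). It models an account that holds only its standing role, with admin rights existing solely as time-boxed grants that a scheduled sweep revokes automatically. The class and function names, the role table and the four-hour cap on any grant are assumptions for the demonstration.

```python
"""Just-in-time (JIT) elevation with automatic expiry.

Added example, not ThreatLocker code: standing permissions come from the
role; anything higher is a grant with a justification and a hard expiry,
and a sweep revokes it without a human having to remember.
Names, the role table and MAX_GRANT are assumptions for this demo.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Standing role -> permissions (constructed sample; a real deployment reads this from the IdP/RBAC)
ROLE_PERMISSIONS = {
    "engineer": {"repo:read", "repo:write", "ci:run"},
    "support": {"tickets:read", "tickets:write"},
}

MAX_GRANT = timedelta(hours=4)  # hard cap on any single elevation (assumption)


@dataclass
class Grant:
    user: str
    permission: str
    justification: str
    expires_at: datetime


@dataclass
class JitStore:
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def request(self, user, role, permission, justification, ttl, now):
        """Issue a time-boxed grant, or refuse it if it breaks the guard rails."""
        if ttl <= timedelta(0) or ttl > MAX_GRANT:
            raise ValueError(f"ttl must be > 0 and <= {MAX_GRANT}")
        if not justification.strip():
            raise ValueError("a ticket or change id is required")
        if permission in ROLE_PERMISSIONS.get(role, set()):
            raise ValueError("already held by the standing role; no elevation needed")
        g = Grant(user, permission, justification, now + ttl)
        self.grants.append(g)
        self.audit_log.append(("grant", user, permission, justification, g.expires_at.isoformat()))
        return g

    def revoke_expired(self, now):
        """The automatic revocation sweep: run from a scheduled job, not by hand."""
        expired = [g for g in self.grants if g.expires_at <= now]
        self.grants = [g for g in self.grants if g.expires_at > now]
        for g in expired:
            self.audit_log.append(("revoke", g.user, g.permission, "expired", now.isoformat()))
        return len(expired)

    def effective_permissions(self, user, role, now):
        """Standing role plus still-valid grants. An expired grant never counts,
        even if the sweep has not run yet, so a missed cron job cannot leave
        admin rights in place."""
        perms = set(ROLE_PERMISSIONS.get(role, set()))
        perms |= {g.permission for g in self.grants if g.user == user and g.expires_at > now}
        return perms


def demo():
    """One grant lifecycle: during the window, after it, then the sweep."""
    t0 = datetime(2025, 9, 15, 9, 0, tzinfo=timezone.utc)
    store = JitStore()
    store.request("alice", "engineer", "prod:admin", "CHG-1234", timedelta(hours=1), t0)
    during = store.effective_permissions("alice", "engineer", t0 + timedelta(minutes=30))
    after = store.effective_permissions("alice", "engineer", t0 + timedelta(hours=2))
    revoked = store.revoke_expired(t0 + timedelta(hours=2))
    return during, after, revoked


def request_is_rejected(permission, ttl_hours):
    """True if the guard rails refuse the request (used to exercise the checks)."""
    store = JitStore()
    t = datetime(2025, 1, 1, tzinfo=timezone.utc)
    try:
        store.request("bob", "engineer", permission, "CHG-1", timedelta(hours=ttl_hours), t)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

The point of `effective_permissions` ignoring expired grants even before `revoke_expired` runs is that revocation must not depend on the sweep firing; the sweep exists to clean up and to write the audit record, not to be the only thing standing between an expired grant and live admin rights.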

Why enterprises should pay attention

It might be tempting for large organizations to dismiss the Meta lawsuit as someone else’s problem. But permissions creep is not unique to one company—it is a structural risk in every enterprise. With thousands of employees, contractors, and systems in play, access grows fast. Over-permissioned users, orphaned accounts, and standing admin rights can accumulate silently across the environment.

The difference is that enterprises operate under intense scrutiny. Regulatory frameworks, customer expectations, and shareholder confidence all hinge on the ability to prove control over sensitive data. A single permissions-related breach can trigger investigations, fines, and lasting reputational damage.

As John Lilliston, ThreatLocker Detect Product Director, explained: “Permissions creep is inevitable without active intervention. Zero Trust is how you fight back. It assumes compromise will happen and makes sure it can’t spread.”

From creep to control

The Meta lawsuit put permissions creep on the front page, but the story is not really about Meta. It is about the universal reality that access accumulates silently, and if it is not reined in, it becomes the attacker’s greatest advantage.

Zero Trust gives organizations a framework to take that advantage away—one policy, one access control, and one revoked permission at a time.

Access control program checklist

IT operations

  • Inventory and classify all user accounts and service accounts monthly, disabling any inactive or unnecessary accounts immediately.
  • Establish a baseline practice of enforcing multi-factor authentication (MFA) on all remote access, privileged accounts, and cloud services.
  • Audit and remove unneeded administrative privileges, replacing them with “just-in-time” elevation tools or workflows.
  • Implement role-based access controls (RBAC) and standardize group memberships, reviewing them quarterly.

GRC and compliance staff

  • Establish a formal access review schedule (e.g., quarterly) requiring managers to verify user access against current job functions.
  • Document and enforce an access provisioning and deprovisioning procedure, ensuring all access requests are logged and tied to ticketing workflows. Adapt these procedures as needed for employee onboarding, termination, and the handling of third parties and contractors.
  • Map critical systems and data to required access levels, ensuring any excessive or shared access is flagged for remediation during reviews.

Security architects

  • Design a policy baseline where every access request, from users, systems, and applications alike, is authenticated, authorized, and continuously validated.
  • Segment access by resource sensitivity (e.g., sensitive data, admin tools, code repos) and enforce stricter policies for higher-risk systems.
  • Check for service accounts and disable any that have been inactive for over 60 days. Set up a task to routinely remove old accounts.
  • Implement continuous session monitoring to detect anomalous access patterns, with automatic alerts for privileged misuse or lateral movement.

CISOs and security leaders

  • Set a “Zero Trust by default” access policy as a company-wide objective, and communicate that access is a privilege, not an entitlement.
  • Include access control KPIs in security reporting, such as percentage of accounts with MFA, number of unused privileged accounts removed, or access review completion rates.
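The inventory, stale-account, standing-admin and MFA items in the IT operations list, the 60-day service-account check for architects, and the KPIs asked of security leaders can all be produced from one account export. The script below is an added example written for this article, not ThreatLocker code: it reads a constructed CSV export (the column names, the set of groups treated as privileged, and the 60-day threshold are assumptions), flags the accounts each checklist item would catch, and computes the KPIs from the same findings.

```python
"""Access review over an exported account inventory.

Added example, not ThreatLocker code. Runs the checklist items above
(inactive accounts, standing admin rights, privileged accounts without
MFA, orphaned users, KPI reporting) over a constructed CSV export.
Column names, PRIVILEGED_GROUPS and the 60-day threshold are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export (roughly what an IdP or AD dump looks like); not real data.
INVENTORY_CSV = """\
account,type,last_logon,groups,mfa,manager,enabled
alice,user,2025-09-10T08:00:00Z,Engineers;Domain Admins,yes,cto,yes
bob,user,2025-05-01T12:00:00Z,Engineers,yes,alice,yes
svc_backup,service,2025-06-20T03:00:00Z,Backup Operators,no,,yes
svc_legacy_etl,service,2024-11-02T01:00:00Z,Domain Admins,no,,yes
carol,user,2025-09-12T09:30:00Z,Support,no,alice,yes
dave,user,2025-09-01T10:00:00Z,Helpdesk;Domain Admins,no,alice,yes
eve,user,2025-02-14T16:00:00Z,Engineers,no,,yes
"""

# Assumption: group membership that counts as standing administrative rights.
PRIVILEGED_GROUPS = {"Domain Admins", "Backup Operators"}


def load_inventory(text):
    """Parse the export into typed records."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["groups"] = set(filter(None, r["groups"].split(";")))
        r["last_logon"] = datetime.fromisoformat(r["last_logon"].replace("Z", "+00:00"))
        r["mfa"] = r["mfa"].lower() == "yes"
        r["enabled"] = r["enabled"].lower() == "yes"
        rows.append(r)
    return rows


def review(accounts, now, inactive_days=60):
    """Apply the checklist to every enabled account and return the findings."""
    cutoff = now - timedelta(days=inactive_days)
    findings = {"inactive": [], "standing_admin": [], "admin_without_mfa": [], "orphaned": []}
    for a in accounts:
        if not a["enabled"]:
            continue  # already disabled; nothing to remediate
        name = a["account"]
        privileged = bool(a["groups"] & PRIVILEGED_GROUPS)
        if a["last_logon"] < cutoff:
            findings["inactive"].append(name)          # disable (users and service accounts alike)
        if privileged:
            findings["standing_admin"].append(name)    # candidate for JIT elevation instead
            if not a["mfa"]:
                findings["admin_without_mfa"].append(name)
        if a["type"] == "user" and not a["manager"]:
            findings["orphaned"].append(name)          # no owner to attest in an access review
    return findings


def kpis(accounts, findings):
    """The access-control KPIs a CISO would put in a security report."""
    users = [a for a in accounts if a["type"] == "user" and a["enabled"]]
    mfa_pct = round(100 * sum(a["mfa"] for a in users) / len(users), 1) if users else 0.0
    to_disable = set(findings["inactive"]) | set(findings["orphaned"])
    return {
        "mfa_coverage_pct": mfa_pct,
        "standing_admin_accounts": len(findings["standing_admin"]),
        "privileged_without_mfa": len(findings["admin_without_mfa"]),
        "accounts_to_disable": len(to_disable),
    }


def run_review(now=None):
    """Run the whole review against the constructed export for a fixed 'now'."""
    now = now or datetime(2025, 9, 15, tzinfo=timezone.utc)
    accounts = load_inventory(INVENTORY_CSV)
    findings = review(accounts, now)
    return findings, kpis(accounts, findings)


if __name__ == "__main__":
    for section, items in run_review()[0].items():
        print(f"{section}: {', '.join(items) or '-'}")
    print(run_review()[1])
```

Two things the sample is built to show: a service account with standing Domain Admins membership and no recent logon (`svc_legacy_etl`) trips three findings at once, which is exactly the profile the lawsuit allegations describe; and an orphaned user (`eve`, no manager on record) cannot be attested by anyone in a quarterly review, so the script treats it as a disable candidate rather than leaving it for a reviewer who does not exist.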

Next step: Lock down who can touch your data

Permissions creep affects not just the systems a user can access, but also the individual data files and shares. ThreatLocker® Storage Control lets you set who can access sensitive files, when, and with which applications. Lock down network shares, cloud storage, and USB devices.  
