Although we have no information that would confirm who's behind the attack, the spyware used is usually sold to governments.
A WhatsApp spokesperson said the company was encouraging people to upgrade to the latest version of the app, "as well as keep their mobile operating system up to date, to protect against potential targeted exploits created to compromise information stored on mobile devices".
Ireland's Data Protection Commission, which supervises Facebook's activities in Europe, said it had been informed of the vulnerability on Monday, adding it was unclear at this stage whether any European Union user data had been affected. Developers believe hackers were able to remotely install surveillance software on people's devices by exploiting a vulnerability in the service.
WhatsApp said it made changes to its infrastructure last week to prevent the attack from happening, and issued an update for its app.
WhatsApp has recently corrected a serious vulnerability that allowed any attacker to install a spyware on the victim's smartphone (Android and iOS) without his knowledge.
The Facebook-owned firm admitted that a weak spot in its app's voice-call software enabled the installation of spyware in dozens of users' phones by an "advanced cyberactor", which may have been a nation state.
Once installed on a phone, the spyware - named Pegasus - can extract virtually all the data that's on a smartphone; whether that be text messages, Global Positioning System location, email, browser history or anything else. The vulnerability was used in an attempted attack on the phone of a UK-based attorney on 12 May.
Here's what WhatsApp users can do following the breach: Even though WhatsApp said it remedied the vulnerability, it's urging users to update their smartphones with the latest version of the WhatsApp app. Researchers at the University of Toronto's Citizen Lab have told the Times a lawyer representing the plaintiffs was targeted with Pegasus through the WhatsApp vulnerability on Sunday.
This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems.
Even though Facebook does not directly name the NSO Group, it appears to be the most likely culprit. "NSO would not or could not use its technology in its own right to target any person or organization".
WhatsApp did not comment on the number of users affected or who targeted them, and said it had reported the matter to U.S. authorities.