The once-popular app Whisper promises a place where you can share secrets anonymously. According to a Washington Post report, however, it left sensitive information that can be tied to users’ confessions exposed to the public for years. Apparently, Whisper kept a non-password-protected database that allowed anyone to freely browse its records. Those records included users’ age, ethnicity, gender, hometown, nickname and membership in groups, which were mostly about sexual confessions and sexual orientation discussions.
Since the database included users’ age, and Whisper was a hit among teens, it would’ve been easy for bad actors to find underage users — especially since the records also contained the location coordinates of their last posts, which pointed to specific schools, neighborhoods and workplaces. WP says it found 1.3 million results when it searched for users aged 15.
In addition, the database didn’t just include details on newer users. Matthew Porter and Dan Ehrlich, cybersecurity consultants from Twelve Security, told the publication that they were able to access almost 900 million user records dating from the time the app was released in 2012.
Lauren Jamar, the VP of content and safety at Whisper’s parent company MediaLab, said the sensitive details in the database represented “a consumer facing feature of the application which users can choose to share or not share.” But the researchers explained that the real problem is that Whisper exposed its users’ data en masse, allowing randos to download it all.
The good news is that the researchers alerted law enforcement officials about the data exposure. Further, Whisper removed access to the data shortly after being notified by the researchers and The Post. This isn’t the first time the service was caught in a security-related controversy, though. Back in 2014, The Guardian reported that it tracked users’ location information even if they opted out and also shared information with the US Department of Defense.