User data from secret-sharing app Whisper was left wide open for years




Whisper, an app centered on the anonymous sharing of secrets, left troves of identifiable data markers out in the open until The Washington Post asked the company about it. Twelve Security’s Matthew Porter and Dan Ehrlich were able to view and search data from Whisper users going all the way back to its 2012 launch. They, along with The Post, reached out to federal authorities and the company on Monday, and access to the database was lost.

Not-so-secret — The database wasn’t password protected and it was easy to search through the 900 million records, many of which belonged to minors. Though names weren’t part of the records, data like users’ stated age, ethnicity, nicknames, gender, and hometown were exposed.

A user’s most recent post included GPS coordinates that could link back to schools, homes, workplaces, and even military bases. Whisper already got in trouble in 2014 for collecting locations even when users opted out.

“Whisper does not request or store any personally identifiable information from users, therefore there is never a breach of anonymity,” reads a 2014 statement to The Guardian. “From time to time, when a user makes a claim of a newsworthy nature, we review the user’s past activity to help determine veracity.”

Essentially, Whisper can tap into the back-end of its service through geolocation or IP addresses to verify if someone is a college student, military personnel, etc. when a post has the potential for virality. The locations initially covered a broader area, but Twelve Security’s discovery of exact coordinates for recent posts raises the alarm level.

Though not as popular as it once was, Whisper reportedly has 30 million active users a month. All of the exposed data could be downloaded.