An “anonymous” social networking application that lets users share secrets and intimate confessions reportedly left hundreds of millions of user records exposed online.
Cybersecurity experts were able to access up to 900 million records linked to the software, called Whisper, that were being stored in a database without adequate password protection. That’s according to The Washington Post, which reported the trove of sensitive data dated back to 2012.
Whisper, which is available on both iOS and Android, is based around the concept of users uploading posts and photos without having to reveal their real-world identity.
But researchers from Twelve Security, who found the files, warned the data left exposed could possibly do just that, leaving users open to the risk of being revealed.
The vulnerable Whisper records included nicknames, ages, genders, hometowns and information about memberships of groups—many of which were sexual in nature.
Alongside “intimate messages,” the paper reported posts could be tied to location data, and some were successfully traced to schools and workplaces.
One exposed account was reportedly linked to a U.S. military missile facility, while another had the confession: “My son was conceived at a time when I cheated on his father.” A search of the files for users who gave their age as 15 resulted in 1.3 million results, the Post reported.
Whisper, released in 2012, is owned by a California-based holding company called MediaLab. It has been contacted for comment by Newsweek about the alleged cybersecurity incident.
Lauren Jamar, vice president of content and safety at MediaLab, told the Post the data was from “a consumer-facing feature of the application which users can choose to share or not share.” The company reportedly told the paper the database was “not designed to be queried directly.”
The database was reportedly locked down on Monday after being flagged to U.S. law enforcement, with researchers maintaining the incident could have put the privacy of users at risk. It was not immediately clear if anyone other than experts from Twelve Security accessed the records.
The application’s description on the Google Play Store claims that it still has 30 million monthly users. It is listed at #102 in the iOS App Store’s social networking rankings.
It’s not the first time Whisper has been caught up in a privacy scandal. In 2014, The Guardian reported it was logging the location of users, including some who opted out of tracking.
The company initially rejected the accusation but later updated its terms with a line that said the app could record the “broad location of people who have disabled the app’s geolocation feature.”
Whisper said at the time: “Whisper does not request or store any personally identifiable information from users, therefore there is never a breach of anonymity. From time to time, when a user makes a claim of a newsworthy nature, we review the user’s past activity to help determine veracity.”