Nearly 900 million confessions and secrets posted to the app Whisper were left exposed on a non-password-protect database open to the public internet.
Although messages were not tied to real names, ‘a user’s stated age, ethnicity, gender, hometown, nickname and any membership in groups, many of which are devoted to sexual confessions and discussion of sexual orientation and desires’ were visible, according to The Washington Post.
The public was able to browse and search through the records, many of which were posted by children – The Post found 1.3 million results were connected to users who listed their age as just 15 years old.
The database was discovered by the advisory group Twelve Security, which said the personal information tied to the messages was enough ‘to unmask or blackmail’ the user who shared the post.
However, the firm has rejected the findings stating the posts and their ties are ‘a consumer facing feature of the application which users can choose to share or not share.’
Scroll down for video
Nearly 900 million confessions and secrets posted to the app Whisper were left exposed on a non-password-protect database open to the public internet
Matthew Porter and Dan Ehrlich, cybersecurity consultants with Twelve Security, alerted authorities and Whisper of the exposed database and access has been removed as of Monday.
‘No matter what happens from here on out, the data has been exposed for years,’ Olbert said adding that people could ‘have their lives ruined and their families blackmailed because of this.’
Whisper shared a statement on Tuesday saying that much of the data is intended to be visible to users in the app, but the exposed database was ‘not designed to be queried directly.’
‘This has very much violated the societal and ethical norms we have around the protection of children online,’ said Ehrlich, who also discovered the data leak in Wyze that occurred last year.
He also said Whisper’s actions are ‘grossly negligent.’
The exposed bucket has been online for years and contains enough information to unmask the user that shared the post. Whisper encourages people to share their darkest secrets with the promise they stay anonymous
However, Lauren Jamar, vice president of content and safety at Whisper’s parent company MediaLab, has disputed Twelve Security’s discovery, saying posts and their ties are ‘a consumer facing feature of the application which users can choose to share or not share.’
But Porter and Ehrlich are not buying Jamar’s statement, as anyone was able to download the information in bulk, placing users involved at risk of privacy issues.
Whisper deems itself the ‘safest place on the Internet’ with its promotional material stating that it is ‘the largest online platform where people share real thoughts and feelings … without identities or profiles.’
The messages were tied to the user’s location in which they shared the post.
The team was able to see the location for hundreds of military bases around the world and their exact coordinates.
Whisper has rejected the findings stating the posts and their ties are ‘a consumer facing feature of the application which users can choose to share or not share’. Researches who uncovered the database hit back saying the bucket could have been downloaded by anyone, which is a security issue
This information was gathered in part of Whisper’s project in analyzing suicide rates among the military for an undeveloped research proposal with the Defense Department.
This is not the first time Whisper has come under fire, as in 2014 the firm was accused of of monitoring the whereabouts of its users – including some who have specifically requested not to be followed.
There are claims a team at the company is tracking users it thinks are newsworthy – including military personnel, people working at Disney and a ‘sex-obsessed lobbyist’ working in Washington DC.
The claims were made by the Guardian newspaper which suggested Whisper was occasionally sharing information with the US government.
Rejecting any wrongdoing, it told the newspaper that it ‘does not follow or track users’ and said it was false to suggest it was monitoring people without its consent.
However, the Guardiam which gathered this information while vising the company’s headquarters, said Whisper has acknowledged it researched locations of people who they considered were sending out newsworthy messages – adding that this was typically done using GPS data.