Whisper, once a hugely popular smartphone app where users could anonymously share secrets, left private and sensitive information about hundreds of millions of people in a public database for years.
This is the finding of The Washington Post, which was able to view the database before it was taken offline by Whisper's owner, MediaLab.
The database, which had no password and could be accessed by anyone, included users' nicknames as well as their age, gender, ethnicity, location, and information on what groups they were a part of on the app. Many of Whisper's chat groups are about sexual relationships and orientation. The report claims 1.3 million users in the database listed their age as 15.
Whisper, which once described itself as "the safest place on the internet", launched in 2012 and is available for iOS and Android. Although it is less popular today, it had three billion monthly page views by late 2013. Its users are mostly aged 18 to 24 and predominantly female.
Working with The Washington Post, cybersecurity researchers from Twelve Security said they were able to access almost 900 million user records dating from Whisper's release in 2012 up to the present day. Whisper and law enforcement were contacted soon after, and the data was removed from public view this week.
Whisper said that, while much of the exposed data was intended to be viewable by users of the app, it was not supposed to appear openly on the web, and was "not designed to be queried directly".
As well as users' hometowns, the data included the GPS coordinates of where each user submitted their most recent post. Many of these were the locations of schools, workplaces and residential neighborhoods, the Post said.
Although Whisper says the data is supposed to be accessible by other users, experts argue that presenting the data in full, and in a way that could be easily searched, is unacceptable.
Cybersecurity researcher Dan Ehrlich, who was involved with the discovery of the database, told the Post: "This has very much violated the societal and ethical norms we have around the protection of children online."