Whisper app quietly leaked sensitive personal info on nearly 900 million users

What you need to know

  • Security researchers discovered a publicly accessible database belonging to the secret-sharing app Whisper.
  • The database included "whispers" and identifying information such as the user's age, ethnicity, gender, hometown, nickname, group memberships, and location coordinates from their last post.
  • After the researchers contacted Whisper, access to the database was removed.

The Whisper app describes itself as a safe place to share your real thoughts and feelings. For years the app has allowed users to share their deepest, darkest secrets anonymously on the web. Unfortunately, researchers have recently discovered Whisper left those confessions exposed to the web, along with details that could be used to identify the users.

While the records did not reveal users' names, they did include each user's age, ethnicity, gender, hometown, nickname, and group memberships. Even more frightening, the data also included the location coordinates from the user's last post, "many of which pointed back to specific schools, workplaces and residential neighborhoods."

With access to all of this information, it's possible cyber sleuths might be able to identify some users and use their secrets to blackmail or expose them. According to the report from The Washington Post, cybersecurity consultants Matthew Porter and Dan Ehrlich of Twelve Security found an unprotected Whisper database on the web publicly accessible to anyone. One of the reporters was able to browse and search through nearly 900 million user records dating all the way back to 2012.

Whisper App (Image credit: Play Store)

To make matters worse, the service hosts information for minors. For example, when filtering the results for users that listed their age as 15, it returned 1.3 million records. Fortunately, the researchers contacted federal law enforcement and the company to alert them of the publicly accessible database, and as of Monday, the data can no longer be accessed.

Whisper has since released statements on the leak, saying the data was meant to be accessible to users via the app but was "not designed to be queried directly." The vice president of Whisper's parent company, Lauren Jamar, also stated that it is "a consumer facing feature of the application which users can choose to share or not share."

However, security researchers point out that leaving the database openly accessible made it easier to download in bulk and posed a massive security risk.

  • Lol. 900M people who actually thought a start-up was better at securing data than companies with far more eyes on them (and much more to lose in situations like this). This "Messaging App" FAD (where everyone picks a favorite secure messenger and spreads their information around in 10 different places - increases their eAttack Surface) needs to go.
  • Someday, some will learn it is best to keep their thoughts to themselves.
  • Nothing that goes over the internet or lands in the cloud will stay a secret forever.
  • OMG!!!! I'm shocked...shocked I tell ya!!! That an app called Whisper, which allows people to share their "real thoughts and feelings in secret"... would prove to be a privacy trap...what are the odds?! Haven't people learned yet that "secret" and "private" on the Net are two of the clearest examples of oxymorons?! I also love that an apparently serious article ends with an ad for the Samsung Galaxy S20...