Whisper app quietly leaked sensitive personal info on nearly 900 million users

What you need to know

  • Security researchers discovered a publicly accessible database belonging to the secret-sharing app Whisper.
  • The database included "whispers" and identifying information such as the user's age, ethnicity, gender, hometown, nickname, group memberships, and location coordinates from their last post.
  • After the researchers contacted Whisper, access to the database was removed.

The Whisper app describes itself as a safe place to share your real thoughts and feelings. For years the app has allowed users to share their deepest, darkest secrets anonymously on the web. Unfortunately, researchers have recently discovered that Whisper left those confessions exposed to the web, along with details that could be used to identify the users.

While the records did not reveal the name of the person, they did include their age, ethnicity, gender, hometown, nickname, and group memberships. Even more frightening, the data also included the location coordinates from the user's last post, "many of which pointed back to specific schools, workplaces and residential neighborhoods."

With access to all of this information, cyber sleuths might be able to identify some users and use their secrets to blackmail or expose them. According to the report from The Washington Post, cybersecurity consultants Matthew Porter and Dan Ehrlich of Twelve Security found an unprotected Whisper database on the web that was publicly accessible to anyone. One of the reporters was able to browse and search through nearly 900 million user records dating all the way back to 2012.

To make matters worse, the service hosts information for minors. For example, filtering the results for users who listed their age as 15 returned 1.3 million records. Fortunately, the researchers contacted federal law enforcement and the company to alert them of the publicly accessible database, and as of Monday, the data can no longer be accessed.

Whisper has since released statements on the leak, saying the data was meant to be accessible to users via the app but was "not designed to be queried directly." The vice president of Whisper's parent company, Lauren Jamar, also stated that it is "a consumer facing feature of the application which users can choose to share or not share."

However, security researchers point out that leaving the database openly accessible made downloading it in bulk easier and posed a massive security risk.

Jason England