Whisper, the app that claims to be a safe haven for anonymous secrets, has been leaving its users' data exposed to possible blackmailers and bad actors. Cybersecurity researchers found they could easily access almost 900 million user records that contained intimate secrets and details such as ages, nicknames, locations, sexual orientations, and interests. Although the records kept users anonymous by leaving out real names, researchers were concerned that the sheer amount of detail made it possible to identify users of the app.
The data also included information gathered from users as part of the company's side projects. One project, a research proposal for the U.S. Department of Defense that was ultimately never executed, recorded the coordinates of international military bases as the company studied the number of suicide and self-harm mentions that were posted from the locations, according to the Washington Post. Another abandoned project rated some users on the probability they would be kicked off the platform for being sexual predators or exhibiting predatory behavior. The company's representative explained to the reporter that the project was a failure, yet the researchers could still access the stored data.
"The big issue here is that they have exposed their users' data en masse," human rights researcher Kyle Olbert told the Washington Post. Olbert was not part of the cybersecurity team, but took a look at the researchers' findings. "This is the difference between a user handing you their business card and Whisper leaking an entire phone book," he elaborated. "This is the most intimate data laid bare in a massive unprotected database for the entire world to see."
Part of Whisper's 'charm' is the ability to vent secrets and chat with other anonymous users who can relate. "Express yourself openly and honestly," states the app's page in the Google Play store. The 'no consequences' approach to confessing secrets has attracted over 30 million people, according to the company, including at least 1.3 million users who claim to be 15 years old.
"This has very much violated the societal and ethical norms we have around the protection of children online," Dan Ehrlich, lead security consultant in the team, told the Washington Post. The data, which has been left exposed for years, could have been used against vulnerable minority groups or teens with little protection against threats such as blackmail.
By Monday, after the Washington Post contacted Whisper for comment, the security hole was fixed and the data could no longer be accessed by outside actors. Whisper, for its part, disputes the researchers' claims. According to a company official, the data found was meant to be public to people who use the app; it was not intended to be accessed directly from outside. As for the amount of information the company records, Whisper maintains that its users are free to choose how much information they want to share.
But the cybersecurity researchers' warnings didn't stop at the security breach — they also expressed concern over Whisper's blog posts. These posts compile various secrets posted by users, group them by topic, and list them with locations included. Some users have avoided revealing their location by typing 'Somewhere' instead of an actual place, but others show the user's exact town and country of origin. If the secret and location are detailed enough, the researchers cautioned, the user could be identified by other people.
Despite how tempting it might be to let it all out, the data breach has provided even more evidence that privacy and a safe space for secrets aren't guaranteed in the online world. For moments when you really need to vent, consider taking up a pen to do some old-fashioned journaling and keep it in a private location.