The Washington Post

Secret-sharing app Whisper left users’ locations, fetishes exposed on the Web

Hundreds of millions of users’ intimate messages, tied to their locations, were publicly viewable until after the company was contacted by The Washington Post.

One Whisper user’s account included references to sexual orientation, gender and work at a secure U.S. military missile facility. (David Paul Morris/Bloomberg News)

Whisper, the secret-sharing app that called itself the “safest place on the Internet,” left years of users’ most intimate confessions exposed on the Web tied to their age, location and other details, raising alarm among cybersecurity researchers that users could have been unmasked or blackmailed.

The data exposure, discovered by independent researchers and shown to The Washington Post, allowed anyone to access all of the location data and other information tied to anonymous “whispers” posted to the popular social app, which has claimed hundreds of millions of users.

The records were viewable on a non-password-protected database open to the public Web. A Post reporter was able to freely browse and search through the records, many of which involved children: A search of users who had listed their age as 15 returned 1.3 million results.

The cybersecurity consultants Matthew Porter and Dan Ehrlich, who lead the advisory group Twelve Security, said they were able to access nearly 900 million user records from the app’s release in 2012 to the present day.


The researchers alerted federal law-enforcement officials and the company to the exposure. Shortly after researchers and The Post contacted the company on Monday, access to the data was removed.

Early Tuesday, the company said in a statement that much of the data was meant to be public to users from within the Whisper app. The database found by the researchers, however, was “not designed to be queried directly,” a company official said.

The exposed records did not include real names but did include a user’s stated age, ethnicity, gender, hometown, nickname and any membership in groups, many of which are devoted to sexual confessions and discussion of sexual orientation and desires.

The data also included the location coordinates of the users’ last submitted post, many of which pointed back to specific schools, workplaces and residential neighborhoods.

“This has very much violated the societal and ethical norms we have around the protection of children online,” said Ehrlich, who also discovered the data leak last year of home-camera company Wyze. He called the company’s actions “grossly negligent.”


Lauren Jamar, a vice president of content and safety at Whisper’s parent company, MediaLab, said in a statement that the company strongly disputed the researchers’ findings. The posts and their ties to locations, ages and other data, she said, represented “a consumer facing feature of the application which users can choose to share or not share.”

The researchers, however, said the ability to download all of the data in bulk — and potentially combine it with other sensitive data sets — represented a huge risk for users’ privacy.

“The big issue here is that they have exposed their users’ data en masse,” said Kyle Olbert, a human rights activist and researcher who reviewed the research.

“This is the difference between a user handing you their business card and Whisper leaking an entire phone book,” he added. “This is the most intimate data laid bare in a massive unprotected database for the entire world to see.”

The app says in promotional materials that it is “the largest online platform where people share real thoughts and feelings … without identities or profiles,” with more than 1 billion anonymous posts. Users are urged to “share secrets” and “express yourself openly and honestly” on the app, which regularly sends smartphone notifications with notes such as, “Get honest. What was the last lie you told?”

The database of posts, called “whispers,” was loaded with sensitive personal confessions. “My son was conceived at a time when I cheated on his father … I just hope he will never find out,” one post read. Another, written by a user who said she was a 16-year-old girl, said, “I really really really really need advice from a mom right now.”

Researchers said they were also able to access any user’s account. The data also showed which messages a user responded to and the time of their last log-in.

Included in the data was a list of hundreds of international military bases, including location coordinates. The feature, Jamar said, allowed users to speak candidly and publicly from such locations. The company had in years past gathered data on posts related to suicide around military installations as part of an undeveloped research proposal for the Defense Department.


The user data also revealed how the company policed for crimes and misbehavior. About 195,000 accounts were marked as banned for sharing spam or inappropriate content, the data showed. More than 40 percent of those banned accounts were flagged as having solicited minors. This figure, Jamar said, included blanket bans of accounts from questionable Internet addresses.

The app also appeared to rate users on the potential that they were a sexual predator. It’s unclear how the company determined that data point, which is called “predator_probability”; about 9,000 users had a score of 100 percent. Other data points were called “banned_from_messaging” and “banned_from_high_schools.”

The “predator_probability” data point, Jamar said, referred to a company data-science project around predicting whether a user would be banned for sending sexual solicitations, in violation of the app’s rules. “We found it had little success and shelved the project,” Jamar said.

The company gathers users’ confessions into blog posts on the Whisper website, including “My Parents Sent Me to Boarding School Because I Got Pregnant” and “True Life: I Married The Wrong Person.” Data in those posts could be used to identify the users’ location at the time of posting, the researchers said.

Account data could also be used to identify sensitive personal details or locations. One user’s account included group references to sexual orientation, gender and work at a secure U.S. military missile facility. Such information, Jamar added, was “already publicly exposed by the users themselves.”


The app has fallen from its peak popularity and ranks 122nd in social networking in the iPhone app store. The company said 30 million people still interact with the service through social media, the Web and by using the app every month.

Whisper is owned by the Santa Monica, Calif.-based holding company MediaLab, which also owns the messaging app Kik, mix tape service DatPiff and online-exam app CoCo E-Learning.

The company drew heavy criticism in 2014 when the Guardian reported that the company gathered location data on its users, including some who had opted out. Users at the time were posting more than 2 million messages a day.


The company said in a statement then that it “does not follow or track users” and that its internal database is “not publicly accessible.” But the exposed records showed that the company continued to record users’ location coordinates and other data following that controversy.

Beyond the broader invasions of privacy, Ehrlich said the data was “literally the fuel you need to run a secret police,” adding that it could have been weaponized around the world to expose and punish members of vulnerable minority groups based on their sexual orientation, ethnicity, health status or religion.

“No matter what happens from here on out, the data has been exposed for years,” Olbert added. People could “have their lives ruined and their families blackmailed because of this.”