Seven Million Venmo Transactions Published on GitHub

Written by

Venmo users are being advised to set their accounts to private after a computer science student scraped seven million Venmo transactions, proving that users’ public activity can be easily accessed, according to The Next Web (TNW).

Over a six-month period, Minnesota State University computer science student Dan Salmon, collected a data set, which Salmon exported from MongoDB, of more than seven million Venmo transactions, which he published on GitHub.

“I am releasing this dataset in order to bring attention to Venmo users that all of this data is publicly available for anyone to grab without even an API key. There is some very valuable data here for any attacker conducting OSINT research,” Salmon wrote.

“I would highly encourage all users to switch their Venmo account to private by going to Settings > Privacy and selecting "Private" as well as Past Transactions > Change All to Private. Screenshot instructions are available here.”

"Transparency may often be used against the legitimate interests of end users. Probably very few of us wish to share all their payment transactions with the rest of the world even if we have nothing to hide. Venmo should explicitly and conspicuously notify all its users that their transactions are accessible by everyone unless they update their settings,” said Ilia Kolochenko, founder and CEO of web security company ImmuniWeb.

“[The] developer’s API should be provided only to vetoed, properly verified third parties within a scope of a binding legal agreement capable of protecting users’ privacy regardless of technical flaws one may discover now or in the future,” Kolochenko said.

“Anti-scraping functionality probably requires holistic testing via an open bug bounty program, for example, to spot and remediate as many anti-automation bypasses as possible. This will not provide absolute protection but at least will considerably reduce the efficiency of data-scraping campaigns. Without all these common-sense measures, Venmo may face serious legal ramification and severe monetary penalties in many jurisdictions, let alone disgruntled users and loss of revenue."

In an email to Infosecurity, a Venmo spokesperson said, "Venmo was designed for sharing experiences with your friends in today’s social world, and the newsfeed has always been a big part of this. The safety and privacy of Venmo users and their information is always a top priority. 

"Venmo does a number of things to keep our users informed and help them protect and control their privacy, including:

  • "The social newsfeed: When people open the app, the first thing they see is the newsfeed. This is the first step in educating users that Venmo is a social forum and the newsfeed allows you to see what others have chosen to share on Venmo and the experiences that are happening on Venmo.
  • "Users choose what to share: Like on other social apps, Venmo users can choose what they want to share and which audience they share it with. It is very clear in each payment what audience it is being shared with and we have made this even more prominent in recent years."

What’s hot on Infosecurity Magazine?