A free secret-sharing app that touted itself as the "safest place on the internet" has exposed millions of intimate messages in a breach that involves several years' worth of data.
Social media app Whisper, which offers people a place in which to post and share photo and video messages anonymously, has attracted over 30 million users since launching in 2012.
Yesterday, the Washington Post reported that the team behind the popular app had stored users' most sensitive personal data online in a database that was not password-protected and was accessible to anyone on the public internet.
The Whisper user data found sitting exposed on the net included intimate confessions, fetishes, ages, ethnicities, genders, and location information. Among the viewable data were 1.3 million records involving users who had listed their age as 15.
Geolocation information attached to many users' last submitted post pointed back to specific schools, residential neighborhoods, workplaces, and international military bases, including a secure US military missile facility.
This massive breach of the kind of data blackmailers dream of finding was discovered by independent cybersecurity consultants Matthew Porter and Dan Ehrlich, who tipped off the Post.
What Porter and Ehrlich found confirmed that no one who has ever used Whisper can be confident that their secrets are still safe.
Porter and Ehrlich, who lead the advisory group Twelve Security, told the paper that they were able to access nearly 900 million users' records dating from the app's launch eight years ago right up to the present day.
The pair were also able to access any user's account and view which messages they had responded to and the time of their last login.
Ehrlich described the failure of Whisper to secure users' records as "grossly negligent."
Interestingly, the consultants learned from the breach that Whisper rates its users on the likelihood of their being sexual predators. About 9,000 users had a 100% "predator probability" score.
The two consultants notified federal law enforcement officers of the breach and also alerted the app's operators to what was going on. Access to the data has since been removed.
In a statement released on Tuesday, team Whisper said the database Porter and Ehrlich stumbled upon was "not designed to be queried directly."