Back in the day, the thing that teenagers were doing on the Internet was “anonymously” sharing their deepest, darkest secrets. They shared their secrets to the self-proclaimed “safest place on the Internet” app, Whisper. At its peak in 2014, Whisper was valued over $200 million, had 3 billion-page views per month, and received posts at a rate of 20 per second. Nearly a decade since its debut in the app store in 2012, the results of an investigation sent to The Washington Post found that anyone could easily spill all 900 million of the company’s users’ – both past and present – personal, intimate data if they were to look for it.
Whisper App Security Break Investigation
What rarely crossed people’s minds while using Whisper was just how valuable the data they were sharing could be in the hands of the wrong person or people. Researchers were able to access personal details that included:
- Sexual orientation
- Place of work
- Location data
What wasn’t accessible were the users’ real names and date of birth, but the information listed above would make it easy to identify the user. This would make nefarious attacks like blackmail possible as well as tragic consequences for personal relationships.
The Potential Dangers of a Whisper Breach
Many Whispers revolved around intimate details that were sexual in nature. Through their investigation, cybersecurity consultants Matthew Porter and Dan Ehrlich found that a significant number of users, 1.3 million to be exact, were children that listed their ages as 15. That meant that anyone could look up the age and location coordinates of a child with just a search query.
But in their investigation, the researchers did find that the app had blocked 195,000 accounts for spam and inappropriate content and 40% of the accounts had tried to solicit minors. Whisper used a rating system for a user’s predator potential, but it is unclear how the system worked.
Ehrlich called Whisper’s data management, “grossly negligent,” and said, “This has very much violated the societal and ethical norms we have around the protection of children online.” And as soon as Whisper was notified, access to the data was removed immediately, yet almost 10 years too late.
Although the golden era for the app has long since passed, there are still about 30 million active users, most of which are scams, solicitors, and “thirsty males,” as a review stated for the app on its Google Play listing. But just because it lost its popularity, it doesn’t make its mass collection of personal data lose any value.
After removing access, Whisper said of the security tech break that the extra data was, “a consumer facing feature of the application which users can choose to share or not share” and that it was, “not designed to be queried directly.”
This isn’t the first time that Whisper has been called out for mismanaging personal data. In 2014, it was revealed that MediaLab, which owns the app, was collecting information even if the user opted out. And the Whisper breach reveals that the company hasn’t changed its ways.