Whisper is a secret-sharing app where you can post anonymous messages, but security failures ensured user content and profiles were available for anyone online to view.
The inadvertent data exposure was caused by an open database with no credentials or password protection in place, as reported by the Washington Post.
Independent researchers Matthew Porter and Dan Ehrlich came across the data trove, which contained approximately 900 million records spanning from the app's launch in 2012 to the present day.
While the records did not include user names, they included nicknames, stated ages, ethnicities, genders, hometowns, group memberships -- some of which are sexual in nature -- and location data tied to posts.
The location information included coordinates from the last post a user has submitted, "which pointed back to specific schools, workplaces, and residential neighborhoods," according to the publication.
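The reason raw post coordinates can be traced to a particular school or residence is that every decimal place of latitude or longitude is worth a fixed amount of ground distance. The following Python snippet is an added illustration, not code from the article or from Whisper, and it assumes nothing about how the app actually stored its location data; it shows how many metres of resolution a given number of decimal places carries, and a simple coarsening step that rounds stored coordinates to a chosen precision before they are persisted or exposed.

```python
import math

# One degree of latitude is roughly 111,320 metres everywhere on Earth;
# one degree of longitude shrinks with the cosine of the latitude.
METRES_PER_DEGREE_LAT = 111_320.0


def lat_resolution_m(decimals: int) -> float:
    """Ground distance represented by the last kept decimal place of latitude."""
    return METRES_PER_DEGREE_LAT * 10 ** (-decimals)


def lon_resolution_m(decimals: int, lat: float) -> float:
    """Same for longitude, which depends on how far from the equator you are."""
    return METRES_PER_DEGREE_LAT * math.cos(math.radians(lat)) * 10 ** (-decimals)


def coarsen(lat: float, lon: float, decimals: int) -> tuple[float, float]:
    """Round a coordinate pair to `decimals` places before storing or serving it.

    Two decimal places (~1.1 km) keeps a neighbourhood-level signal while no
    longer pointing at an individual building.
    """
    return (round(lat, decimals), round(lon, decimals))


def resolution_table(lat: float) -> list[tuple[int, float, float]]:
    """(decimals, lat metres, lon metres) for 0..6 decimal places at this latitude."""
    return [(d, lat_resolution_m(d), lon_resolution_m(d, lat)) for d in range(7)]


if __name__ == "__main__":
    # Constructed sample point (central London), not taken from the leaked data.
    sample_lat, sample_lon = 51.5074, -0.1278
    for d, lat_m, lon_m in resolution_table(sample_lat):
        print(f"{d} decimals -> lat {lat_m:10.2f} m, lon {lon_m:10.2f} m")
    print("stored at 2 decimals:", coarsen(sample_lat, sample_lon, 2))
```

Four decimal places already resolves to about 11 metres, which is enough to single out a house; a service that only needs city- or neighbourhood-level context has no reason to keep more than two.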
Once alerted to the open database on Monday, Whisper restricted access and closed the authentication gap. Federal law enforcement agencies have also been notified.
The secret-sharing app said in a statement that the database was "not designed to be queried directly"; instead, the information contained within was only intended to be public for users within the application.
Whisper came under fire in 2014 after The Guardian revealed how users' locations were being tracked, even if options to disable location monitoring were selected. At the time, over 2.6 million messages were being posted on a daily basis.
Last year, Pen Test Partners researchers found that four dating and sexual encounter mobile apps -- 3Fun, Grindr, Romeo, and Recon -- were leaking the precise location coordinates of users. While 3Fun had some of the "worst security for any dating app we've ever seen," according to the researchers, the remaining three were vulnerable to GPS location exposure through GPS spoofing and trilateration tools.
Previous and related coverage
- Avast AntiTrack certificate bug allowed others to snoop on your online activities
- NordVPN HTTP POST bug exposed customer information, no authentication required
- Backdoor malware is being spread through fake security certificate alerts
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0