venmo_logo
  • More than seven million Venmo transactions were acquired through the API and published on GitHub.
  • The users that were exposed are those who haven’t changed their transactions setting to “private”.
  • This is not the first time nor the second that Venmo’s user privacy inadequacy has been exposed.

Computer science student Dan Salmon, proved that scraping millions of Venmo transactions is still possible a year after a Mozilla security researcher has done exactly the same. Venmo is a mobile payment service owned by PayPal, and operating on the Android, iOS, or any web browser. It allows users to link their bank accounts, credit and debit cards, and carry out payments to other users. Venmo promises that the financial data of their users are protected with high-grade encryption, but it has been repeatedly proven that the default user settings are undermining the security layers that are in place.

Last year, the scraping experiment involved the downloading of 207 million transactions, all concerning users that had left their payment details on the “public”, which weirdly, remains the default option to this day. A year after this incident, Dan Salmon tried the path of downloading user transactions through the developer API of Venmo. The public user data that’s accessible through there include full names, business status, user picture, account creation date, transaction history, user id, likes, and more. Accessing all of this information doesn’t require any authentication, and not even the Venmo app itself.

Unfortunately for the non-cautious users who haven’t changed their transactions setting to “Private”, Salmon has published the full dataset of 10.87 GB on his GitHub. The transactions were collected from July to September 2018, October 2018, and from January to February 2019. If you have carried out any transactions through Venmo in the aforementioned periods, then these may have just been leaked. If you want to change your privacy settings to Private, just tap on the “Settings” on the app’s menu, hop to the “Privacy” section, tap on “Past Transactions” and then select “Change All to Private”. This will cover all past transactions, and secure those that will take place in the future.

PayPal has already received the smite of the FTC (Federal Trade Commission) for failing to inform the Venmo users of what they are supposed to do if they want to maintain their privacy. Following an investigation that the FTC carried out in 2018, Venmo has now been placed to a ten-year security auditing program, with third-party organizations reporting on its status every two years. With stories like this surfacing in the news, one has to wonder what the depth and scope of these audits are, as well as why Venmo refuses to take the step to make everything private by default.

Do you use Venmo? Have you changed your transaction settings from public to private? Share your comments with us in the section down below, or join the discussions on our socials, on Facebook and Twitter.