‘Whisper’ App Left Its Users’ Private Confessions Exposed for Years

Last updated May 18, 2024
Written by: Bill Toulas, Infosec Writer

Whisper is a special kind of social networking app available for Android and iOS. It offers users a private platform where they may share their most secret fetishes without revealing their real identities. There are no "user profiles," so the only interaction that can be made between users is through the messages they post, which can contain photos, videos, and text. Right now, there are approximately 250 million individuals from 187 countries using Whisper every month. The problem with the network is that a database containing the private confessions that users made on the platform was misconfigured for public access without password protection.

The discovery was made by two researchers at “Twelve Security,” who were able to access approximately 900 million user records dating as far back as 2012, when the app was initially released. Thankfully, there were no records revealing the real names of the users, which would outright unveil their real-life identities. However, there was information related to users' age, ethnicity, gender, hometown, nickname, and their Whisper group memberships. Sure, that should be inadequate in terms of finding out who’s behind a post, but it definitely helps narrow down the possibilities.

Whisper posts are heavily focused on secret sexual desires and fetishes, so if that information were to fall into the wrong hands, users would be at risk of getting blackmailed. The social media platform's owners haven’t admitted that the error was theirs, and while the database was secured following a tip from the researchers, they chose to dispute the findings. Their official statement on the incident came from vice president Lauren Jamar, and affirms that the data was exposed from "a consumer-facing feature of the application which users can choose to share or not share."

The researchers weren’t satisfied with this response and further revealed that the database contained plenty of other sensitive data, such as “predator_probability” scores, 100,000 account bans for “minors solicitation,” and more. Whisper reportedly left this database open for access for eight full years, and they aren’t even admitting that this was a blatant case of gross negligence. This app has been accused of asking for way too many permissions, generating geo-location data to accompany each user post, and sharing much of that data with the FBI and MI5. In 2015, researchers at Xipiter proved that they could hack Whisper accounts and access past private messages, but the platform dismissed these reports and characterized them as "fabricated."


