Whisper app data leak exposes 900 million secret confessions: What to do
Huge trove of salacious data found unprotected online
Back around 2014, there was a smartphone app called Whisper that let you confess your deepest, darkest secrets to a world of total strangers -- no real names allowed, of course. It was delightfully trashy and addictive.
Whisper is still around, although judging by the comments on its Google Play listing page, it's been "totally overrun by literal prostitutes soliciting, thirsty males, and fake spam accounts."
Whisper is back in the news because an unprotected database containing 900 million Whisper posts, and all the metadata related to those posts, was recently found online.
No real names were involved, but according to The Washington Post, which broke the story yesterday (March 10), the data included "a user's stated age, ethnicity, gender, hometown, nickname and any membership in groups."
Many of those groups, the Post noted, are or were "devoted to sexual confessions and discussion of sexual orientation and desires".
- The best encrypted messaging apps: Keep your communications secure
- Best Android antivirus: Make sure your phone is clean
- Update: E3 2020 officially cancelled: So what happens now?
What you can do
If you've got Whisper installed on your iPhone or Android phone, it might be best to just delete it. The app collects "precise location (GPS and network-based)", according to the device permissions listed on its Google Play Store page, which tells Whisper (and any mobile ad networks it runs) exactly where you are.
You can still lurk on Whisper by going to the unintentionally hilarious Whisper website. It's sort of a full-page equivalent of all those trashy ads you see pop up at the bottom of news websites, with topics like "Ladies Confess: I Am Dating A Trust Fund Baby" and "18 People Who Shockingly Lied Under Oath".
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
Whisper is owned by Medialab, a holding company that also owns the teen-chat app Kik and the hip-hop-oriented website and social app DatPiff. We've reached out to Medialab for comment and will update this story when we receive a reply.
'Spies' for the Chinese?
The unprotected database was found by Dan Ehrlich and Matthew Porter, researchers from security firm Twelve Security. The exposed Whisper data goes back to 2012, the year Whisper was started.
In two blog postings today (March 11), Ehrlich accused Whisper staffers of being "spies for the Chinese Ministry of State Security" and implies that a lot of the data Whisper collected is being used to blackmail members of the U.S. military.
We have no way to assess the validity of those accusations, but Ehrlich pointed out that The Guardian in 2014 showed that Whisper could tell from GPS coordinates which posts came from military bases, the Pentagon and even the White House.
Precise location collection is not what you want to see in an app devoted to eliciting secret confessions from its users. Ehrlich pointed out that plenty of posts could be traced back to specific schools and offices.
But it's not all that bad
Now for the silver linings. Most of the metadata in the exposed database is and was publicly displayed on the Whisper app. That's kind of the point of the app. The database simply collates it all into an easy-to-search format.
"A search of users who had listed their age as 15 returned 1.3 million results," grimly notes The Post, but that isn't surprising as the app was especially popular among teens during its heyday.
So let's be clear: No real names, no dates of birth. The "nicknames" were the usernames the users created to be able to post, or were assigned randomly by the Whisper app. Likewise, most of the background images on the posts came from Whisper's own image library.
The only real risk of a Whisper post being traced back to you has to do with the precise location data, which might reveal which high school you attended in 2014.
The other upside, if it can be called that, is that there's no evidence that the database was discovered or exploited by anyone before Porter and Ehrlich found it. The database was taken down Monday (March 9) after The Washington Post contacted Whisper, although Ehrlich and Porter said they had also done so earlier.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.