Last year, nearly 210 million Venmo transactions were downloaded by a Berlin-based researcher, leading many privacy experts to question the PayPal-owned company’s claim that its users prefer to be social about their spending habits. In the wake of that study, Venmo apparently made a few changes to its API, hoping to at least limit the speed with which the data could be acquired.
According to a new report, however, these limits have done little to stop researchers from downloading millions of transactions from the public-by-default app. TechCrunch reported on Friday that one computer scientist, Dan Salmon, managed to scrape roughly seven million transactions spanning a six-month period.
Salmon said he was able to download 57,600 transactions per day, even with the new limits in place. (That equates to roughly 40 per minute.)
“I am releasing this dataset in order to bring attention to Venmo users that all of this data is publicly available for anyone to grab without even an API key,” said Salmon, who published the data on GitHub. “There is some very valuable data here for any attacker conducting OSINT research.”
He encouraged users to change their privacy settings to prevent their transactions from being scraped by others:
I would highly encourage all users to switch their Venmo account to private by going to Settings > Privacy and selecting “Private” as well as Past Transactions > Change All to Private. Screenshot instructions are available here.
None of this is apparently concerning to PayPal, which believes the social networking aspect of the app is one of the key reasons people use the service. But many users—including nearly two-thirds of Gizmodo staff when I polled our newsroom last year—may not understand that their transactions can be accessed and downloaded by anyone.
“Venmo was designed for sharing experiences with your friends in today’s social world, and the newsfeed has always been a big part of this,” PayPal told Gizmodo last July.
Jeremy Gillula, tech policy director for the Electronic Frontier Foundation, told Gizmodo he didn’t buy the company’s response. “I doubt that most Venmo users realize that their transactions can be seen by the entire internet, not just their friends,” he said at the time.
Gillula also said he knew of instances in which a therapist had accepted payments from patients without realizing the payments were public.