Whisper is a social media platform and app that’s core focus is to allow its users to anonymously share secrets, often intimate in nature, and chat to people with shared interests.

An investigation by The Washington Post, however, has revealed that Whisper left the information of nearly 900 million users exposed to anyone that wanted to view it, located in a database that wasn’t password protected and was accessible by the public.

The database contained a variety of compromising user details that are tied to each ‘whisper’ (the platform’s name for a post), including sexual orientation, gender, age, ethnicity, nickname, place of work and the location data for the user’s last post.

While the database didn’t contain the real names of any users, the researchers that uncovered it were concerned that the amount of information included could have lead to individuals being uncovered, and even blackmailed given the private nature of the platform.

Obviously this is concerning for any user, but it’s especially troubling considering Whisper allows any user over the age of 13 to sign up. A reporter with the Post found 1.3 million results when searching the database for users that had listed their age as being 15.

Immediately after the researchers had alerted both the company and law enforcement to the database, access to it was blocked. In response, a representative of Whisper told the Post that the extra data tied to posts was “a consumer facing feature of the application which users can choose to share or not share”.

After being found to collect location data on its users in 2014, even if they’d opted out, Whisper stated that it doesn’t follow or track its users and that its database isn’t accessible to the public. The app first launched in 2012 but it’s unclear exactly how many years this database has been exposed to the public for.