Whisper, an anonymous secret-sharing mobile app that rose to prominence more than half a decade ago, has been inadvertently exposing sensitive information about its users for years through a public online database, according to a new report from The Washington Post.

The app, while far from as popular as it was in the few years after its release in 2012, is still used by more than 30 million people a month, some of whom are under the age of 18 and share confessions about teenage sexual encounters and information related to sexual orientation. According to The Post, which was actively able to query the database in real time before Whisper took it down, a search for users who listed themselves as 15 years of age returned as many as 1.3 million results.

The database did not include real names, as Whisper was designed to protect users’ identities and allow them to share secrets anonymously. But the records left unprotected online included information like age, location, ethnicity, residence, in-app nickname, and membership in any of the app’s groups.

The app still has more than 30 million monthly users, some of whom are minors

The records didn’t just include current users, either. According to security researchers Matthew Porter and Dan Ehrlich, who run the firm Twelve Security, the database comprised nearly 900 million user records from the app’s release more than eight years to the present day, The Post reports. Porter and Ehrlich said they notified federal law enforcement of the situation, as well as Whisper, prior to contacting The Washington Post. Only when The Post reached out to Whisper parent company MediaLab was the database made private.

“This has very much violated the societal and ethical norms we have around the protection of children online,” Ehrlich told The Post, adding that MediaLab’s actions here have been “grossly negligent.”

MediaLab is disputing the researchers’ findings, saying the information was meant to be public-facing and provided by the users themselves as a feature of the app. In particular, location sharing was designed to add authenticity to posts in which someone’s location or status, like an active military member, was relevant.

However, MediaLab told The Post the database was “not designed to be queried directly,” and it removed the information as a result. The company has also found itself in hot water in the past over its handling of user data, like in 2014, when it was revealed the company was gathering location data on users without their consent and even if they explicitly opted out. The Post says the exposed database illustrates that MediaLab kept gathering user location data even after the controversy blew over.