Updated, 7/30/2018, 10am PT:
Mozilla has started an email campaign urging its subscribers to sign a petition to Venmo "to change their defaults to private and send a message to other financial institutions looking at Venmo that there are consequences to not taking privacy seriously." Mozilla said Venmo has already quietly restricted access to its bulk API, but argued that more needs to be done to make sure financial transactions are private.
Original article, 7/18/2018, 11:22am PT:
If capitalism has taught us anything, it's that your identity is hopelessly entangled with how you spend your money. A researcher named Hang Do Thi Duc has discovered that this sentiment is particularly true on Venmo, because the PayPal-owned payment service's decision to make transactions public by default has revealed a surprising amount of information about some of its 7 million users, likely without their knowledge.
Venmo is essentially cash for the smartphone age. People use it to send others money, shop at certain stores, pay their rent and conduct other common monetary transactions. The primary difference is that they don't have to make a trip to the ATM or hope someone has a credit card machine. Transferring money through Venmo is like sending a message--and many transactions do indeed use text messages as receipts.
Do Thi Duc used Venmo's public API to access hundreds of thousands of transactions. The result offered quite detailed glimpses into people's lives--Do Thi Duc was able to track when a drug dealer brought on an employee, for example, or eavesdrop on a romantic couple's messages. In many cases, someone could also use this information to determine Venmo users' ethnicities, spending habits on the platform and general location.
Anyone can access this information because although Venmo offers options to make payments visible to only your Venmo friends or participating parties, default settings make payments public. It seems many users haven't taken the extra step to make their payments private.
Do Thi Duc said 207,984,218 transactions were carried out on the Venmo platform in 2017. She analyzed all of these payments to peer into the lives of five Venmo users and summarized their stories in a website called Public By Default. The effect is surreal; it's all too easy to fill in the blanks about someone's life based solely on their Venmo transactions. (And that's even after Do Thi Duc redacted some of the information, such as the users' last names or their Facebook IDs, in an attempt to preserve what remains of their privacy.)
This doesn't technically qualify as a leak. Do Thi Duc used a long-running API to access information that's been available to developers for years. But the research--and its presentation on the Public By Default website--makes it clear just how much people can learn about Venmo users. It's often problematic when any user activity is public by default, but showing a portion of people's financial history makes this all the worse.
On the Public By Default site, Do Thi Duc offered a quick guide to updating Venmo's privacy settings to disable this kind of information exposure. The good news is that the setting is applied retroactively to previous transactions, too, so it's not too late to hide some of your more embarrassing (or incriminating) spending. Just remember to check that a company isn't exposing your data the next time you use a new service.