Millions of Venmo transactions scraped (again)

A year ago, a researcher whipped up a bot to automatically tweet out the profile photos of anybody making drug deals on Venmo.

Or, to be more specific, profile photos and first names of people whose public-by-default Venmo transactions include words such as heroin, marijuana, cocaine, meth or speed; emojis that denote drugs; or non-drug-related words such as sex, porn or hookers. Joel Guerra, the creator of the Who’s buying drugs on Venmo? bot, got the idea after seeing Venmo’s API publicly posted to Twitter.

He built on the work of researcher Hang Do Thi Duc, who had analyzed a year’s worth of data from Venmo’s public API to find out what people are buying, who they’re sending money to, why they’re sending money, first and last names, profile pictures, times of the transactions, messages attached to the transactions, and more.

Using 207,984,218 transactions, she chronicled Venmo users’ lives: everything from cannabis sales to budding romances, to breakups, to how much pizza they ate and how much Coke they bought to wash it down.

Here it is, one year later, and little has changed. After last year’s privacy kerfuffle, all Venmo did was slow down the rate that data can be scraped and remove a warning it used to show users when they switched their default privacy settings from public to private…

…which, if you haven’t done yet, we urge you to do (here’s how), considering that a) why would you want your financial transactions to be public in the first place? and b) yet another data scraper has squeezed and publicly posted another ~7 million transactions out of Venmo.

On Friday, TechCrunch reported that computer scientist Dan Salmon had scraped those transactions, which occurred over a six-month period.

Salmon, who published the data on GitHub, said that he did it to let Venmo users know that their dirty laundry’s hanging on the line for everybody to see, and grab, and make use of for whatever purposes for which people use publicly available data:

I am releasing this dataset in order to bring attention to Venmo users that all of this data is publicly available for anyone to grab without even an API key. There is some very valuable data here for any attacker conducting OSINT [open-source intelligence] research.

Salmon is about the umpteenth person to sound the alarm over Venmo’s approach to privacy. Dan Gorelick did so back in 2016, explaining how to open up the Chrome dev console to watch Venmo dynamically load live data… live data that he figured out how to trace to user transactions.

As TechCrunch notes, since then, other researchers, such as Johnny Xmas, have said that Venmo restricted its API to limit the historical data that can be collected. It can’t have throttled things much, though, given that its most recent limits still allowed Salmon to access 40 transactions per minute: what Salmon reportedly calculated to be about 57,600 scraped transactions each day.

What to do?

Salmon is “highly” encouraging Venmo users to switch their accounts to private, and we here at Naked Security agree. Go to Settings > Privacy and select “Private” as well as Past Transactions > Change All to Private. You can see the instructions in screenshot form here.