A new research study has found that Venmo continues to make it easy for third parties to scrape users’ public transaction history without their permission.
Dan Salmon, a computer science student at Minnesota State University, has published a new data set of over seven million Venmo transactions on GitHub, collected over a six-month period.
“I am releasing this dataset in order to bring attention to Venmo users that all of this data is publicly available for anyone to grab without even an API key,” Salmon wrote on the GitHub page, while warning users to change their privacy settings.
The development comes more than a year after Hang Do Thi Duc, a former Mozilla fellow, unearthed more than 200 million public Venmo transactions in a similar finding.
The peer-to-peer mobile payments service, which has 40 million monthly active users, makes transaction details public by default. This includes usernames, full names, profile pictures, recipient information, and more. It does, however, provide an option to change the privacy setting for each payment individually.
Venmo has stated that it keeps transaction history public by default because it treats transactions as a social activity. “People open up Venmo to see what their family and friends are up to,” it said last year.
But the PayPal-owned company has done precious little to prevent scenarios that could result in the potential abuse of the public API to scrape users’ transaction details.
If you are using Venmo, you should switch your Venmo account to private by going to Settings > Privacy, and selecting ‘Private’, as well as Past Transactions > Change All to Private.