A computer science student scraped seven million Venmo transactions to warn users that their public activity can still be stolen.
Dan Salmon said he scraped the transactions over the course of six months to prove to users that they need to set their Venmo payments to private. Venmo payments between users are set to public by default.
The move comes a year after privacy researcher Hang Do Thi Duc downloaded 207 million Venmo transactions to prove a similar point.
“There’s truly no reason to have this API open to unauthenticated requests,” Salmon told reporters. “The API only exists to provide like a scrolling feed of public transactions for the home page of the app, but if that’s your goal then you should require a token with each request to verify that the user is logged in.”
Despite these reports, Venmo has not done much to boost security for its users. While it changed its privacy guide and updated its app to remove a warning when users went to change their privacy settings from public to private, the company has focused more on making the data more difficult to scrape, including imposing limits on its API. But Salmon was still able to scrape 40 transactions per minute, which was about 57,600 scraped transactions each day.
Last year, PayPal — which owns Venmo — settled with the Federal Trade Commission over privacy and security violations after it was accused of misleading users over its privacy settings.
Juliet Niczewicz, a spokesperson for PayPal, did not return a request for comment on this latest report.
In April, PayPal CEO Dan Schulman finally released Venmo user numbers for the first time: 40 million active monthly users, defined as a person who has used the service once in 12 months.
“Venmo continues its significant momentum,” Schulman said at the time. “As user growth continues to accelerate, merchants are increasingly turning to Venmo as a way to attract a valuable and engaged consumer base.”