Secret-sharing app Whisper has failed to keep confidential user data private, exposing hundreds of millions of users’ intimate messages to the public. On Wednesday, security researchers discovered that a database containing over 900 million records of Whisper users since 2012 was left exposed on the internet for anybody to access, putting users’ privacy at great risk.

The Whisper online database is not password-protected and makes all sensitive user data available for download in its entirety. While the exposed records do not include the real names of the users, they include all the information attached to their Whisper profiles, including their age, ethnicity, gender, hometown, and nickname, as well as records of their personal struggles, guilty pleasures, and fetishes.

Following the discovery of the public Whisper database, researchers were concerned that the amount of user data exposed online could be weaponized by individuals who might take advantage of the confidential and sensitive nature of the unearthed information through threats and extortion. After notifying both Whisper and federal law enforcement of the situation, Whisper immediately made the database private.

Launched in 2012, Whisper was marketed as an anonymous secret-sharing mobile app where users could anonymously post their private thoughts and secrets and chat other users with shared interests. The promotional material for the app described Whisper as “the largest online platform where people share real thoughts and feelings… without identities or profiles.”

Today, at least 30 million users actively use Whisper each month, many of them under the age of 18 and share confessions about their sexual encounters. About 1.3 million of all current Whisper users listed themselves as 15 years and below.

“This has very much violated the societal and ethical norms we have around the protection of children online,” said security researcher Dan Ehrlich. In its defense, Whisper said the extra data tied to posts was “a consumer-facing feature of the application which users can choose to share or not share.” Whisper also denied making its database accessible to the public.

It remains unknown how many years exactly the unprotected intimate data had been exposed before the public database was discovered this week.

Whisper A public Whisper database was discovered this week, exposing hundreds of millions of sensitive user data. Facebook/WhisperApp