Venmo data breach: what you need to know about Venmo security issues

Venmo is a useful app for sending money to friends and family for everyday expenses. At least 75% of Americans trust digital payment apps as much as cash or credit cards. This means that digital payment apps like Venmo or CashApp also attract more attention from cybercriminals.
While a Venmo data breach hasn’t happened due to a direct system hack, several incidents have exposed millions of users. Our article will break down what happened, what data may be compromised, and what you should know about Venmo’s security issues. We’ll also help you learn how to protect your privacy moving forward.
Has Venmo been hacked? A history of breaches and scraping incidents

While cybercriminals may not be targeting the app directly, a Venmo data leak reveals how the app’s weak protections put users at risk even without a direct breach. Since 2017, three separate events compromised user security, raising concerns about Venmo transactions.
2017-2018 Venmo scraping: 207 million transactions downloaded
Venmo is a payment app designed to make sending and receiving money an enjoyable and largely social experience. It uses a public API that makes user transactions publicly available by default. In 2017-2018, a Venmo breach occurred when a former Mozilla employee, Hang Do Thi Duc, discovered the app could potentially leave users vulnerable.
Using the app’s public API, she scraped over 207 million transactions, all of which provide detailed personal information. At that time, Venmo provided users with a constant stream of user transactions. Through a public URL, Hang Do Thi Duc explored the lives of several unsuspecting Venmo users.
During her research, she shared her findings online, revealing the app’s flaws allowed her to scrape user data, including:
- User first and last names
- Facebook profile IDs
- Transaction details, including purchased products, services, the approximate location, and the most popular reason users sent and received money
- Private messages
- The nature of personal relationships
Many users believed their activity was private, but Venmo made the payment information accessible to anyone, from anywhere.
2019 data scraping escalates: 7 million transactions published on GitHub
A security issue like this means that anyone could steal your private information during a Venmo data leak with minimal effort. After noticing this flaw, another researcher, Dan Salmon, wrote a script that exploited the same vulnerability, just a year later. Even with a rate limit in place, Salmon scraped 115,000 transactions per day, collecting a substantial database of 7 million Venmo transactions.
What Dan Salmon did was legal, further revealing that anyone could acquire this user data if they knew how. If a cybercriminal exploited this vulnerability in another Venmo breach, they could gain access to usernames and smartphone IP addresses. Dan shared his experiment on GitHub, showing that Venmo had made very few changes to address the privacy issue.
Instead of fixing the Venmo security issues directly, developers opted to update the app’s privacy settings.
2024 “Mother of All Breaches”: Venmo data found among 26B leaked records
Dan Gorelick also warned about the potential for a Venmo data breach in 2016, meaning that cybercriminals exploited the app’s weaknesses for nearly a decade. If that’s the case, then the 2024 “Mother of All Breaches” (MOAB) shouldn’t be a surprise. In early 2024, cybersecurity researchers uncovered a staggering collection of 26B data records from thousands of organizations.
High-profile incidents involving scraped or hacked LinkedIn data, the Hautelook breach, and the Zeeroq.com data breach are just a few that contributed to the 26 billion records exposed in the massive MOAB data leak. It’s unclear how the breach occurred, but naming Venmo in such a historic security breach prompts concern.
Types of data exposed in Venmo security breaches
Venmo hasn’t released any statements about what data bad actors may have stolen in the 2024 MOAB breach. This lack of transparency is unexpected considering the depth of the leak and makes it difficult to determine the full impact on Venmo users. If usernames, email addresses, or passwords were compromised, it increases the potential for credential stuffing attacks, allowing bad actors to use the stolen login information to access multiple accounts beyond Venmo.
Past breaches due to Venmo’s public-by-default design have exposed:
- Transaction messages and payment descriptions
- Potentially illicit activities such as drug deals
- Personal relationships through friends lists and linked profiles
- User payment histories
Even if we can’t link this information to a Venmo account, threat actors can still build complete digital profiles about you and exploit them for future cyberattacks.
How Venmo responded to privacy concerns and data exposure
The company hasn’t admitted to any recent security breaches, but the evidence of a Venmo data breach is there. Here’s how the company responded to the public data leaks:
- FTC Settlement in 2018 – The company settled a case where the FTC fined them for misleading claims of using ‘bank-grade security’ to protect users and for violating the Gramm-Leach-Bliley Act’s Safeguard and Privacy Rules. The case also claims that Venmo didn’t notify users that each transaction is subject to review and funds could be held or frozen.
- Removing the global feed – After the FTC settlement, Venmo redesigned the app to improve user privacy. The FTC believed Venmo didn’t properly explain that all transactions were public. The developers removed the global feed and added privacy controls for friends lists.
- Limited response to the MOAB – After reports of the MOAB leak, many expected Venmo to make a statement. Currently, the company hasn’t made a public statement acknowledging the breach or saying what accounts were affected and what data was stolen.
Venmo’s silence on the issue has led many users to expect legal action. But the deeper unease comes from the long-term risks of future online privacy and security issues.
Why Venmo data leak and scraping incidents are dangerous

The data revealed by scraping or the MOAB leak exposes users to potential cyberattacks and account takeovers. Threat actors can weaponize the information tied to Venmo accounts through:
- Blackmail or extortion scams – Venmo was designed to be a social media app, which commonly led users to overshare. Some users discussed their addiction recovery or romantic partners in payment messages, allowing criminals to shame or extort them.
- Account takeovers using reused credentials – If someone reuses their username and password, bad actors can launch credential stuffing attacks to gain access to financial accounts or launch PayPal scams.
- Social engineering attacks and spearphishing – Using information shared in payment messages, hackers can create convincing phishing messages. They can trick users with messages like, ‘Half of rent for Sarah’ or mimic a family request for ‘money for groceries.’
- Tracking social habits – Threat actors can use public Venmo data to map out your online activities for Instagram scams and erode your privacy by revealing group affiliations or sensitive medical issues.
Addressing these privacy concerns effectively involves learning how criminals use your data in ways you may not anticipate.
Can Venmo be hacked? Ongoing security issues
The next question you may ask is: Can Venmo be hacked? Generally, no system is safe from a security breach, but ongoing Venmo security issues do raise concerns. The app left users exposed to security risks through vulnerabilities that don’t always require sophisticated hacking methods to bypass.
Venmo’s vulnerabilities are:
- Public-by-default transaction settings – The app’s social layer makes it easier for bad actors to track user spending habits and daily routines.
- Weak API rate limiting – Many researchers exposed Venmo’s public API, showing that anyone can scrape millions of transactions without raising any alarms.
- No 2FA for payment approvals – Venmo does have two-factor authentication settings for profiles, but doesn’t require it when approving payments. This means that threat actors can send or receive payments without additional verification.
Venmo’s casual approach to sharing and visibility is an odd choice for a financial app, and could compromise your information in a future Venmo data leak.
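The scraping incidents above show why a burst rate limit alone raises no alarm: a client can stay far below a per-minute cap and still read 115,000 records in a day. The Python below is an added example, not code from Venmo or from the researchers, showing a rolling 24-hour per-client record budget that catches that pattern; the thresholds, client IDs, the 50-records-per-request page size, and the log entries are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

PER_MINUTE_LIMIT = 120        # assumed burst limit, requests per minute
DAILY_RECORD_BUDGET = 20_000  # assumed cap on records one client may read per 24 h

def peak_requests_per_minute(events, client):
    """What a burst rate limiter sees: the busiest single minute for one client."""
    per_minute = defaultdict(int)
    for ts, cid, _ in events:
        if cid == client:
            per_minute[ts.replace(second=0, microsecond=0)] += 1
    return max(per_minute.values(), default=0)

def find_slow_scrapers(events, budget=DAILY_RECORD_BUDGET, window=timedelta(hours=24)):
    """Return {client: time its rolling-window record total first exceeded budget}.
    events: time-ordered (timestamp, client_id, records_returned) tuples."""
    recent = defaultdict(deque)   # client -> entries still inside the window
    totals = defaultdict(int)     # client -> records read inside the window
    flagged = {}
    for ts, client, n in events:
        q = recent[client]
        q.append((ts, n))
        totals[client] += n
        while q[0][0] <= ts - window:          # evict entries older than the window
            totals[client] -= q.popleft()[1]
        if totals[client] > budget:
            flagged.setdefault(client, ts)     # keep the first time it went over
    return flagged

def build_sample(start=datetime(2019, 6, 1)):
    """Constructed log: a steady poller reading 115,000 records in a day, plus an ordinary client."""
    day = 86_400
    slow = [(start + timedelta(seconds=i * day / 2300), "client-slow", 50) for i in range(2300)]
    normal = [(start + timedelta(seconds=i * day / 30), "client-normal", 50) for i in range(30)]
    return sorted(slow + normal)

if __name__ == "__main__":
    events = build_sample()
    print("peak req/min:", peak_requests_per_minute(events, "client-slow"))
    for client, ts in find_slow_scrapers(events).items():
        print("over daily budget:", client, "at", ts)
```

The steady poller never exceeds two requests in any minute, so the burst limit stays silent, while the daily budget flags it a little over four hours into the day.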
What to do if you suspect your data was exposed in a Venmo breach
The MOAB data leak included approximately 12 TBs of data from individuals, governments, and businesses worldwide. While Venmo hasn’t publicly acknowledged this massive breach, there are signs that could indicate your data was exposed.
Red flags that indicate you may be compromised
- Unexpected payment requests from friends and family
- Requests for transactions you didn’t initiate
- Multiple login attempts or password reset emails
- Phishing emails with urgent or pressuring language
- Multiple “test” charges on your account that are unrelated to your activities
Immediate steps to take after a Venmo breach

If you notice any red flags indicating a potential Venmo security breach, you need to act quickly. A breach doesn’t mean all your accounts are compromised; it means you should:
Check if your info is on the dark web
Checking to see if your online credentials are compromised is straightforward with tools like HaveIBeenPwned or Cybernews Data Leak Checker. Users who suspect a Venmo data breach can search these sites to see if their email address or phone number was leaked.
Change your password and use 2FA
If you believe your data has been leaked, it’s best to change your Venmo account password. Use strong, unique passwords and never reuse old credentials. Users should also enable 2FA settings to enhance their account’s security.
Check your accounts for unusual activity
A Venmo security breach could expose sensitive information about your bank accounts or credit cards, or help criminals access your credit file. Users should closely monitor these accounts by reviewing monthly statements and online transactions. Don’t ignore small transactions as they could mean that a hacker is “testing” your account before making a large transfer.
Change your Venmo privacy settings
Even if you don’t use Venmo often, it’s wise to change your Venmo payment settings to private. Here’s the process:
- Sign in to your account, and find the Me tab.
- Tap the Settings icon at the top right of the screen.
- Tap Privacy and choose Public, Friends, or Private.
Report the incident
If you were affected by a breach, report it to Venmo support and file a police report. Notify your bank about your concerns so they can freeze your account or issue a new card.
How to protect your Venmo account and personal data moving forward

Developers can improve Venmo’s security issues, but it’s your responsibility to protect yourself moving forward. Proactively safeguarding your data means you should:
Beware phishing attacks and Venmo scams
Threat actors are constantly improving phishing attacks and devising new Venmo scams to trick their victims. You can protect yourself by never clicking suspicious links or sharing your credentials.
Reduce your digital footprint
If you plan to use payment apps, avoid oversharing your personal or financial details. The more information you share, the larger your digital footprint will be, and the more data bad actors have to target you. If you must add a message, include only enough information to identify the transaction (e.g. Dinner or Rent).
How Onerep helps reduce your online exposure
Maintaining your Venmo privacy is just one aspect of reducing your online exposure; there may be security gaps you haven’t considered. Your data could be circulating through hundreds of people search sites and data brokers. These sites are a persistent risk for identity theft and other forms of fraud.
Onerep helps you take control of your digital footprint by:
- Removing your data from 200+ data broker and people-search sites.
- Reducing online risks by eliminating high-risk points that scammers use against you.
- Continuously monitoring and deleting new data profiles that resurface over time.
You can start with a free privacy scan and take the first step toward maintaining stronger personal privacy and cybersecurity practices.
FAQs
Has Venmo had any data breaches?
Venmo hasn’t confirmed a direct system breach, but several data scraping incidents and the company’s inclusion in the MOAB leak have exposed users to future cyberattacks.
Was Venmo hacked today?
There are no new confirmed Venmo hacking incidents. You can check Venmo’s official website, as well as Cybernews or SecurityWeek for updates.
Can someone get your bank account info from Venmo?
Venmo doesn’t reveal your bank account details to other users. However, threat actors can access your account through data scraping or social engineering attacks.
Can people find your info through Venmo?
Yes, especially if you’re still using public settings. Friends can see your transactions, contacts, and attached messages. Change your settings to “Private” to hide your account’s transaction details.
How safe is Venmo?
Venmo is as safe as other payment apps when used responsibly. Set your transactions to private, enable 2FA, and stay up-to-date on common Venmo scams.
Mikalai is a Chief Technical Officer at Onerep. With a degree in Computer Science, he headed the developer team that automated the previously manual process of removing personal information from data brokers, making Onerep the industry’s first fully automated tool to bulk-remove unauthorized profiles from the internet.