Who Can See What You Do on Venmo? You’d Be Surprised.
Even celebrities, politicians, and business leaders unintentionally leave their data public on the app, a CR investigation found. Here's how to protect yourself.
What do the actor Jon Hamm, musician and filmmaker Ahmir “Questlove” Thompson, football-playing brothers and podcasters Travis and Jason Kelce, former Google CEO and billionaire Eric Schmidt, and conservative commentator Tucker Carlson have in common?
Hint: It’s not that they run in the same social circles.
Like millions of other Americans, they—perhaps unknowingly—have left their accounts public on Venmo, the peer-to-peer payment app. That allows the outside world to look through their “friends” contact lists and payment histories—intimate information that offers a window into their private lives. These revealing details can be exploited by scammers, stalkers, divorcing spouses, spies, journalists—or even by friends just wanting to snoop.
Venmo, the digital wallet acquired by PayPal in 2013, has for years resisted calls from privacy groups and regulators to make its users’ accounts fully private “by default”—meaning set to private, instead of public—when customers first download and sign up for the app. At the same time, Venmo has grown rapidly, from 40 million active users five years ago to more than 90 million now, a 125 percent increase.
What We Learned About Famous People on Venmo
With just a little digging, CR was able to find a surprising amount of information about some very famous people.
Hamm’s more than 200-person public contact list includes fellow actors from some of his movies and the hit TV series “Mad Men,” screenwriters, directors, and, perhaps most curiously, several retired professional hockey and baseball players. Nearly all of them had played for either the St. Louis Blues or the Kansas City Royals. Hamm, who was born and raised in Missouri, is an avowed fan of both teams.
For Schmidt—the ex-Google CEO who has dismissed the importance of privacy on tech platforms—we could see, for example, a candid selfie he chose as a profile picture and his open contact list of 263 people. They include fellow billionaire and Uber co-founder Travis Kalanick, CNN political commentator Fareed Zakaria, and Fox business commentator Maria Bartiromo.
Members of Congress, White House aides, Wall Street and Silicon Valley CEOs, and celebrities all have public Venmo profiles, CR found.
While Tucker Carlson’s profile is bare-bones and has no picture, we saw that his contacts include his wife, who does have a profile photo of her and their four children. His contacts also include a number of far-right and controversial political figures like himself: Benny Johnson, James O’Keefe, and Laura Loomer, among others.
Some public figures have even more revealing Venmo profiles, leaving open both contact lists and payment histories. Questlove has a few public payments dating back to 2018 and 2019 and an eclectic contact list, befitting his Grammy- and Academy Award-winning career, including actors, musicians, and producers. Jason Kelce’s account has both open payment descriptions, including recent money transfers for popcorn and beer, and a 732-person contact list. His profile includes a picture of him shirtless while flexing his bicep. Travis Kelce’s profile is comparatively sparse, but both brothers are connected to family members and college teammates at the University of Cincinnati.
CR was able to find all of this despite the repeated, and somewhat embarrassing, disclosures of other public figures’ Venmo accounts over the years, including President Biden’s account in 2019. The president had fewer than 10 Venmo contacts, but one of those was first lady Jill Biden, who, in turn, had an open contact list that allowed BuzzFeed journalists to find Biden’s son, Hunter, grandchildren, and White House staffers. The president’s and first lady’s accounts were quickly deleted.
“If the president of the United States, billionaires, and members of Congress, who have teams to ensure their privacy, can’t get their Venmo privacy settings in the right place, how can we expect regular Americans to do so?” says Gebhart, of the Electronic Frontier Foundation.
Why You Want to Keep Your Venmo Data Private
Because of the open nature of some of the accounts we found, their owners are at increased risk of stalking, fraud, and cyber attacks, privacy experts say.
“Spear phishing” scams usually target specific people using fake, imposter email accounts and rely on information culled from a variety of public sources, such as Venmo and LinkedIn. The goal is to convince fraud victims to disclose even more sensitive data, such as login credentials and credit card details, but it’s also used by foreign actors and criminal organizations to spy and obtain proprietary and confidential info. Americans who use social media at least once every two weeks were substantially more likely to have personally encountered a cyberattack or digital scam attempt than those who don’t use social media, according to a nationally representative CR survey (PDF) of 2,042 U.S. adults published in April 2024.
Venmo, like other digital wallets and banking apps, is also a particular target for financial fraud. In another CR survey published this year (PDF), roughly 1 in 10 peer-to-peer payment app users said they had lost money to a scam that they did not get back. The Better Business Bureau has warned consumers of fake, impersonated Venmo accounts being used to request money from users. Michigan’s attorney general has flagged an increasingly sophisticated Venmo scam involving stolen funds being “accidentally” sent to an account along with a request to “send the money back”—allowing the scammer to access the stolen funds at the expense of the well-meaning Venmo user.
In response to questions from Consumer Reports, Schmidt and the Kelce brothers declined to comment and Carlson, Hamm, and Questlove did not respond to our requests for comment. In several cases, the accounts we found were either taken down or locked after we told their owners that they were publicly accessible.
In a statement to Consumer Reports, PayPal’s senior vice president and general manager of its consumer division, John Anderson, said that privacy and security, including fraud prevention efforts at Venmo, have long been one of the app’s “top priorities” and that they are “constantly listening to our users to strengthen and evolve the platform while staying true to the social aspects they’ve come to know and love.”
How to Make Your Venmo Settings Private
‘A Patch on a Gaping Wound’
When Venmo was started in 2009, it was envisioned as a music app that allowed concertgoers to buy recordings of live shows directly through a text message. By the time Venmo was acquired by PayPal in 2013, it had evolved into a digital wallet that allowed its mostly under 40-year-old customer base to quickly send money to each other. “Just Venmo me” quickly became a common refrain at restaurants, bars, and shows across the country when friends needed to pay back other friends for footing the bill.
When you sign up for Venmo, your Facebook friends and phone contacts can be automatically imported as your Venmo contacts, all by cross-referencing your contacts’ phone numbers with their corresponding Venmo accounts, if they exist. It happens in just a few seconds.
The app also made it pretty difficult to turn on the private privacy setting for required payment descriptions—short text memos, emojis, or a combination of both. Today, payment details are still set to “public” when you sign up for Venmo. Few users read through the fine print to select “friends-only” or “private” privacy settings.
Until several years ago, there was also a “global” social feed where, upon logging in, you could see who was paying whom, even if you didn’t know them. At one point, Venmo even allowed tech-savvy users to access and download all of Venmo’s data via a public application programming interface, or API.
To this day, many unsuspecting users publicly post who they’ve sent or received money to and from, the date of those transfers, and payment descriptions. Payment details are also shared, by default, to any “Venmo Group” you’re subscribed to, a relatively new feature used to divvy up big group expenses like a dinner bill or travel costs. In some cases, those descriptions include a veritable font of personal information—doctors’ appointments, bank details, intimate notes, and a seemingly endless number of tongue-in-cheek emojis. (You can tell when payments are public by the “world” icon next to the transaction date.)
For more than a decade, Venmo has defended its default privacy settings, arguing that it’s a way for the platform to be fun and engaging like a social network, such as Facebook or Instagram. Analysts who follow the company also note how PayPal, Venmo’s parent company, has long held ambitions to monetize its users’ info as aggregated transaction data for businesses looking to sell to younger consumers. In 2015, Venmo’s then-CEO called its users’ social data the app’s “secret sauce.”
Regulators and privacy advocates have called Venmo’s privacy settings, at best, confusing and mostly lost on those who signed up for the app years ago and have forgotten about what privacy settings they have.
In 2018, the Federal Trade Commission filed a complaint against Venmo, alleging that it had intentionally misled consumers by making it purposefully difficult to lock down their payment details. In its settlement with the company, the FTC required Venmo to make its privacy settings “difficult to miss” and “easily understandable to ordinary consumers.”
“This is such clearly sensitive information, and it’s clear a lot of people would be really uncomfortable with having this information out there.”
Electronic Frontier Foundation
Since then, Venmo has slowly made some changes to its app, including clearer privacy disclosures. And it removed its social feed of all users’ payment histories in July 2021, shortly after BuzzFeed journalists reported finding President Biden’s Venmo account in less than 10 minutes using nothing more than the app’s search function. Social feeds are now limited to your personal networks.
In the past, Venmo’s public profiles have been used in a number of ways that underscore the real-world issues of a digital wallet that doubles as a social network.
In 2019, a viewer of “The Bachelor” uncovered the winner of the ABC reality show, months before it was revealed publicly, by reportedly scrolling through Venmo payments and spotting connections between the bachelor’s contacts and that season’s winner. In 2023, The Guardian reported that a former top aide to Supreme Court Justice Clarence Thomas was paid several times by lawyers who had business before the court, including one who successfully argued to end race-based affirmative action at U.S. universities. (The payments appeared to have been connected to the justice’s 2019 Christmas party, according to The Guardian.) This year, Wired found Republican vice presidential nominee JD Vance’s public Venmo account, with more than 200 contacts ranging from tech executives and media personalities, like Carlson, to Jeff Flake, the anti-Trump former U.S. senator, and a host of government lobbyists.
Law enforcement agencies have also turned to Venmo as a rich source of investigative material, using the app to aid probes into the drug overdose death of the late rapper Mac Miller and alleged underage sex trafficking and prostitution involving U.S. Rep. Matt Gaetz (R-Fla.).
Privacy experts have sounded the alarm about Venmo for nearly as long as the app has been around. In 2018, a developer and designer in Berlin analyzed a year’s worth of public Venmo payments—nearly 208 million transactions representing about 8 million Venmo users. Aside from documenting the mostly mundane daily lives of those with public payment histories, the report found some interesting trends: The most common note attached to payments included the word “pizza” or the pizza emoji nearly 3 million times. The developer was also able to plot out users’ rent payments, who their roommates were and with whom they shared taxi and Uber rides, their group work and personal trips, and, in the example of one individual, scores of drug deals they were involved with—personal details that are far too revealing, experts say.
In 2022, a team of researchers from the University of Southern California and the University of Texas analyzed 389 million public Venmo payment messages over an eight-year period. Their peer-reviewed paper, “I know what you did on Venmo,” detailed how Venmo users had unintentionally revealed their most personal information in payment descriptions: bank account passwords, membership in biker gangs and criminal organizations, details of Alcoholics Anonymous groups, and sensitive health information, among others.
“Since the report came out, I’ve taken a more active role with my friends on Venmo,” said Jelena Mirkovic, an associate research professor and project leader at the USC Information Sciences Institute and a co-author of the Venmo report. “I recently paid for window washing and I said to [the contractor], ‘Hey, do you know that your profile is public.’ The person didn’t know and they were like, ‘Oh, thank you, I’m going to make it private.’ And I keep saying it to everyone I know.”
Mirkovic and her team asked Venmo whether the company would share its data with researchers. Mirkovic said Venmo didn’t respond—but the company did end up paying the USC and Texas researchers $1,899 as part of its “bug bounty” program because they spotted software bugs in the app when doing their study.
Mirkovic said the few changes Venmo has made to its privacy policies over the years still fall far short. “It’s a patch on a gaping wound,” she said.
The researchers found one encouraging trend: An increasing number of Venmo users were opting to make their payment settings private, up from 25 percent of users in 2013 to 37 percent in 2018. Venmo hasn’t released such figures, so it’s unclear whether that trend has continued as the app’s user base has grown. But a 2018 poll by the Mozilla Foundation and Ipsos found that 77 percent of Americans opposed public-by-default settings on financial apps.
Venmo’s New Plans for Making Money Raise New Concerns for Consumers
Even though Venmo has wide brand recognition and a sizable share of the market for Millennial and Generation Z consumers, the app has never been a huge profit generator for PayPal. Venmo makes up less than 20 percent of PayPal’s total operating revenues, analysts have found. (PayPal doesn’t publicly report Venmo’s revenues.)
Venmo’s current business model looks like this: For the vast majority of those who use Venmo, the app is free, with Venmo absorbing any related processing costs for money transfers. For payments made to one of 3 million participating businesses, Venmo charges the merchant a 2.99 percent transaction fee. If a Venmo user opts to pay certain big brands on checkout with Venmo funds, such as Starbucks, McDonald’s, DoorDash, and DraftKings, they can do so directly in the app, with the seller being charged a 3.49 percent fee, plus an additional 49 cents, per transaction. Venmo also gets a 1.75 percent fee for customers who want to withdraw money instantly instead of waiting a few days and interchange fees from merchants when their customers use Venmo debit and credit cards. All of those fees generate modest revenues, analysts say.
PayPal’s new CEO, Alex Chriss, has also been looking for other ways to generate revenue, marketing Venmo as part of a new kind of bundled banking product. New Venmo features include a free, early paycheck direct deposit program; Venmo accounts for teenagers, with parental supervision; and the ability to buy cryptocurrencies using Venmo. The goal, Venmo says, is to bring in new customers into the app “so they can transact with Venmo in more ways.”
But Venmo’s true profit potential, analysts say, lies in its long-running plan to monetize its users’ social feeds by sharing transaction data to businesses looking for younger customers.
“The most effective form of advertising is word of mouth. But it takes time—years—to build that enrolled base of known users. Just look at Facebook,” says Richard Crone, a mobile banking expert who runs Crone Consulting in Silicon Valley. “So if you can get a net new sale solely through someone’s social feed, merchants will happily extend discounts and build on that.”
In January, Venmo launched enhanced “business profiles” as a program for 3,500 companies in Seattle. The program allowed participating businesses to target discounts and promotions to Venmo users. That allows those users to share details of those payments publicly and, in turn, promote them in their social feeds. Venmo also tracks users’ geolocation data, which can be used to advertise to those that are close by.
Venmo doesn’t sell individual user data to merchants but aggregates its users’ transaction data and then shares it for “targeted” marketing. Last week, PayPal also announced the launch of its own digital advertising sales arm that uses aggregate customer data from more than 400 million active users of PayPal, Venmo, and Honey, the shopping and rewards website browser extension it acquired in 2020 for $4 billion.
However, Venmo’s plans to make money from its users’ data may soon face new regulatory challenges. The Consumer Financial Protection Bureau’s soon-to-be-finalized Financial Data rule could potentially limit how companies like Venmo use and share consumer information and make it easier for consumers to opt out of their data being sold for marketing purposes. That would, in turn, make it difficult for Venmo to monetize the social parts of the app. The CFPB is expected to finalize the rule in the coming months.
A Note on Methodology: How We Confirmed Venmo Profiles of the Rich and Famous
Consumer Reports analyzed the public payment descriptions and contact lists of more than 150 Venmo users, both prominent public figures and private citizens, to gauge their public accessibility. Venmo no longer has an open API for its user data and employs fraud-prevention techniques to limit the activity of suspicious users. So we relied on dozens of active and authentic accounts to perform our searches.
To authenticate accounts, we looked for professional linkages and more personal familial and friend relationships across Venmo’s social network. In some cases, we created sociograms—visual representations of the relationships among a group of people—to analyze the data. We then took our findings, including screenshots of profiles and crude analyses of their contact lists, back to those public figures, for any additional comment, and for confirmation that the accounts were, in fact, theirs.
Both Venmo payment histories and contact lists are limited in several key ways, including individual users’ use of privacy settings, the automated or manual addition or removal of individual contacts, and the partial and incomplete nature of contact lists, with synced Facebook and phone contacts oftentimes reflecting a single point in time, sometimes years in the past.
Editor’s Note: Our work on privacy, security, AI, and financial technology issues is made possible by the vision and support of the Ford Foundation, Omidyar Network, Craig Newmark Philanthropies, and the Alfred P. Sloan Foundation.