Whisper, an anonymous secret-sharing mobile app that rose to prominence more than half a decade ago, has been inadvertently exposing sensitive information about its users for years through a public online database, according to The Washington Post .

The popular app, is still used by more than 30 million people a month, some of whom are under the age of 18 and share confessions about teenage problems . According to The Post, which was actively able to query the database in real time before Whisper took it down, a search for users who listed themselves as 15 years of age returned as many as 1.3 million results.

The database did not include real names, as Whisper was designed to protect users’ identities and allow them to share secrets anonymously. But the records left unprotected online included information like age, location, ethnicity, residence, in-app nickname, and membership in any of the app’s groups.

The records didn’t just include current users, either. According to security researchers Matthew Porter and Dan Ehrlich, who run the firm Twelve Security, the database comprised nearly 900 million user records from the app’s release more than eight years to the present day, The Post reports. Porter and Ehrlich said they notified federal law enforcement of the situation, as well as Whisper, prior to contacting The Washington Post. “This has very much violated the societal and ethical norms we have around the protection of children online,” Ehrlich told The Post, adding that MediaLab’s actions here have been “grossly negligent.”

MediaLab is disputing the researchers’ findings, saying the information was meant to be public-facing and provided by the users themselves as a feature of the app. In particular, location sharing was designed to add authenticity to posts in which someone’s location or status, like an active military member, was relevant.