If you've used Venmo in the past year, there's a good chance Hang Do Thi Duc knows more about you than you might like.
Do Thi Duc, a 27-year-old coder and privacy researcher in Berlin, gleaned a surprising amount of info from the nearly 208 million public transactions made on Venmo last year. She could do this because, according to research she released Tuesday, more than 18 million Venmo users never changed the platform's default settings, which make all of their transactions public.
She has, for example, followed the lives of a Southern California couple paying off a loan while regularly ordering pizza and taking their dog to the vet. She's on to the guy in Santa Barbara, California, who makes a living selling marijuana treats with names like "Gorilla cookies." And she's watched a romantic relationship develop between two Texans who flirted in the comments section of a payment. (She can't, however, say how things turned out, because the couple eventually took their conversation elsewhere.)
"There are some people who are intentionally public, but there are a lot of people who are not aware of this public by default setting," Do Thi Duc said. "Whether you're sharing this data consciously or unconsciously, you should think about who can access it and what things they could do [with it]."
Venmo is a handy app that makes it easy to make payments and request money electronically. The app, which launched in 2009, is especially popular with millennials, who use it to pay rent, split dinner, or chip in for groceries. Uber also added it as a payment option last week.
Venmo doesn't disclose its total number of users, but Verto Analytics estimates that the platform, owned by PayPal (PYPL), has 10 million monthly active users. But users who think only friends can see their transactions are mistaken, said Do Thi Duc.
She began using Venmo frequently as a student in New York City. At first, she had no idea all of her transactions were public, and figured she probably wasn't alone in that. So she set out to determine just how easily accessible all that information is, and what she might learn from it.
Venmo declined to say why it makes full public disclosure the default setting, but a company spokesperson told CNNMoney that "the safety and privacy of Venmo users and their information is one of our highest priorities."
"Our users trust us with their money and personal information, and we take this responsibility and applicable privacy laws very seriously. Like on other social networks, Venmo users can choose what they want to share on the Venmo public feed," the spokesperson said.
Related: Having more control over your data doesn't mean it's safe
The research turned up some interesting details about the payments platform. Nearly 3 million transactions involved pizza (or the pizza emoji), and the first weekend in December was the platform's busiest period last year.
Of greater interest, or concern, might be that Do Thi Duc read several intimate conversations between users in the comments section, and identified more than 1 million unique last names. She also learned a lot about people's eating habits, like the woman with several friends in Mexico City who racked up 2,033 transactions for sodas, pizza, coffee, booze, and donuts in eight months.
But Do Thi Duc's work suggests that Venmo's default setting leaves users vulnerable to potentially embarrassing revelations or even dangerous situations like stalking.
While some people may not care that their transactions are public, a timeline of user behavior and payments could leave their data exposed to marketers and advertisers. Such information can reveal when and where people are spending money — and with whom. And that info also could be used to target ads or track consumers.
"The way people behave online is extremely valuable to companies," said Tami Kim, assistant professor of marketing at the University of Virginia's Darden School of Business. "It could be incredibly valuable to have a sense of how people exchange resources like money, and what kind of purchase behaviors they engage in."
Law enforcement could also use payment information to investigate illegal activity like drug dealing. Although it's unlikely the police would act solely on Venmo data, it could be an important source of information.
"You're basically having people testify against themselves in transaction comments about illicit activity," said Mike Chapple, who teaches business analytics and cybersecurity courses at the University of Notre Dame's Mendoza College of Business.
Related: California passes strictest online privacy law in the country
An immediate solution is to change your default options.
Go to Settings and then Privacy. From there, you can choose to share your transactions with the public, only friends or just the person with whom you're exchanging money. (You can change the status of previous transactions retroactively, too.)
Experts say many people presume their default settings are private until they opt to share something. But "Venmo underscores those assumptions aren't valid," Chapple said. "We need to make sure we [know] what permission we're sharing."
In the absence of comprehensive privacy regulations in the United States, experts say consumers must understand their privacy settings and know what they're sharing publicly.
"Unfortunately, it does rest on the backs of consumers," Chapple said. "In the US we don't have a legal framework for privacy. We have a patchwork of privacy laws."
But companies should make a bigger effort too, according to Kim, the University of Virginia professor.
"Consumers often times are unaware of all the specific ways their privacy can be intruded upon. It [should] be the responsibility of the company to communicate everything upfront and be transparent," she said.
Until then, pay attention to your settings — unless you're comfortable with everyone knowing you shared 280 Cokes with 37 people last year.