Venmo Privacy – Source of Suggested Friends List

Tags: privacy, venmo

I just signed up for a new Venmo account. I did this on my desktop through the web interface rather than on my phone, so none of my phone data is available to it. I do not have a Facebook account, so did not link to one. I do not use Contacts features in email apps, etc., instead managing my contacts manually using files that my web browser does not know how to find. I have not yet linked to any friends, so it can't look up friends-of-friends.

So when Venmo presented me a list of suggested friends and told me "This list is based on your network," I was baffled where it drew this list from. About half the people on this list are people I interact with regularly or semi-regularly. Others are people I have little interaction with or have not spoken to in years, and two are names I don't recognize at all.

Where is Venmo getting this list from?

Best Answer

I don't know for sure what mechanisms Venmo uses specifically, and I suspect that anyone who does is under non-disclosure, but it is common practice for "social" apps to use a number of signals to make correlations to construct your potential social graphs. See, for example, this very recent article on Facebook's "People You May Know": How Facebook Outs Sex Workers

Even though you did not give access to your Contacts, it's possible that (as many apps do) others close to you in your social circles have given access to Venmo / PayPal / eBay for their contacts, and that may be what populates (part of) Venmo's social graph. Using the same email or phone number for Venmo that you use for other social apps or services could also potentially be compromising you. Venmo has a rather extensive description in their Privacy Policy "THE INFORMATION WE COLLECT" section on Social Web and other information they collect: Venmo Privacy Policy

Location is also a strong signal, and it can come from Location access given to apps (which extends to 3rd-party code running in those apps that can then share or aggregate behind the scenes), or simply coming into proximity of one or more of the same WiFi access points.

If a good correlation can be made to some of your close contacts through some of the available signals, then it's an easy leap to mine their Facebook and other public profiles and graphs to suggest friends of friends (you are likely to know many of these people).

Also in THE INFORMATION WE COLLECT: "Finally, we may collect additional information from or about you in other ways not specifically described here." which means pretty much anything goes. For example, it could include information from data brokers who have aggregated a broad array of data about you and your associations over time.
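The contact-upload mechanism described in the answer above, as an added illustration that is not part of the original answer and is not Venmo's code: the account names, address books and ranking rule are constructed assumptions. It shows how a user who shares no contacts still acquires a graph from other people's uploads, keyed on the email or phone number used at signup.

```python
from collections import Counter

# Constructed sample data: address books uploaded by three existing accounts.
# The new user appears in two of them despite never sharing any contacts.
UPLOADS = {
    "alice": ["New.User@example.com", "+1 (555) 010-0001", "carol@example.com"],
    "bob": ["new.user@example.com ", "carol@example.com", "dave@example.com"],
    "erin": ["frank@example.com", "carol@example.com"],
}


def normalize(identifier):
    """Canonicalise an email or phone number so one person matches across uploads."""
    ident = identifier.strip().lower()
    if "@" in ident:
        return ident
    return "".join(ch for ch in ident if ch.isdigit())  # phones: digits only


def suggest_friends(signup_identifier, uploads):
    """Build suggestions for a user from other accounts' uploads alone.

    Returns (direct, second_degree):
      direct        - accounts whose address book contains the new user
      second_degree - identifiers co-occurring with the new user in those
                      books, most frequent first (ties broken alphabetically)
    """
    me = normalize(signup_identifier)
    books = {acct: {normalize(c) for c in contacts}
             for acct, contacts in uploads.items()}
    direct = sorted(acct for acct, book in books.items() if me in book)
    co_occurring = Counter()
    for acct in direct:
        co_occurring.update(books[acct] - {me})
    second_degree = sorted(co_occurring, key=lambda i: (-co_occurring[i], i))
    return direct, second_degree


if __name__ == "__main__":
    direct, second = suggest_friends("new.user@example.com", UPLOADS)
    print("have you in their contacts:", direct)
    print("co-occurring identifiers:", second)
```

Signing up with an identifier that appears in nobody's upload yields empty lists, which is why a service-specific email alias or number removes this particular join key.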