>DRIVERS LICENSES AND FACE PICS! GET THE FUCK IN HERE BEFORE THEY SHUT IT DOWN!
>Tea App uploads all user verification submissions to this public firebase storage bucket with the prefix "attachments/": [link, now offline]
>Yes, if you sent Tea App your face and drivers license, they doxxed you publicly! No authentication, no nothing. It's a public bucket. I have written a Python script which scrapes the bucket and downloads all the images, page by page, so you can see if you're in it: [pastebin link]
>The censoring in picrel was added by me. The images in the bucket are raw and uncensored. Nice "anonymous" app. This is what happens when you entrust your personal information to a bunch of vibe-coding DEI hires.
>I won't be replying to this or making any more threads about it. I did my part, God bless you all. Regards, anon
Being so careless with people's personal data should be a major crime, tbh. If I manipulated thousands of people to let me scan their passports and various other bits of personal info, then just left the copies around the city for people to find, I'd be prosecuted, and rightfully so.
Isn't this basically Peeple except gender locked to women? Peeple failed because they couldn't eliminate bias and gossip against anyone. If someone was jealous of another, for example, that person could just write false slander and claim it was real with no evidence. That would have affected the victim for jobs, dates, etc. So it was laughed at by VCs and everyone online and it shut down.
How is Tea even legal? Isn't this just a legal libel timebomb waiting to happen?
We need to stop allowing companies that are not directly engaged in financial services to request government IDs.
Facebook shouldn't legally be allowed to demand an ID any more than this disaster of an "app."
Now tens of thousands of people will be subject to identity theft because someone thought this was a neat growth hacking pattern for their ethically dubious idea of a social networking site.
> The app aims to provide a space for women to exchange information about men in order to stay safe, and verifies that new users are women by asking them to upload a selfie.
What exactly does this mean? Which information is exchanged without consent of these people? This seems to me more problematic than the actual topic of the data breach.
Maybe this is a good time to think about what policy could help discourage these horrific practices (it sounds like their storage was unprotected)
* App Store review requires a lightweight security audit / checklist on the backend protections.
* App Store CTF Kill Switch. Publisher has to share a private CTF token with Apple with a public name (e.g. /etc/apple-ctf-token ). The app store can automatically kill the app if the token is ever breached.
* Publisher is required to include their own sensitive records ( access to a high-value bank account) within their backend . Apple audits that these secrets are in the same storage as the consumer records.
We need a more nuanced headline here. They did nothing responsible. 404 should title this story with something that will blame them first and the 'hackers' 2nd.
Outsourcing job was it? Modern programmers are literally terrible at all basic stuff (who stores ID images in the db and then in the clear, do you have many other mental issues or what?) (I see startups like Resend making the same mistakes and still people use them, so there isn't much punishment even from people with half a brain) and AI is going to make it all so much worse. And a public bucket. I think it should be criminally liable to be that sloppy.
I'm a firm believer that if you want to start a tech company, at least one of the founders has to have a technical background. Even if you outsource all the work, you need to be able to ask the right questions related to security.
It's not just that this database was accessible via the internet. It was all public data. Storing people's IDs in a public database is just... wow.
Sad that a common response to "we might not want this app to exist" is "well, if you weren't cheating, you wouldn't have a problem with it".
Why do people want to live in a panopticon of their own creation, with random anonymous strangers morally policing, judging each other with zero consequence to them?
Don't think we'll ever learn our lesson when it comes to privacy, it will be Eternal September forever.
It's almost poetic that this happens on the same day UK demands website to collect personal identification. I'm looking forward to the shitshow in the upcoming months.
Is there a way, to verify if potential partner uses this app? Or if they are in "are we dating the same guy" type of group?
I take doxing, stalking, revenge porn and cyber bullying very seriously! And I would pay good money for a background check, to stay away from such people.
A flash in the pan gossip app that when it functions normally is not worried about anyone's privacy / accuracy ... also doesn't care about good policies or their user's privacy.
In 2008 when the GFC every company we worked IT for on contract fired their IT staff first. Two weeks later, we had bonanza period right through into the next year. They realised the hard way that those lowly cheap IT staff were quietly keeping them afloat. We charged a lot to fix their problems they created because their CEO thought IT was a waste of money.
This will prove security in IT coding is necessary, so enjoy watching the drama unfold.
On X, one of the leaked pictures seemed to be a DoD ID card, and I wondered why Tea needed proof of someone's identity. Then I remembered Uber and Lime both want your drivers license. Facebook and Instagram supposedly request it too if your account gets locked. This is not a new normal I like.
for someone who thought Tea was a good idea, what would be the objection be if this leaked contributor data were used to populate a similar app to warn men off?
I’d like to start seeing legal jeopardy for companies that are careless with customer information. Make developers scared to retain anything they don’t absolutely need.
if im understanding correctly this was a public bucket? aside from the obvious leaking of data couldnt this also be subject to a DoW (denial of wallet) attack where a user could auto download all the images constantly on a VPS and cause a massive bill?
it should have never been allowed to be published anyway. not trying to justify what is happening, but these kind of apps are historically abused and create more problems than they intentionally try to solve.
"An app was created to help women stay safe on dates and avoid creeps, proceeds to be hacked by creeps"
Not a great look here.
However, Tea could have done a modicum of cybersecurity work (or hired an outside firm) to prevent this. If they are claiming to want to keep women safe (and not just running a gossip board) then this should be a red alert for them.
No public acknowledgement is concerning...
- The fact that this app exists solidifies the data that a small group of men/women do most of the dating on tinder etc while the vast majority land dates far less if none at all.
- This creates distorted market supply and demand where those small group of men/women become sought after and its only human nature in that they value their supply less than the rest.
- Toxic behavior is expected from that small group of highly attractive people that do all the dating.
- It was only a matter of time before such app would run into legal issues or attract angry individuals. Now the damage to the leaked identities will be prolonged. With the AI tech today, the extent to which a damage can be done is unknown (ex. deepfake, impersonations, further doxxing).
- Tea user's driver licenses as well as selfies, usernames, emails, posts about their dates will drastically increase the surface area for lawsuits, fraud and exploitation by malicious agents.
- The users of this site and those that have directly posted images, details have opened themselves up to significant legal and criminal liability. Given these apps were probably popular in large city centers like California, NY have heavy punishment for digital harassment and privacy violations on top of the damages that can be claimed against them by the men who's information and details were posted.
- Tea is largely insulated from what the users post which means that their biggest exposure might be just neglect and failure to secure data which comes with a slap on the wrist.
Which will make it harder for Tea's userbase to claim large damages against it.
I read more details about this case and its beyond egregious. Unencrypted firebase and full public buckets. There is no hacking involved, the tokens were being used to pull data from roughly all 30,000 users of Tea and were only blocked short while ago.
Allegedly, 60GB of photos, user personal information, driver license, gps data being shared on torrent. A map of all 30,000 users tied to GPS data is being posted as well.
Given the extreme neglect to secure their data, I now believe Tea will be open to even bigger legal liability possibly criminal even.
This is such excruciating incompetence by the app developers I'm wondering if it was intentional. Done to punish the women who dared to speak up about vile men.
I just hope they can pursue legal action for this, whether it was a deliberate trap or not.
The trend has been for all things related to sex, dating and relationships to be aggressively male hostile. But I think it's certainly peaked. Off topic, any notice how anti -male bumble is? Trash app.
Not to get all conspiratorial, but if I was an incel, or other type of woman-hating-man, with an axe to grind, creating an app to "protect" women and their dirty secrets, then having their data "breached" would be a pretty diabolical revenge plan. Only women can join the app, but the only person running the app is a man? Nothing suspicious about that...
- The fact that this app exists solidifies the data that a small group of men/women do most of the dating on tinder etc while the vast majority land dates far less if none at all.
- This creates distorted market supply and demand where those small group of men/women become sought after and its only human nature in that they value their supply less than the rest.
- Toxic behavior is expected from that small group of highly attractive people that do all the dating.
- It was only a matter of time before such app would run into legal issues or attract angry individuals. Now the damage to the leaked identities will be prolonged. With the AI tech today, the extent to which a damage can be doned with the information from the leaks is unknown.
- As for the company behind Tea, they are done. They face a monumental class action lawsuit as well as ongoing individual civil/criminal cases that will arise from the leaked identities, in particular the photo of driver licenses as well as selfies, usernames, emails drastically increase the surface area for damages.
- The users of this site and those that have directly posted images, details have opened themselves up to significant liability from not only the men they have targeted but from law enforcement.
- We'll see some new laws being formed from this case. Once again, we see the hidden dangers of blindly trusting large popular platforms with sensitive data but the twist with Tea here is the defamation activity that opens up its users to both civil and criminal liability.
Women dating safety app 'Tea' breached, users' IDs posted to 4chan
(404media.co)478 points by gloxkiqcza 21 hours ago | 613 comments
Comments
Freewalled
>DRIVERS LICENSES AND FACE PICS! GET THE FUCK IN HERE BEFORE THEY SHUT IT DOWN!
>Tea App uploads all user verification submissions to this public firebase storage bucket with the prefix "attachments/": [link, now offline]
>Yes, if you sent Tea App your face and drivers license, they doxxed you publicly! No authentication, no nothing. It's a public bucket. I have written a Python script which scrapes the bucket and downloads all the images, page by page, so you can see if you're in it: [pastebin link]
>The censoring in picrel was added by me. The images in the bucket are raw and uncensored. Nice "anonymous" app. This is what happens when you entrust your personal information to a bunch of vibe-coding DEI hires.
>I won't be replying to this or making any more threads about it. I did my part, God bless you all. Regards, anon
Being so careless with people's personal data should be a major crime, tbh. If I manipulated thousands of people to let me scan their passports and various other bits of personal info, then just left the copies around the city for people to find, I'd be prosecuted, and rightfully so.
How is Tea even legal? Isn't this just a legal libel timebomb waiting to happen?
Facebook shouldn't legally be allowed to demand an ID any more than this disaster of an "app."
Now tens of thousands of people will be subject to identity theft because someone thought this was a neat growth hacking pattern for their ethically dubious idea of a social networking site.
> The app aims to provide a space for women to exchange information about men in order to stay safe, and verifies that new users are women by asking them to upload a selfie.
What exactly does this mean? Which information is exchanged without consent of these people? This seems to me more problematic than the actual topic of the data breach.
* App Store review requires a lightweight security audit / checklist on the backend protections.
* App Store CTF Kill Switch. Publisher has to share a private CTF token with Apple with a public name (e.g. /etc/apple-ctf-token ). The app store can automatically kill the app if the token is ever breached.
* Publisher is required to include their own sensitive records ( access to a high-value bank account) within their backend . Apple audits that these secrets are in the same storage as the consumer records.
1st sentence: "exposed database"
We need a more nuanced headline here. They did nothing responsible. 404 should title this story with something that will blame them first and the 'hackers' 2nd.
Drivers licenses can be faked. Moreover, someone can just pretend to be someone else on this app with real drivers licenses.
The whole premise, implementation and process of Tea as a social media app is flawed, and a legal liability for the devs.
It's not just that this database was accessible via the internet. It was all public data. Storing people's IDs in a public database is just... wow.
Why do people want to live in a panopticon of their own creation, with random anonymous strangers morally policing, judging each other with zero consequence to them?
Don't think we'll ever learn our lesson when it comes to privacy, it will be Eternal September forever.
Women are anonymously spilling tea about men in their cities on viral app - https://news.ycombinator.com/item?id=44682914 - July 2025 (17 comments)
Apple had no issue mass censoring Parlor and others, how is an app like this able to reach #1 under all?
I take doxing, stalking, revenge porn and cyber bullying very seriously! And I would pay good money for a background check, to stay away from such people.
That seems about right.
https://www.teaforwomen.com/data-breach
This will prove security in IT coding is necessary, so enjoy watching the drama unfold.
IT security bonanza time. It wont be long.
RIP
https://x.com/vxunderground/status/1948850061493850598
Not a great look here.
However, Tea could have done a modicum of cybersecurity work (or hired an outside firm) to prevent this. If they are claiming to want to keep women safe (and not just running a gossip board) then this should be a red alert for them. No public acknowledgement is concerning...
- This creates distorted market supply and demand where those small group of men/women become sought after and its only human nature in that they value their supply less than the rest.
- Toxic behavior is expected from that small group of highly attractive people that do all the dating.
- It was only a matter of time before such app would run into legal issues or attract angry individuals. Now the damage to the leaked identities will be prolonged. With the AI tech today, the extent to which a damage can be done is unknown (ex. deepfake, impersonations, further doxxing).
- Tea user's driver licenses as well as selfies, usernames, emails, posts about their dates will drastically increase the surface area for lawsuits, fraud and exploitation by malicious agents.
- The users of this site and those that have directly posted images, details have opened themselves up to significant legal and criminal liability. Given these apps were probably popular in large city centers like California, NY have heavy punishment for digital harassment and privacy violations on top of the damages that can be claimed against them by the men who's information and details were posted.
- Tea is largely insulated from what the users post which means that their biggest exposure might be just neglect and failure to secure data which comes with a slap on the wrist. Which will make it harder for Tea's userbase to claim large damages against it.
I read more details about this case and its beyond egregious. Unencrypted firebase and full public buckets. There is no hacking involved, the tokens were being used to pull data from roughly all 30,000 users of Tea and were only blocked short while ago.
Allegedly, 60GB of photos, user personal information, driver license, gps data being shared on torrent. A map of all 30,000 users tied to GPS data is being posted as well.
Given the extreme neglect to secure their data, I now believe Tea will be open to even bigger legal liability possibly criminal even.
Ugh. I’m clearly getting old. I don’t even remember the last time I went to 4chan.
https://pastebin.com/CPBiqd1E
Edit: Nevermind, looks like Tea has been around for quite some time already. But it kinda flew under the radar with a fairly small user base.
But yeah please tell me how "we care about your privacy"
I just hope they can pursue legal action for this, whether it was a deliberate trap or not.
- The fact that this app exists solidifies the data that a small group of men/women do most of the dating on tinder etc while the vast majority land dates far less if none at all.
- This creates distorted market supply and demand where those small group of men/women become sought after and its only human nature in that they value their supply less than the rest.
- Toxic behavior is expected from that small group of highly attractive people that do all the dating.
- It was only a matter of time before such app would run into legal issues or attract angry individuals. Now the damage to the leaked identities will be prolonged. With the AI tech today, the extent to which a damage can be doned with the information from the leaks is unknown.
- As for the company behind Tea, they are done. They face a monumental class action lawsuit as well as ongoing individual civil/criminal cases that will arise from the leaked identities, in particular the photo of driver licenses as well as selfies, usernames, emails drastically increase the surface area for damages.
- The users of this site and those that have directly posted images, details have opened themselves up to significant liability from not only the men they have targeted but from law enforcement.
- We'll see some new laws being formed from this case. Once again, we see the hidden dangers of blindly trusting large popular platforms with sensitive data but the twist with Tea here is the defamation activity that opens up its users to both civil and criminal liability.