Isn't this basically Peeple except gender locked to women? Peeple failed because they couldn't eliminate bias and gossip against anyone. If someone was jealous of another, for example, that person could just write false slander and claim it was real with no evidence. That would have affected the victim for jobs, dates, etc. So it was laughed at by VCs and everyone online and it shut down.
How is Tea even legal? Isn't this just a legal libel timebomb waiting to happen?
We need to stop allowing companies that are not directly engaged in financial services to request government IDs.
Facebook shouldn't legally be allowed to demand an ID any more than this disaster of an "app."
Now tens of thousands of people will be subject to identity theft because someone thought this was a neat growth hacking pattern for their ethically dubious idea of a social networking site.
>DRIVERS LICENSES AND FACE PICS! GET THE FUCK IN HERE BEFORE THEY SHUT IT DOWN!
>Tea App uploads all user verification submissions to this public firebase storage bucket with the prefix "attachments/": [link, now offline]
>Yes, if you sent Tea App your face and drivers license, they doxxed you publicly! No authentication, no nothing. It's a public bucket. I have written a Python script which scrapes the bucket and downloads all the images, page by page, so you can see if you're in it: [pastebin link]
>The censoring in picrel was added by me. The images in the bucket are raw and uncensored. Nice "anonymous" app. This is what happens when you entrust your personal information to a bunch of vibe-coding DEI hires.
>I won't be replying to this or making any more threads about it. I did my part, God bless you all. Regards, anon
Being so careless with people's personal data should be a major crime, tbh. If I manipulated thousands of people to let me scan their passports and various other bits of personal info, then just left the copies around the city for people to find, I'd be prosecuted, and rightfully so.
> The app aims to provide a space for women to exchange information about men in order to stay safe, and verifies that new users are women by asking them to upload a selfie.
What exactly does this mean? Which information is exchanged without consent of these people? This seems to me more problematic than the actual topic of the data breach.
Maybe this is a good time to think about what policy could help discourage these horrific practices (it sounds like their storage was unprotected):
* App Store review requires a lightweight security audit / checklist on the backend protections.
* App Store CTF Kill Switch. Publisher has to share a private CTF token with Apple with a public name (e.g. /etc/apple-ctf-token). The app store can automatically kill the app if the token is ever breached.
* Publisher is required to include their own sensitive records (access to a high-value bank account) within their backend. Apple audits that these secrets are in the same storage as the consumer records.
Is there a way to verify if a potential partner uses this app? Or if they are in an "are we dating the same guy" type of group?
I take doxing, stalking, revenge porn and cyber bullying very seriously! And I would pay good money for a background check, to stay away from such people.
Outsourcing job was it? Modern programmers are literally terrible at all basic stuff (who stores ID images in the db and then in the clear, do you have many other mental issues or what?) (I see startups like Resend making the same mistakes and still people use them, so there isn't much punishment even from people with half a brain) and AI is going to make it all so much worse. And a public bucket. I think it should be criminally liable to be that sloppy.
I'm a firm believer that if you want to start a tech company, at least one of the founders has to have a technical background. Even if you outsource all the work, you need to be able to ask the right questions related to security.
It's not just that this database was accessible via the internet. It was all public data. Storing people's IDs in a public database is just... wow.
Sad that a common response to "we might not want this app to exist" is "well, if you weren't cheating, you wouldn't have a problem with it".
Why do people want to live in a panopticon of their own creation, with random anonymous strangers morally policing, judging each other with zero consequence to them?
Don't think we'll ever learn our lesson when it comes to privacy, it will be Eternal September forever.
For someone who thought Tea was a good idea, what would the objection be if this leaked contributor data were used to populate a similar app to warn men off?
A flash in the pan gossip app that when it functions normally is not worried about anyone's privacy / accuracy ... also doesn't care about good policies or their users' privacy.
In 2008, during the GFC, every company we worked IT for on contract fired their IT staff first. Two weeks later, we had a bonanza period right through into the next year. They realised the hard way that those lowly cheap IT staff were quietly keeping them afloat. We charged a lot to fix the problems they created because their CEO thought IT was a waste of money.
This will prove security in IT coding is necessary, so enjoy watching the drama unfold.
It should have never been allowed to be published anyway. Not trying to justify what is happening, but these kinds of apps are historically abused and create more problems than they intentionally try to solve.
On X, one of the leaked pictures seemed to be a DoD ID card, and I wondered why Tea needed proof of someone's identity. Then I remembered Uber and Lime both want your drivers license. Facebook and Instagram supposedly request it too if your account gets locked. This is not a new normal I like.
This reminds me of people saying "an honest person has nothing to hide". An honest woman who has nothing to hide would post stories under her name and write her address, GPS coordinates and phone number in case someone needs clarifications or has objections to the post.
It's almost poetic that this happens on the same day the UK demands that websites collect personal identification. I'm looking forward to the shitshow in the upcoming months.
- The fact that this app exists solidifies the data that a small group of men/women do most of the dating on tinder etc while the vast majority land dates far less if none at all.
- This creates distorted market supply and demand where that small group of men/women become sought after and it's only human nature in that they value their supply less than the rest.
- Toxic behavior is expected from that small group of highly attractive people that do all the dating.
- It was only a matter of time before such an app would run into legal issues or attract angry individuals. Now the damage to the leaked identities will be prolonged. With the AI tech today, the extent to which damage can be done is unknown (ex. deepfake, impersonations, further doxxing).
- Tea users' driver's licenses as well as selfies, usernames, emails, posts about their dates will drastically increase the surface area for lawsuits, fraud and exploitation by malicious agents.
- The users of this site and those that have directly posted images, details have opened themselves up to significant legal and criminal liability. Given these apps were probably popular in large city centers like California, NY have heavy punishment for digital harassment and privacy violations on top of the damages that can be claimed against them by the men whose information and details were posted.
- Tea is largely insulated from what the users post which means that their biggest exposure might be just neglect and failure to secure data which comes with a slap on the wrist.
Which will make it harder for Tea's userbase to claim large damages against it.
I read more details about this case and it's beyond egregious. Unencrypted firebase and full public buckets. There is no hacking involved, the tokens were being used to pull data from roughly all 30,000 users of Tea and were only blocked a short while ago.
Allegedly, 60GB of photos, user personal information, driver license, gps data being shared on torrent. A map of all 30,000 users tied to GPS data is being posted as well.
Given the extreme neglect to secure their data, I now believe Tea will be open to even bigger legal liability possibly criminal even.
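As an added example (not code from the thread or from Tea), the sketch below shows the class of misconfiguration the comments describe, an unauthenticated read grant on a Firebase Storage prefix, beside an owner-scoped version, with a small checker that tells them apart. Both rule sets are constructed for illustration, `classify` and `audit` are hypothetical helper names, and the checker goes one step beyond the public case by also flagging grants open to any signed-in account.

```python
import re

# Constructed Firebase Storage rules for illustration; not Tea's actual configuration.
WEAK_RULES = """
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /attachments/{allPaths=**} {
      allow read;                              // anyone on the internet
      allow write: if request.auth != null;    // any signed-up account
    }
  }
}
"""

HARDENED_RULES = """
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /attachments/{userId}/{fileName} {
      allow read: if request.auth != null && request.auth.uid == userId;
      allow create: if request.auth != null && request.auth.uid == userId
                    && request.resource.size < 10 * 1024 * 1024
                    && request.resource.contentType.matches('image/.*');
    }
  }
}
"""

# One token per `match <path> {`, closing brace, or `allow <ops>[: if <cond>];`.
TOKEN = re.compile(
    r"\bmatch\s+(?P<path>/\S*)\s*\{"
    r"|(?P<close>\})"
    r"|\ballow\s+(?P<ops>[\w,\s]+?)\s*(?::\s*if\s+(?P<cond>[^;]*))?;"
)

def classify(cond):
    """Rate an allow condition by who can satisfy it."""
    if cond is None or cond.strip() == "true":
        return "public"
    if cond.strip() == "false":
        return "denied"
    if "request.auth" not in cond:
        return "public"             # no identity check at all
    if "request.auth.uid" not in cond and "request.auth.token" not in cond:
        return "any-authenticated"  # signed in, but not tied to an owner or claim
    return "scoped"

def audit(rules_text):
    """Return (path, operation, exposure) for every over-broad grant."""
    text = re.sub(r"//[^\n]*", "", rules_text)   # drop line comments
    stack, findings = [], []
    for m in TOKEN.finditer(text):
        if m.group("path"):
            stack.append(m.group("path"))
        elif m.group("close"):
            del stack[-1:]                       # leave the innermost match block
        else:
            exposure = classify(m.group("cond"))
            if exposure in ("public", "any-authenticated"):
                for op in re.split(r"[,\s]+", m.group("ops").strip()):
                    findings.append(("".join(stack), op, exposure))
    return findings
```

Calling `audit(WEAK_RULES)` reports the public read and the any-account write on the `attachments/` prefix, while `audit(HARDENED_RULES)` returns an empty list.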
Gentlemen, we're working on a new app called Eyeroll. It's a revolutionary new dating app, where our users can rate the women they have dated based on favorable and/or unfavorable attributes. Every month, our marketing team will generate a scoreboard of profiles that score highest on all mainstream attributes, and our search and filter function will rival that of Amazon (including the much requested sort by lowest first.) We're seeking $23-to-$23.5 million in funding to get our product over the finish line.
I’d like to start seeing legal jeopardy for companies that are careless with customer information. Make developers scared to retain anything they don’t absolutely need.
"An app was created to help women stay safe on dates and avoid creeps, proceeds to be hacked by creeps"
Not a great look here.
However, Tea could have done a modicum of cybersecurity work (or hired an outside firm) to prevent this. If they are claiming to want to keep women safe (and not just running a gossip board) then this should be a red alert for them.
No public acknowledgement is concerning...
If I'm understanding correctly this was a public bucket? Aside from the obvious leaking of data, couldn't this also be subject to a DoW (denial of wallet) attack where a user could auto download all the images constantly on a VPS and cause a massive bill?
The trend has been for all things related to sex, dating and relationships to be aggressively male hostile. But I think it's certainly peaked. Off topic, anyone notice how anti-male Bumble is? Trash app.
I would not be disappointed if some actual hacking was done to bring down the entire app. I don't think the Tea app realizes just how many competent people dislike them, and they clearly have very few competent people of their own.
For those who wish for the old days - "Vibe Coding" - shonky websites with shonky security, doxxing on all sides, 4chan pops back into relevance. You get your early internet redo.
Not to get all conspiratorial, but if I was an incel, or other type of woman-hating-man, with an axe to grind, creating an app to "protect" women and their dirty secrets, then having their data "breached" would be a pretty diabolical revenge plan. Only women can join the app, but the only person running the app is a man? Nothing suspicious about that...
This is such excruciating incompetence by the app developers I'm wondering if it was intentional. Done to punish the women who dared to speak up about vile men.
I just hope they can pursue legal action for this, whether it was a deliberate trap or not.
- The fact that this app exists solidifies the data that a small group of men/women do most of the dating on tinder etc while the vast majority land dates far less if none at all.
- This creates distorted market supply and demand where that small group of men/women become sought after and it's only human nature in that they value their supply less than the rest.
- Toxic behavior is expected from that small group of highly attractive people that do all the dating.
- It was only a matter of time before such an app would run into legal issues or attract angry individuals. Now the damage to the leaked identities will be prolonged. With the AI tech today, the extent to which damage can be done with the information from the leaks is unknown.
- As for the company behind Tea, they are done. They face a monumental class action lawsuit as well as ongoing individual civil/criminal cases that will arise from the leaked identities, in particular the photo of driver licenses as well as selfies, usernames, emails drastically increase the surface area for damages.
- The users of this site and those that have directly posted images, details have opened themselves up to significant liability from not only the men they have targeted but from law enforcement.
- We'll see some new laws being formed from this case. Once again, we see the hidden dangers of blindly trusting large popular platforms with sensitive data but the twist with Tea here is the defamation activity that opens up its users to both civil and criminal liability.
Women dating safety app 'Tea' breached, users' IDs posted to 4chan
(404media.co) 567 points by gloxkiqcza 25 July 2025 | 789 comments
Comments
Freewalled
1st sentence: "exposed database"
We need a more nuanced headline here. They did nothing responsible. 404 should title this story with something that will blame them first and the 'hackers' 2nd.
Drivers licenses can be faked. Moreover, someone can just pretend to be someone else on this app with real drivers licenses.
The whole premise, implementation and process of Tea as a social media app is flawed, and a legal liability for the devs.
Women are anonymously spilling tea about men in their cities on viral app - https://news.ycombinator.com/item?id=44682914 - July 2025 (17 comments)
Apple had no issue mass censoring Parler and others, how is an app like this able to reach #1 under all?
That seems about right.
IT security bonanza time. It won't be long.
https://www.teaforwomen.com/data-breach
RIP
https://x.com/vxunderground/status/1948850061493850598
Edit: Nevermind, looks like Tea has been around for quite some time already. But it kinda flew under the radar with a fairly small user base.
Ugh. I’m clearly getting old. I don’t even remember the last time I went to 4chan.
But yeah please tell me how "we care about your privacy"
https://pastebin.com/CPBiqd1E
They have geo-mapped all the users - https://imgur.com/bRAJ2nU
Some of the users' photos are AI, which is interesting.
They got all the chat logs - https://x.com/NEElimit/status/1948766332503130562
60 Gig torrent said to be out with all the data - https://x.com/cremieuxrecueil/status/1948787086493901097 data structure - https://files.catbox.moe/c6ej81.json
HN 'Tea' thread discussing the ethics of the doxxing app - https://news.ycombinator.com/item?id=44682914