Women dating safety app 'Tea' breached, users' IDs posted to 4chan
615 comments
July 25, 2025
bravetraveler
Freewalled
more_corn
Freewalled I like that
neonate
Is that site down? I'm just getting the default nginx page.
edgineer
There is a long-standing conflict between archive and cloudflare
dpedu
I've seen this issue with certain dns providers. I don't have issues with google dns (8.8.8.8).
bravetraveler
Strange! Doesn't seem to be down, at least at time of writing (either my original post or this one)
I linked the plain HTTP version... which seems to rely on a series of redirects; potentially TOR:
~ $ curl -vLsq http://archive.today/U5Tah |& grep -Ei 'location:|title'
< Location: https://archive.today/U5Tah
< onion-location: http://archiveiya74codqgiixo33q62qlrqtkgmcitqx5u2oeqnmn5bpcbiyd.onion/U5Tah
< location: https://archive.ph/U5Tah
<title>archive.ph</title>
Tough to say :) Vaguely reminiscent of SNI troubles on the web server... which can depend on the client. I thought that was becoming exceedingly irrelevant, though.
gaiagraphia
Not sure, but think this may have been the original thread: https://archive.4plebs.org/pol/thread/511313558
>DRIVERS LICENSES AND FACE PICS! GET THE FUCK IN HERE BEFORE THEY SHUT IT DOWN!
>Tea App uploads all user verification submissions to this public firebase storage bucket with the prefix "attachments/": [link, now offline]
>Yes, if you sent Tea App your face and drivers license, they doxxed you publicly! No authentication, no nothing. It's a public bucket. I have written a Python script which scrapes the bucket and downloads all the images, page by page, so you can see if you're in it: [pastebin link]
>The censoring in picrel was added by me. The images in the bucket are raw and uncensored. Nice "anonymous" app. This is what happens when you entrust your personal information to a bunch of vibe-coding DEI hires.
>I won't be replying to this or making any more threads about it. I did my part, God bless you all. Regards, anon
Being so careless with people's personal data should be a major crime, tbh. If I manipulated thousands of people to let me scan their passports and various other bits of personal info, then just left the copies around the city for people to find, I'd be prosecuted, and rightfully so.
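The quoted post describes a Firebase Storage bucket that could be both fetched from and paged through with no authentication. As an added illustration (not Tea's actual configuration, which has not been published; the path layout, size limit and content-type filter are assumptions), here is the rule set a bucket ends up with when reads are opened to everyone, next to a rule set that keeps uploaded verification images away from every client:

```rules
// Added illustration, not the app's real rules: the "attachments/" and
// "verification/" layouts and the limits below are assumptions.
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {

    // WEAK: in rules v2 "read" is shorthand for "get" + "list", so this single
    // line lets any unauthenticated client download every object AND enumerate
    // the whole prefix page by page, which is exactly what the quoted post did.
    match /attachments/{fileName} {
      allow read: if true;
      allow write: if request.auth != null;
    }

    // HARDENED: a signed-in user may only create files in their own folder,
    // uploads are capped and limited to images, and no client may get, list,
    // overwrite or delete anything. The verification backend reads the image
    // through the Admin SDK (which bypasses these rules) and should delete it
    // as soon as the check is complete.
    match /verification/{userId}/{fileName} {
      allow get, list: if false;
      allow create: if request.auth != null
                    && request.auth.uid == userId
                    && request.resource.size < 10 * 1024 * 1024
                    && request.resource.contentType.matches('image/.*');
      allow update, delete: if false;
    }
  }
}
```

These rules only govern access through the Firebase SDKs and REST endpoint; a bucket that is additionally exposed through Cloud Storage IAM (for example a public allUsers binding) stays public regardless, so both layers need checking.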
ipnon
The irony of a doxxing app being wrecked by the anonymous is too much for me!
gitremote
It's not a doxxing app:
"Tea was founded by Sean Cook, a tech innovator inspired by his mother’s unsettling encounters with online dating, including catfishing and meeting men with hidden criminal pasts. His goal? Create a women-only space where users can post honest reviews, red flags, and personal stories about men they’ve dated. Unlike traditional dating apps, Tea isn’t about swiping for matches—it’s about safety. The app offers tools like background checks, catfish verification through “Catfish Finder AI,” and a secure community forum called “The Tea Party Group Chat.” Plus, 10% of its profits go to the National Domestic Violence Hotline, amplifying its commitment to women’s safety.
The app’s anonymous platform is its heart, letting women share warnings without fear. One user’s story stands out: Sarah, a 28-year-old from Chicago, posted about her ex, who seemed charming but turned violent. After escaping the relationship, she learned he was active on dating apps. Her Tea post detailed his behavior, and later, another user reached out on social media, thanking her for the warning that kept her from a dangerous date."
https://www.hypefresh.com/new-tea-app-lets-women-warn-others...
Women who were sexually assaulted tried to warn other women about their assaulter on the app. Anon doxxed these sexual assault victims, re-victimizing them. Anon thinks that it's men who were victimized and want to take revenge on these women who experienced sexual assault.
It's expected that anon is misogynist, and now the talking point is that these women are perpetrators of misandry who got what they deserve.
serial_dev
You can’t just quote from a PR puff piece and expect anyone to be convinced it is not a doxxing app.
The proof is in the pudding.
It was built for doxxing and quite potentially spreading lies about men and on top of that, they doxxed all of their users, too. They pretty much doxxed everyone who used the app or was mentioned on the platform.
I don’t see how it is not a doxxing app, but go ahead and find me another PR article that says it is the best thing since sliced bread and the founders should be saints.
tgv
Apparently, the red flags also include "has ghosted me" and "is married." Now, those are valid reasons to not date someone, but it's not safety. Safety is just the excuse, just like it is in so many other cases.
It's fucked up that you can't have an honest app to keep people safe, but the makers could have known the problems in advance, and probably did.
> One user’s story stands out
In which precisely nothing happened. We don't even know the nature of the alleged violence.
> It's expected that anon is misogynist
Did you just give a negative impression of someone you don't know?
2c2c2c
this app is replicating a set of women only facebook groups. there's one for every major US city. it's sort of an if you know you know situation.
the vast majority of posts are speculation on someone being douchey or a cheater. women in their twenties seem to really enjoy browsing through the gossip.
DocTomoe
It's an app that exposes the identity of people against their will. That's the exact definition of doxxing.
Whether the original intent was honourable or not - or if they decide to spend part of their income on an honourable cause - does not factor into the nature of the system.
Worse, in some jurisdictions (I’m not certain about the US specifics), this kind of unsanctioned exposure could actively hinder legal prosecution of actual predators. If a person is publicly accused on a non-official platform before trial, any resulting lawsuit might be thrown out on grounds of prejudicial exposure or even perjury. The accused could claim that the testimony is tainted or retaliatory — particularly if the platform enables near-anonymous posting without formal vetting^1.
[1] Yes, the app collects driver’s licenses. But let’s be honest: in the U.S., a fake driver’s license is practically a rite of passage. Entire generations of underage teens have used them to get into clubs and bars. If that’s your trust anchor, you don’t have much of one.
aaron695
> It's not ironic. [OP edited out]
Either use the criminal justice system.
Or form a lynch mob and stand behind your lynching.
But don't cry when you have chosen the route of self organized violence with zero checks and balances, clear examples of lynching the wrong people, then running and hiding back behind "civilized society" when your inept violence backfires.
You are no different to Kiwi Farms, I suggest you look to their site for tips on how to protect yourself while being violent on others.
Kiwi Farms also has a list of sexual abusers they have helped stop, some really horrific people.... but like "Tea" that's not the full story.
Until then it is "ironic"
AlecSchueler
[flagged]
esperent
> That app made a lot of basement dwelling chuds furious, to the point that someone was willing to risk prison time for a shot at harming those women.
Although undeniably, the data being mostly women does bring in the chuds so it's not entirely wrong, I think this is a shallow take for a couple of reasons:
1. If any app stored user data this freely, it would be stolen and gloated over on 4chan.
2. This app, which I'm learning about just now, seems deeply problematic. It's a place for people to publicly share and shame other people that they don't like. The genders of the people doing this don't matter, this is called doxxing and it's not ok, no matter how it gets dressed up (women's safety, children's safety, anti-terrorism, anti-drugs, whatever)
batmaniam
Isn't this basically Peeple except gender locked to women? Peeple failed because they couldn't eliminate bias and gossip against anyone. If someone was jealous of another, for example, that person could just write false slander and claim it was real with no evidence. That would have affected the victim for jobs, dates, etc. So it was laughed at by VCs and everyone online and it shut down.
How is Tea even legal? Isn't this just a legal libel timebomb waiting to happen?
tptacek
Defamation (libel and slander) consists of false statements (or direct implications) of fact. Actionable defamation consists either of those false claims that cause quantifiable damages, or that claim things that are per se considered damaging --- a specific and limited list.
"This guy is a creeper and treats romantic partners terribly" is pure opinion, and cannot be defamatory. The (rare) kinds of opinion statements that can be defamatory generally take the form of "I believe (subjective thing) about this person because I observed (objective thing)", where "(objective thing)" is itself false. "The vibe I get about this person is that they hunt humans for sport" does not take that form and is almost certainly not defamatory.
Under US law, providers are generally not liable for defamatory content generated by users unless you can show they materially encouraged that content in its specifics, which is a high bar app providers are unlikely to clear.
gizmo686
> or that claim things that are per se considered damaging --- a specific and limited list
Standard disclaimer that law varies by jurisdiction. However, that limited list typically includes claims that the person committed a crime. Many jurisdictions also include accusing someone of having a contagious disease, engaging in sexual misconduct, or engaging in misconduct that is inconsistent with proper conduct in their profession.
In other words, the types of things I would expect people to be talking about on tea overlap heavily with defamation per-se.
If the users were careful to make all of their statements opinions, that defense would work. However, I doubt that is the case. Instead, I expect many users to include examples of what their ex did that led to their opinion; which gets directly into the realm of factual statements.
The provider protections are real, and likely protect the app from direct lawsuits (or, at least from losing them), but do not protect the app's users. A few news stories about an abusive ex going after their former partner based on what they posted in the app could be enough to scare users away. You don't even need to win the lawsuit if your goal is to harass the other person.
tptacek
It does, but those bars to defamation claims are based on the US Constitution more than they are on state law. I think another way to put that is that I gave the maximally generous interpretation to the plaintiff there.
brogufaw
[flagged]
krisoft
> "This guy is a creeper and treats romantic partners terribly" is pure opinion, and cannot be defamatory.
That is true. But I think untrained and emotionally involved individuals will have trouble navigating the boundaries of defamation. Instead of writing opinions like “treats romantic partners terribly” they will write statements purporting facts like “this creep lured me to his house, raped me, and gave me the clap”. This is not an opinion but three individually provable statements of fact. Plus the third would be considered “defamation per se” in most jurisdictions if it were false. (The false allegation that someone has an STD is considered so loathsome that in most places the person wouldn’t need to prove damages.)
Unless specifically coached, people would write this second way. Both because it is rhetorically more powerful, but also because they would report on their own personal experience. To be able to say “treats romantic partners terribly” they would need to canvas multiple former partners and then put their emotionally charged stories into calm terms. That requires a lot of work. While the kind of message I’m suggesting only requires the commenter to report things they personally know about. And in an emotionally charged situation, like a breakup, people would be more likely to exaggerate in their descriptions, making defamatory claims more likely.
> Under US law, providers are generally not liable for defamatory content generated by users…
This is true, and I believe this is the real key. Even if the commenters would be liable, the site itself would be unlikely to become liable with them.
tptacek
Just keep in mind there are two very high bars you need to clear to come out ahead on a defamation action:
1. To prove that the factual claims made by the defendant were false, and that the defendant should have known they were false
2. That you suffered actual damages from those claims
Very hard to make happen on a dating app.
mullingitover
It’s hilarious that we earnestly debate whether women should be allowed to have a space to speak anonymously about whatever the hell they want, but it’s completely unquestioned that 4chan is a perfectly legal operation.
Yeul
Men get incredibly upset when their sexual privileges are questioned.
josteink
I guess a significant difference is that 4chan is fully public. Whatever anyone says there can be observed by anyone and refuted by anyone. You can’t secretly slander anyone there.
What happened on the tea app was probably not knowable, observable or refutable for those actually being doxxed or slandered.
That isn’t me saying 4chan is absolutely morally in the clear, but it’s still quite a significant distinction.
akerl_
A general plug that if you read this comment and thought “damn, 1st amendment law sounds complex and interesting”, you may want to check out https://www.serioustrouble.show/ , a podcast about legal news with a recurring focus on 1st amendment law and cases
duxup
This also seems like an app ripe for actual creep / abusers to follow / manipulate.
The claim that it provides safety really is just that, an empty claim.
dabockster
The fact that it verifies by ID scan is also not safe at all for a million different reasons.
A better way would have been to charge a small subscription fee - like $2/month or something. The fee filters out 99% of the trolls out there (who wants to pay to troll) and also gives the app/website admins access to billing info - name, mailing address, phone number, etc - without the need for a full ID scan. So the tiny amount of trolls that do pay to troll would have to enter accurate deanonymizing payment information to even get on the system in the first place.
And it can be made so only admins know peoples' true identities. For the user facing parts, pseudonyms and usernames are still very possible - again so long as everyone understands up front that such a platform would ultimately not be anonymous on the back end.
But oh no, that won't hypergrow the company and dominate the internet! Think of all the people in India and China you're missing out on! /sarcasm
jandrese
> A better way would have been to charge a small subscription fee - like $2/month or something. The fee filters out 99% of the trolls out there
Have you seen who has the blue checkmarks on Twitter/X now? I'll give you a hint, it's not the people who argue in good faith.
konart
>A better way would have been to charge a small subscription fee - like $2/month or something.
That's Pure. And they charge more than $5 I believe.
FiniteIntegral
I think you underestimate the willingness of people to pay to troll, it may filter out people but an app that was (in theory) meant to be secure shouldn't think of a problem as filtering rather than securing. Admins knowing peoples' identities simply moves the weakest link in the chain to the admins. I think an app like this was doomed from the start and 4chan simply pulled the plug on an already leaking bathtub.
rKarpinski
What's wrong with verifying the ID?
The issue is they decided to roll their own extremely questionable service and insecurely store sensitive images in a public bucket
Multiple SaaS vendors provide ID verification for ~$2/each. They should have eaten that fee when it was small and then found a way to pass it onto the users later
dylan604
you act like it's impossible to get payment credentials that have nothing to do with the user
raydev
> who wants to pay to troll
You've never visited X (formerly known as Twitter)?
fragmede
Men will go to great lengths to try and have sex. $2/month just gets you less broke creepers.
danesparza
>> How is Tea even legal? Isn't this just a legal libel timebomb waiting to happen?
By this logic: I suppose glassdoor, yelp, or Google reviews aren't legal either?
What about identity verification as part of any employment offer?
AndroTux
The difference is, on these platforms you're rating legal entities. On Tea, you're rating, or rather sharing personal information about, an individual. Where I come from, sharing personal data of someone without their consent is not allowed.
PaulHoule
Also on those platforms you can see if people are trash talking you even if you don’t have a procedure to face your accuser.
Even the open platforms creep me out. I don’t like seeing unverified accounts of crime in Nextdoor, I think if you see some crime you go to the police. I had a series of in person interactions with a woman which seemed creepy in retrospect, her Nextdoor was full of creepy stuff including screenshots of creepy online interactions. At least this gives everyone clear evidence they should keep away.
bluescrn
> On Tea, you're rating, or rather sharing personal information about, an individual.
Or in this case, sharing personal information about yourself...
umanwizard
> Where I come from
…is clearly not the US, which has probably the most expansive understanding of “freedom of speech” in the world.
dragonwriter
> Where I come from, sharing personal data of someone without their consent is not allowed.
Where you come from, people aren't allowed to share their own experiences interacting with third parties without the third parties' consent?
Sounds pretty oppressive, but there are absolutely many jurisdictions where that is not the case.
voxic11
I think it's a mostly US based app, in the US sharing your opinion about other people is protected speech.
gitremote
What was leaked was women's personal data, like driver's licenses. What they shared with each other was their experiences with men who sexually assaulted them or stalked them and their names, not the men's personal data.
Men's driver licenses were not distributed online. Only women's driver licenses were distributed online.
fkyoureadthedoc
> By this logic: I suppose glassdoor, yelp, or Google reviews aren't legal either?
Imagining a future where I have to pay Tea to promote and astroturf my profile or they lower my rating, and pay bot farms to post glowing reviews
fragmede
In this future that you want me to imagine, do you imagine, that I'm imagining that I am poor or I am rich? Because oh man, I didn't have much luck at the lottery or at blackjack or craps or startups or crypto, but I'm sure, this time, AI is gonna help me strike it rich!
Beijinger
I have not used the app nor read much about it but these guys talk about it: https://youtu.be/WjfpryoQ0Mk
Yes, as far as I understand, you upload pictures of men, either taken in the wild or from dating sites (Tinder) against their will. I am pretty sure that this would be illegal in some jurisdictions. Especially EU.
ajuc
Companies aren't people (despite lots of people pretending they are).
arrowsmith
> Peeple failed because they couldn't eliminate bias and gossip against anyone
Without bias and gossip, who would even want to use the app?
dyauspitr
Almost everyone? And not in a cheap throwaway comment way, I mean genuinely. The value is that it’s informative not a gossip rag.
theflyinghorse
I don't think you understand humans. Spicy social gossip is far more attractive to people rather than anything informative.
givemeethekeys
There are large Facebook groups dedicated to "Are we dating the same guy?" / "Are we dating the same woman?" that predate this app.
Fogest
A lot of these groups have also had people get successfully sued for defamation.
carabiner
It's exactly like Lulu which shut down due to privacy issues.
prisenco
Every couple years someone tries this and it immediately turns into a cesspool because no matter the good intentions of the makers, it attracts the worst kind of person as active users.
It gets shut down, everyone forgets, then someone eventually has a brilliant idea...
It comes from a place of sincerity but defenders imagine everyone would use it for the same reasons they would: Warning people of genuine threats in the dating world. They would never use it for gossip, or revenge, or creative writing, etc. so they don't imagine others would.
But at scale, if generously only 0.1% of women in America are bad actors that would weaponize this app, that's over 150k people (not to mention men slipping past security). And the thing about bad actors is that one bad actor can have an outsized effect.
junto
These kinds of apps are already in existence across many cities in the world in the form of informal, invite-only WhatsApp and Telegram groups.
The problem is the demand is there for such groups and I see posts that range from, “this guy tried to get me to get in his car”, or “man exposed himself to me”, to “man has twice approached children at my child’s school” or “I was drugged and raped after meeting with X on Y dating app”.
Lots of sexual attackers are known to multiple women.
Fact is that in lots of countries rape kits don’t get processed, it’s hard to secure a conviction, many serial sex offenders walk free and many women don’t want to go through a reliving of their trauma in court.
As a result these kinds of groups are very useful, not just for women who are actively dating, but for women who are simply existing in day-to-day public life. We have a president and a supreme court judge who both have been accused of serious sex offenses and nothing happened.
Is there a chance that some man who has done nothing wrong, gets accused by a woman in these groups? Yes of course there is a chance that could happen, but many would prefer to not take the risk of dating someone that has been accused of being a sex offender and the vast majority of posts with confirmation by multiple women confirm that bias.
These groups help keep women safer than without them. There’s a good reason why many women just don’t date at all any more. Covid lockdowns reminded them that they don’t really need it and it’s more hassle than it’s worth.
Sadly the vast majority of men are fine (not all men), but not enough call out the bad and dangerous behavior of a minority of their friends and peers. Until that happens women will be drawn to these apps and groups to try to be safer and not be a part of a sex crime statistic.
carabiner
There needs to be a startup accelerator or VC that solely focuses on recycled ideas. We could have an app that gathers strangers for dinners, one for reviewing people, and so on. Since all of these gained traction at some point, the idea would be you get 1-2 quick puffs of these discarded cigarette butts before selling or shutting down. Just vibe code it, go viral, collect some subscriber fees, then close due to whatever reason.
ssalka
I would imagine Tea enjoys protections from Section 230, same as all other social media sites.
singleshot_
“False slander” is not a thing.
The answer to your last two questions is found within section 230 of the Communications Decency Act.
pdabbadabba
> “False slander” is not a thing.
It's only not a thing because, in the U.S., it's redundant. In other jurisdictions, it might be a thing, because there are places where a claim can be both defamatory and true.
oc1
Wait, the app does what?
> The app aims to provide a space for women to exchange information about men in order to stay safe, and verifies that new users are women by asking them to upload a selfie.
What exactly does this mean? Which information is exchanged without consent of these people? This seems to me more problematic than the actual topic of the data breach.
iforgotpassword
You can use that app in different ways:
1) you dated a guy on tinder, he became all pushy on your first date, touched you inappropriately even though you said no. Or some guy became violent during your relationship and you even found out he has a history of that.
2) you dated a nice guy but he dumped you for whatever reason, and now you want to get back at him so you make up stuff like mentioned above, and post it there.
raincole
In other words it's a slander platform. Got it.
eastbound
3) You’re in competition with someone at work and you want to make his life difficult. You want to blackmail someone into promoting you, etc.
dash2
Gossip about the opposite sex is probably the world's oldest social activity. The problem is that the internet lets it happen at industrial scale, and obviously that can be misused or have dangerous unintended consequences.
chneu
it also doesn't disappear. Before the internet you could say something, laugh, and move on. It disappeared.
Now if someone says something online it can be read for years and often without context of when it was originally written.
ok123456
We need to stop allowing companies that are not directly engaged in financial services to request government IDs.
Facebook shouldn't legally be allowed to demand an ID any more than this disaster of an "app."
Now tens of thousands of people will be subject to identity theft because someone thought this was a neat growth hacking pattern for their ethically dubious idea of a social networking site.
Revisional_Sin
Unfortunately for some of us, the UK has gone the opposite direction. We now have to verify our age (or use a VPN) before accessing certain websites.
https://theconversation.com/porn-websites-now-require-age-ve...
throwawayq3423
This is fine if you have a secure tool to access. It's not okay if you just try to spin up your own solution.
1123581321
A secure Know Your Customer API would be a useful service for Apple and Google to provide to developers. It could scan the ID and reveal individual pieces of information with permission to the application or multiple applications. Forgive me if it already exists and this app just wasn’t using it.
arianvanp
Apple is launching such a service in iOS26
1123581321
Ah, nice that it's a web standard. Looks like Google is as well. https://developer.chrome.com/blog/digital-credentials-api-or...
Link to the related web standard https://www.w3.org/TR/vc-data-model-2.0/
EnderWT
This is mDL (mobile driver's license) here in the US, but it's a new technology and not widely available or adopted yet. https://www.nccoe.nist.gov/projects/digital-identities-mdl
1123581321
Interesting; thanks. That should connect to browsers' Digital Credentials API the other user mentioned.
codedokode
I am not going to show my ID to Google, especially given that it is a foreign company with dubious data collection history.
ronsor
You are going to show your ID to at least one foreign company with dubious data collection history, because the government will eventually force it on you.
ok123456
Or we could deny providing "app" developers with any such information.
octoberfranklin
The crimes of creating or possessing a fake ID are distinct from the crime of knowingly using one, an act which has the peculiar name "uttering".
Simple solution: decriminalize uttering to any person who is not an employee of the government or a regulated bank.
pavel_lishin
Good lord, why would they store those drivers' license images for an instant longer than it took to verify their users?
jsrozner
This. Appropriate regulation should make this an offense punishable by a large fine. There is almost no consequence to companies for bad practices.
Ideally you'd see fines in the 10%s of revenue. In egregious cases (gross negligence) like this, you should be able to go outside the LLC and recoup from equity holders' personal assets.
Alas, if only we had consumer protections.
dannyphantom
Absent broader regulation, we all know that apps like Tea depend HEAVILY on user trust. However, I am a bit concerned users either won't fully grasp the severity of this breach or won't care enough and end up sticking with the app regardless.
A somewhat embarrassing but relevant example: my friends and I used Grindr for years (many still do), and we remained loyal despite the company's terrible track record with user data, privacy, and security as there simply wasn't (and still isn't) a viable alternative offering the same service at the expected level.
It appears Tea saw a pretty large pop in discussion across social channels over the last few days so I'm pretty hopeful this will lend itself to widespread discussion where the users can understand just how poorly this reflects on the company and determine if they want to stick around or jump ship.
throwawayq3423
"They just trust me. Dumb f*cks.."
ytpete
Or maybe require them to prominently disclose the breach to all current and future users on the app main screen for some period of time afterward (a year or two?). Sort of like the health-code inspection ratings posted in restaurant windows.
That cuts to the issue some other comments have pointed out, that user trust is really their most important capital – and with short attention spans and short news cycles, it may rebound surprisingly fast.
hdgvhicv
Companies, especially American ones, see data as an asset, rather than a liability.
The GDPR in Europe attempts to reset this but it’s still an uphill battle
dabockster
> Appropriate regulation should make this an offense punishable by a large fine.
And some kind of legal penalty for the engineers as well. Just fining the company does nothing to change the behavior of the people who built it in the first place.
ryandrake
I would at least love to see a public postmortem. What was the developer's rationale for storing extremely personal user data unencrypted, in a publicly facing database? How many layers of management approved storing extremely personal user data unencrypted, in a publicly facing database? What amount of testing was done that failed to figure out that extremely personal user data was stored unencrypted, in a publicly facing database?
chemeng
In the US, professional certifications (PE, Bar, USMLE, CPA) exist to partially solve this problem when the certification is required to perform work legally. These are typically required in industries where lives and livelihoods of individuals and the public are at risk based on the decisions of the professional.
Joining in with some other comments on this thread, if the stamp of a certified person was required to submit/sign apps with more than 10K or 100K users and came with personal risk and potential loss of licensure, I imagine things would change quickly.
I'm personally not for introducing more gatekeeping and control over software distribution (Apple/Google already have too much power). Also not sure how you'd make it work in an international context, but would be simple to implement for US based companies if Apple/Google wanted to tackle the problem.
I think the broader issue is that we as a society don't see data exposure or bad development practices as real harm. However, exposing the addresses and personal info of people talking about potentially violent, aggressive or unsafe people seems very dangerous.
duxup
They shouldn't, but it appears to be a gossip app where by design they're also storing photos taken of other people (permission or not) and gossip about them...
They don't seem to value privacy.
Proofread0592
I am just making a wild guess with no evidence to back it up, but I have a question and a potential answer:
How was this app going to monetize?
I'm guessing by selling user data, namely drivers license info to phone number.
hbn
This is what vibe coding gets us!
GoatInGrey
The cynical part of me feels like certain employees had uncontrolled access to the user data.
There would be a morbid irony in the idea of a tool marketed as increasing safety for women actually being a honeypot operation to accumulate very sensitive personal information on those very women.
throwawayq3423
Honestly, it doesn't matter that they didn't have that additional nefarious intent; their incompetence and carelessness led to the same result.
ytpete
Not a fan of the "vibe coding" hype, but is there any evidence that this app was built that way?
Mountain_Skies
According to another media report, the approval queue for new account verification was seventeen hours long. It's possible what the 4channers got was that approval queue.
IlikeKitties
No they got more, 23gb of files.
AlanYx
That's only a partial archive. There's another one with 55gb.
tonymet
Maybe this is a good time to think about what policy could help discourage these horrific practices (it sounds like their storage was unprotected)
* App Store review requires a lightweight security audit / checklist on the backend protections.
* App Store CTF Kill Switch. Publisher has to share a private CTF token with Apple with a public name (e.g. /etc/apple-ctf-token). The app store can automatically kill the app if the token is ever breached.
* Publisher is required to include their own sensitive records (access to a high-value bank account) within their backend. Apple audits that these secrets are in the same storage as the consumer records.
bawolff
Make company liable for damages when breached.
If you want companies to care about security then you need to make it affect their bottom line.
This wasn't the work of some super hacker. They literally just posted the info in public.
spixy
GDPR makes company liable for damages when breached.
That is why Tea did not operate in Europe.
standardUser
There has to be a better way than just adding another deterrent to starting a company. Could there be an industry standard for storage security? Certification (a known hurdle) is better than "don't fuck up or we'll fine you to death".
LPisGood
I think fines are very reasonable. If you can't safely do the thing, you should be punished for doing it. If you can safely do the thing, then there is no issue.
bawolff
Certification is essentially "don't fuck up or we'll fine you to death" with extra steps. Especially because it mostly comes down to the company self-verifying (auditors mostly just verify you are following whatever you say you are following, not that it's a good idea).
It's not like anyone intentionally posts their entire DB to the internet.
crx12
[dead]
ryandrake
This is the only way to deter this. Negligence and incompetence need to cost companies big money, business-ruining amounts of money, or this is just going to keep happening.
tonymet
I agree, but relying on lawsuits is far too slow and costly. We can reduce the latency of discovery and resolution by adding software protocols.
bawolff
Having the threat of lawsuits is not really about the actual lawsuit, it's about scaring people into being more careful. If you actually get to the lawsuit stage, the strategy has failed.
> We can reduce the latency of discovery and resolution by adding software protocols.
Can we? What does this even mean?
[Edit: I guess you mean the things in your parent comment about requiring including some sort of canary token in the DB. I'm skeptical about that as it assumes certain db structure and is difficult to verify compliance.
More importantly I don't really see how it would have stopped this specific situation. It seems like the leak was published to 4chan pretty immediately. More generally, how do you discover if the token is leaked, in general? It's not like the hackers are going to self-report.]
itake
the problem is what are the damages? how much are those damages?
My SSN / private information has been leaked 10+ times now. I had identity fraud once, resulting in ~8 hours of phone calls to various banks resulting in everything being removed.
What are my damages?
bawolff
I would suggest that damages should be punitive, not to make the victims whole. So I don't think it matters.
GoatInGrey
That's a reactive measure. Certainly, it's worth pursuing. Though like the notion that you can't protect people from being murdered if you only focus on arresting murderers, there is a need for a preventative solution as well.
TZubiri
Maybe the idiot that published this didn't even form an LLC, "waste of $200"
beeflet
just use your brain and don't upload your face and driver's license to a gossip website. when I was growing up, it was common knowledge that you shouldn't post your identity online outside of a professional setting.
The onus is on users to protect themselves, not the OS. As long as the OS enables the users to do what they want, no security policy will totally protect the user from themselves.
arrowsmith
> just use your brain and don't upload your face and driver's license to a gossip website
Meanwhile, in the UK, new legislation requires me to upload my face and driver's license just to browse Reddit.
ronsor
The fact that UK politicians cannot use their brains is a separate issue. May I interest you in a VPN?
aydyn
You only require ID verification for NSFW subreddits, right?
qualeed
>just use your brain and don't upload your face and driver's license to a gossip website.
It isn't just gossip websites requiring this, and it isn't just gossip websites suffering breaches.
dvngnt_
This is becoming more unfeasible as it becomes required to access online services like reddit, nexusmods, verification on dating apps. Sending facial and documentation data is becoming mandated by governments across the world.
alecco
[flagged]
tonymet
The app store is auditing & restricting functionality within the iPhone, but the backend protections are a wild west.
"use your brain" is no substitute for security. This is a hacker forum. We think about how to protect apps. Even smart people have slipped up.
Beijinger
Yeah, just upload the pictures of unsuspecting guys.
Sorry, well deserved ladies. It just made my day. ROTFL.
And please provide an app with all the names and pictures of the ladies who used it. So that I can easily check who not to date.
9dev
Nice, some unsolicited victim blaming!
adamrezich
Good thing our children will learn all about this at their mandatory Internet Literacy Fundamentals course they have to take in high school.
Oh wait—no such thing exists!
It's up to us to teach this to our children. There's no hope of getting the current generations of Internet users to grasp the simple idea that app/website backends are black boxes to you, the user, such that there is absolutely nothing preventing them from selling the personal information you gave them to anyone they see fit, or even just failing to secure it properly.
Without being a developer yourself or having this information drilled into you at a young age, you're just going to grow up naively thinking that there's nothing wrong with giving personal information such as photos of your driver's license to random third parties that you have no reason to trust whatsoever, just because they have a form in their app or on their website that requests it from you.
tonymet
Education is helpful, but it's also inadequate. We need good drivers, and good driver safety systems. They go hand in hand.
Even the most savvy consumers slip up, or are in a hurry. It's impossible to make a perfect security decision every time.
benlivengood
In this case it appears to be a public Firebase bucket; shutting down the app wouldn't help. Quite possibly access to Firebase was mediated through a backend service and Apple couldn't validate the security of the unknown bucket anyway.
tonymet
Also about validating the backends, Apple has the resources to provide a level of auditing over the common backends. S3, Firebase -- perhaps the top 5. It's easy to provide Apple with limited access to query backend metadata and confirm common misconfigurations.
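The "confirm common misconfigurations" check described above, written out as an added example (this is not code from the thread, from Apple, or from the Tea app). It uses the public, unauthenticated Firebase Storage REST endpoints (`/v0/b/<bucket>/o?prefix=` for listing, `/v0/b/<bucket>/o/<name>` for object metadata) and reports whether a bucket's security rules let a stranger enumerate or read objects. The bucket name, prefix and the canned HTTP replies are constructed for the demonstration; only run the live fetcher against buckets you are authorised to test.

```python
"""Audit a Firebase Storage bucket for anonymous list/get access.

Added example, not code from the original thread. Assumptions: the REST
paths below are Firebase Storage's public ones; bucket names and the
constructed replies are hypothetical. Only object metadata is requested,
never file content.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

BASE = "https://firebasestorage.googleapis.com/v0/b"

# A fetcher performs an unauthenticated GET and returns (http_status, body).
# It is injected so the audit logic can be exercised offline.
Fetcher = Callable[[str], Tuple[int, str]]


def urllib_fetch(url: str) -> Tuple[int, str]:
    """Plain GET with no Authorization header, i.e. what any stranger can send."""
    req = urllib.request.Request(url, headers={"User-Agent": "bucket-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def list_url(bucket: str, prefix: str, max_results: int = 1) -> str:
    query = urllib.parse.urlencode({"prefix": prefix, "maxResults": max_results})
    return f"{BASE}/{bucket}/o?{query}"


def object_url(bucket: str, name: str) -> str:
    # The object name is a single path segment, so '/' inside it must become %2F.
    return f"{BASE}/{bucket}/o/{urllib.parse.quote(name, safe='')}"


@dataclass
class Finding:
    bucket: str
    prefix: str
    anonymous_list: bool            # rules grant `list` to unauthenticated callers
    anonymous_read: bool            # rules grant `get` on the probed object
    probed_object: Optional[str]    # object used for the read probe, if any

    @property
    def severity(self) -> str:
        if self.anonymous_list and self.anonymous_read:
            return "CRITICAL"       # anyone can enumerate and fetch everything
        if self.anonymous_list or self.anonymous_read:
            return "HIGH"
        return "OK"


def audit_bucket(bucket: str, prefix: str = "", known_object: Optional[str] = None,
                 fetch: Fetcher = urllib_fetch) -> Finding:
    """Probe listing, then a metadata read of one object.

    known_object covers the case where listing is denied but a name the client
    app exposes (or that can be guessed) is still readable: `get` and `list`
    are separate permissions in Firebase Storage rules.
    """
    status, body = fetch(list_url(bucket, prefix))
    anonymous_list = status == 200
    candidate = known_object
    if anonymous_list and candidate is None:
        try:
            items = json.loads(body).get("items", [])
        except (json.JSONDecodeError, AttributeError):
            items = []
        if items:
            candidate = items[0].get("name")
    anonymous_read = False
    if candidate:
        status, _ = fetch(object_url(bucket, candidate))
        anonymous_read = status == 200
    return Finding(bucket, prefix, anonymous_list, anonymous_read, candidate)


# Constructed replies for offline use; they imitate three rule configurations.
def constructed_open(url: str) -> Tuple[int, str]:
    """Rules allow anonymous list and get (the pattern described in the thread)."""
    if "/o?" in url:
        return 200, json.dumps({"items": [{"name": "attachments/0001.jpg"}]})
    return 200, json.dumps({"name": "attachments/0001.jpg", "contentType": "image/jpeg"})


def constructed_locked(url: str) -> Tuple[int, str]:
    """Rules deny both; the API answers 403 for unauthenticated callers."""
    return 403, json.dumps({"error": {"code": 403, "message": "Permission denied."}})


def constructed_get_only(url: str) -> Tuple[int, str]:
    """Rules deny list but allow get: unguessable names are the only protection."""
    if "/o?" in url:
        return 403, json.dumps({"error": {"code": 403}})
    return 200, json.dumps({"name": "attachments/0001.jpg"})


if __name__ == "__main__":
    # Offline demonstration. For a live check omit fetch= (urllib_fetch is the
    # default) and pass a bucket you are authorised to test.
    f = audit_bucket("example-app.appspot.com", "attachments/", fetch=constructed_open)
    print(f.severity, f)
```

The fix on the publisher side is in the storage rules, not the app: the ID-document path must deny `list` and `get` to unauthenticated callers, e.g. `match /attachments/{userId}/{file} { allow read, write: if request.auth != null && request.auth.uid == userId; }`, and the reviewer-side check above should report "OK" once those rules are deployed.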
tonymet
I partially agree. At least the threat of app shutdown would be enough consequence for the publisher to take things seriously
benlivengood
I think iOS and Android already hold the threat of app store removal over developers' heads.
Presumably the risk/reward still favors risky practices.
Rendello
> Publisher is required to include their own sensitive records within their backend.
Now that's a creative solution! Every admin must have a table called `MY_PERSONAL_INFO` in their DB.
tonymet
Wouldn't it be funny if the app store had to review it and make sure the personal info was sensitive and possibly humiliating enough. "sir your app has been denied because MY_PERSONAL_INFO table requires at least 3 d-pics"
tacker2000
More power to app store reviewers? Please no. They already deny apps for random reasons and figuring out why is often a hair pulling experience.
tonymet
I agree about the power concerns, but where would you assign the authority if not the app store?
danparsonson
This is the kind of thing government regulation is useful for, when it works.
tbrownaw
Yes, pushing companies away from mobile apps and towards PWAs or even ordinary websites does sound like an excellent idea.
dabockster
The world is moving away from App Stores and walled gardens. Figure out other options.
bluescrn
The world was moving away from App Stores and walled gardens. And then I woke up, and returned to grim reality.
tonymet
That sounds preposterous. Can you qualify that?
bigfishrunning
Linux is up to 5% of the desktop. GOG and Itch.io are DRM-free, and are slowly gaining ground against Steam. Fediverse networks are slowly gaining ground against traditional social media. Signal is more popular than ever.
There will always be lowest-common-denominator users, but there is clearly some demand for an alternative to the biggest 5 websites...
tonymet
* Mandate 3rd party auditing once an app reaches > 10k users
* App publishing process includes signatures that the publisher must embed in their database. When those signatures end up on the dark web, App Store is notified and the App is revoked
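The "signature the publisher must embed in their database" idea above, and the CTF-token kill switch proposed earlier in the thread, are both a honeytoken scheme. As an added example (not code from the thread or from any real app store), here is one way the store side could issue and later recognise such tokens without itself becoming a place the tokens can leak from: the registry keeps only an HMAC of each token, and a dump (CSV export, JSON, or a bucket listing) is attributed to an app by re-tagging every token-shaped string found in it. The token format, the registry key, the app identifiers and the planted decoy records are all hypothetical. Note what this does not do: it identifies which app a dump came from once someone feeds the dump to the scanner, which is the objection raised earlier in the thread; it does not discover that a dump exists.

```python
"""Honeytoken registry for an app-store 'embedded signature' scheme.

Added example, not code from the thread or from any app store. Assumptions
(all hypothetical): one random token per app, minted by the store; the store
retains only HMAC(token); the publisher plants the token inside the same
datastore as user records (a decoy user row and a decoy object name).
"""
import hashlib
import hmac
import re
import secrets
from typing import Dict, Optional, Set

TOKEN_PREFIX = "ASC1-"                        # hypothetical format: prefix + 128-bit hex
TOKEN_RE = re.compile(r"ASC1-[0-9a-f]{32}")


class CanaryRegistry:
    """Store-side registry. Holds HMAC(token), never the token itself, so a
    leak of the registry neither exposes nor allows forging of live tokens."""

    def __init__(self, registry_key: bytes):
        self._key = registry_key              # secret held by the store only
        self._app_by_tag: Dict[str, str] = {}

    def _tag(self, token: str) -> str:
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, app_id: str) -> str:
        """Mint a fresh token for a publisher; returned once and not retained."""
        token = TOKEN_PREFIX + secrets.token_hex(16)
        self._app_by_tag[self._tag(token)] = app_id
        return token

    def identify(self, token: str) -> Optional[str]:
        """Which app was this token issued to? None if unknown or fabricated."""
        return self._app_by_tag.get(self._tag(token))

    def scan_dump(self, text: str) -> Set[str]:
        """Attribute a leaked dump to the apps whose tokens appear in it.
        Token-shaped strings that were never issued are ignored."""
        found: Set[str] = set()
        for candidate in set(TOKEN_RE.findall(text)):
            app = self.identify(candidate)
            if app:
                found.add(app)
        return found


def canary_object_name(token: str, prefix: str = "attachments/") -> str:
    """Publisher side: plant the token as an object name under the same bucket
    prefix as the real uploads, so a scrape of that prefix carries it along."""
    return f"{prefix}{token}.jpg"


def canary_user_row(token: str) -> Dict[str, str]:
    """Publisher side: a decoy row stored in the users table next to real rows."""
    return {
        "user_id": "u-" + token[-8:],
        "email": f"{token}@example.invalid",
        "id_document": canary_object_name(token),
    }


if __name__ == "__main__":
    store = CanaryRegistry(secrets.token_bytes(32))
    tok = store.issue("com.example.tea")
    # Constructed CSV export: one real-looking row plus the planted decoy.
    dump = "\n".join([
        "user_id,email,id_document",
        "u-1a2b3c4d,alice@example.invalid,attachments/0001.jpg",
        ",".join(canary_user_row(tok).values()),
    ])
    print(store.scan_dump(dump))          # {'com.example.tea'}
```

Two caveats a reviewer would raise: compliance still has to be checked by an auditor with read access to the publisher's storage (the token has to actually be there), and a publisher who stores the token in a different system than the user records gets no detection at all.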
fn-mote
> * Mandate 3rd party auditing once an app exceeds 10k users
You have a lot of interesting suggestions.
I would love to see some kind of forced transparency. Too bad back-end code doesn’t run under any App/Play Store control, so it’s harder to force an (accurate) audit.
tonymet
Also, I remember maybe Facebook trying to do this when they acquired Parse. For a while they were promoting developers hosting their backends on Parse / FB.
The idea has merit. You have to relinquish some control to establish security. Look at App Store, Microsoft Store , MacOS App store -- they all sandbox and reduce API scope in order to improve security for consumers.
I'm more on the side of autonomy and trust, but then we have reckless developers doing stuff like this, putting the whole industry on watch.
tonymet
Thanks. Yeah, I think there are a lot of ways to decouple the App Store from publisher and auditor. That way the publisher can retain autonomy / control, while still developing trust with the consumer.
We could do better in our trade at encouraging best practices in this space. Every time there's a breach, the community shames the publisher. But the real shame is on us for not establishing better auditing protocols. Security best practices are just the start. You have to have transparent, ongoing auditing and pen-testing to sustain it.
idkfasayer
[dead]
anonzzzies
Outsourcing job was it? Modern programmers are literally terrible at all basic stuff (who stores ID images in the db and then in the clear, do you have many other mental issues or what?) (I see startups like Resend making the same mistakes and still people use them, so there isn't much punishment even from people with half a brain) and AI is going to make it all so much worse. And a public bucket. I think it should be criminally liable to be that sloppy.
juandsc
I don't think it's a modern programmers problem, in fact, I think we can argue we are much better than 20 years ago at least in terms of security.
There is a much higher concern for data validation and no one used HTTPS 20 years ago. Literally there were social networks with people uploading photos and personal stuff which didn't even have HTTPS.
anonzzzies
But that was because no one told them. Now they are told and taught. A lot of systems warn even for opening something publicly... And yet.
I check all CVEs of the software my clients use because we need to figure out why things are broken and often this is a start -> unpatched CVEs. Most (by far) CVEs are not 'honest mistakes' or missed corner cases because rocket-science; they are just sloppy programming. Something that should never pass review. We DO know better but people ship things and hope for the best (including the case in this post etc).
1970-01-01
"Breached"
1st sentence: "exposed database"
We need a more nuanced headline here. They did nothing responsible. 404 should title this story with something that will blame them first and the 'hackers' 2nd.
ch_fr
Yeah, the term "breached" was a very poor choice, because it sounds like "this was breached recently" instead of telling "the database could be seen by anyone ever since the app's conception, and it only came to light today" which has much worse implications.
zahlman
My general observation thus far has been that submissions from 404media are rarely anything that I'd consider quality content for HN.
prophesi
I wouldn't go that far. What they uncover with their FOIA requests that the general public would otherwise never know about tends to be quality content. And, like the Wired, their FOIA-based articles aren't paywalled.
nis0s
How is this user data even reliable or useful when someone can make fake personas and populate their activity with LLMs?
Drivers licenses can be faked. Moreover, someone can just pretend to be someone else on this app with real drivers licenses.
The whole premise, implementation and process of Tea as a social media app is flawed, and a legal liability for the devs.
tamimio
I hope it served as a good lesson to the average person to be more cautious while submitting sensitive information like a government ID. Just because it's an app with a nice UI doesn't mean it's secure, let alone trustworthy regarding who owns it. Last week I was contacting a government agency here in Canada and the support team requested a government ID to be shared over email, which is anything but a secure communication. I tried to share it as a link to my vault, but they refused, so now either I will have to go in person or they will find another way in the meantime.
The internet went from 'YouTube asking users to never use your real name' to 'you have to submit your ID to some random app' in 10 years. Crazy!
xtracto
CEOs and board members should be personally criminally liable for shared personal information coming out of their platforms.
It's the only way they will push companies to STOP storing them long term.
I've been in several companies (mostly FinTech) that store personal sensitive documents "just in case". They should be used for whatever is needed and deleted. But lazy compliance and operations VPs would push to keep them... or worse, the marketing people
ronsor
To be fair to the FinTech companies and their leadership, banking and finance laws are so draconian to the point where you'd rather store (and risk leaking) sensitive data than face even bigger fines from the government overlords. If you want that to stop, get rid of the PATRIOT Act and reform the KYC insanity.
ethagnawl
> I hope it served as a good lesson to the average person to be more cautious while submitting sensitive information like a government ID.
This absolutely should not be normalized. If I'm ever prompted to submit photos of a government ID to some service, I'm turning heel. I'll try to use their phone service (which I just did successfully this week), correspond via mail or maybe, as you've said, handle it in person but I'm probably content to go without.
SoftTalker
The sad part is that your government ID is about as likely to be leaked by the government agency itself as it is by any third party that has a scan of it.
My driver's license is scanned every time I buy beer. I'm under no illusions that it's not quite readily available in any number of leaks or disclosures.
If that sounds defeatist, maybe it is. Nothing online is private. Once it's in a database, it's only a matter of time before it's exposed. History has proven this again and again.
gitremote
You need to do this for background checks for employment, even though the employees for the background check service might be outsourced to a different country, and your government data had no protections in their jurisdiction.
wosined
I always do. I would have never made social media accounts if it required phone or ID. Thankfully I'm old so my accounts were made before normies flooded the net and started trusting everything.
hdgvhicv
Every hotel and his dog takes a copy of my passport, it’s basically public domain.
dabockster
> The internet went from 'YouTube asking users to never use your real name' to 'you have to submit your ID to some random app' in 10 years. Crazy!
Because we couldn't get anyone to take the internet seriously if it was just a bunch of anonymous pseudonyms trolling each other. And maybe that was a mistake.
hdgvhicv
When I started on the internet it was common to use real names, and indeed include things like addresses and phone numbers in usenet .sigs
lupusreal
It was definitely a mistake. The internet was not meant to be taken seriously. Measures like real name policies are designed to make people take it seriously but that is to the detriment of the users who do.
Just look at Facebook. Users with real names sharing all kinds of inane schizo nonsense, extremism, building echo chambers without realizing it, becoming completely divorced from reality as perceived by the majority of people around them in meatspace, because they section themselves off in cyberspace.
chatmasta
On the rare occasion when I have to do this, I blur the maximum amount of the image and watermark it with hundreds of lines of small red font saying “FOR EMPLOYMENT VERIFICATION BY $X_ENTITY.”
If they have a problem with it then I will gradually remove pieces until they’re okay. But I haven’t had to do this the few times I’ve used this tactic – it causes issues with automated scans but eventually some human manually reviews it and says it’s okay.
What I don’t like is the “live verification” apps that leave me no choice but to take a photo of it.
gruez
>What I don’t like is the “live verification” apps that leave me no choice but to take a photo of it.
That's becoming the norm now, presumably because of concern that people are taking leaked scans from one site, and using it to commit identity fraud (eg. getting KYC scans from crypto exchanges and using it to apply for accounts at other crypto exchanges, for money laundering purposes).
10000truths
You can use OBS to overlay your watermark on your webcam feed, then expose the composited output as a virtual camera that you select in the browser.
codedokode
You have a choice of not using such apps.
koakuma-chan
You can send it as an encrypted PDF, fwiw
add-sub-mul-div
If my license gets leaked and then a stalker shows up at my house, I will simply turn them away on the grounds that it was illogical to assume the license wasn't faked.
carabiner
> Drivers licenses can be faked. Moreover, someone can just pretend to be someone else on this app with real drivers licenses.
These are actually still very hard to do. I don't know anyone who would let me use their license for this purpose.
fake-acc-420
[flagged]
chuckadams
I don't disagree, but there are most certainly other perpetrators of identity theft out there. Not sure any of them would bother using it to sign up for something as niche and unprofitable as an account on Tea.
furgot
It's concern trolling, they don't sincerely believe it, they're trying to make the people they don't like stupid.
kashnote
I'm a firm believer that if you want to start a tech company, at least one of the founders has to have a technical background. Even if you outsource all the work, you need to be able to ask the right questions related to security.
It's not just that this database was accessible via the internet. It was all public data. Storing people's IDs in a public database is just... wow.
alibarber
But now we have amazing vibe coding tools that mean that you don’t need to be technical or whatever - you can just deliver results. After all, the best LinkedIn influencers and founders don’t care about how something is delivered, just what.
Yeah, we’ve finally, nearly, just got to the point where realizing that treating IT and security and such as simply a cost centre to be minimised maybe quite wasn’t leading to optimal security outcomes - to throwing it all away again.
TechDebtDevin
Isn't there like millions of misconfigured Firebase DBs in the wild with no auth, some including Fortune 500 companies?
https://www.bleepingcomputer.com/news/security/misconfigured...
kenjackson
Tech background isn’t sufficient. They need to have security background. Some of the worst people I’ve met with respect to security have been technical enough to have the wrong level of confidence.
TZubiri
Doctors need to study 5 to 8 years and pass rigorous exams. Attorneys the same. Structural architects and engineers the same.
We have a couple of decades more until we lock tech up, up until now it was all fun and games, but now and in the future tech will be everywhere and will be load bearing
justahuman74
By then we'll just launder the blame onto the AIs
Pigalowda
Tech is special! Think about the margins, the gains, the $$$!
I bet on greed. It always wins.
robotnikman
With all the state/countries starting to do ID verification, this is a good lesson in what can go horribly wrong with these types of policies.
throwacct
This x100.
testing321123
[dead]
Also: https://www.reddit.com/r/4chan/comments/1m8z2w4/4chan_the_ha...
https://www.cnet.com/tech/services-and-software/tea-app-brea...