Users from 4chan claim to have discovered an exposed database hosted on Google’s mobile app development platform, Firebase, belonging to the newly popular women’s dating safety app Tea. Users say they are rifling through people’s personal data and selfies uploaded to the app, and then posting that data online, according to screenshots, 4chan posts, and code reviewed by 404 Media.

[-] JackbyDev@programming.dev 98 points 6 days ago

I can't open the article, but I think I read that this was hosted on an unprotected bucket. Assuming that's correct I wouldn't say this was a breach. A better headline would be "Women dating safety app 'Tea' exposed women's PII".

To be 100% clear, I'm not excusing the hackers. I don't believe it's morally correct to publicize something because it is exposed. For folks curious about that you can look into how to ethically disclose vulnerabilities. I still view this as doxxing. I still believe what the hackers did should be a criminal offense, it's just that I also believe the app holds a ton of the blame as well. How can you proclaim to be about keeping women safe while putting them at risk? That should be punished as well.

Like if the storage facility you trusted to hold your stuff never had locks on the doors, shouldn't they take a lot of the blame as well as the thief who found out a door was unlocked?

[-] hopesdead@startrek.website 43 points 6 days ago

The bigger problem is trying to get the mainstream that would read an article like that to understand the technical difference between hacking and accessing unsecured data.

[-] JackbyDev@programming.dev 27 points 6 days ago

One of the definitions of hacking is illegally gaining access to a computer system. It doesn't need to involve any sort of exploit. Stealing from an unlocked home is still stealing. Gaining access to a system by phishing is still hacking. Leaking data that is technically publicly accessible that isn't meant to be publicly accessible is still hacking.

Not that I suspect anything good from 4chan but the proper thing to do would be to disclose to Tea that their data is public and allow them to fix the problem. The ethics of vulnerability disclosure still apply when the vulnerability is "hey you literally didn't secure this at all."

[-] Brickhead92@lemmy.world 8 points 6 days ago

This reminded me of an anecdote from maybe 6 years ago. I was setting up and testing a small network and a couple devices to install for a customer, let's say the subnet was 192.168.2.0/24.

Weird things were happening, I was being lazy and wasn't directly connected to the network, may have set up a VPN between devices somewhere; can't really remember. But pings would sometimes drop or blow out to 100s of ms.

I eventually ended up disconnecting that network entirely, then the pings continued and got more stable?? WTF! I knew we didn't have that subnet in use, even checked before setting it up. In the time between checking and the issues happening, someone in Sydney somewhere had stuffed up on their router and exposed their LAN to the internet without any firewalls, just available.

Scanned and found all the IPs in use and in them found a printer. Connected to it and printed a page saying I'm from company XYZ and found all these devices available, and to either contact their IT and resolve it ASAP or my company to help. About an hour later it seemed to be resolved.

It was an interesting day.

[-] phx@lemmy.ca 13 points 6 days ago

Uh... you can't just "expose a LAN network to the Internet" in this manner. Local subnets aren't routable over the Internet, so you can't just enter 192.168.2.3 and end up on somebody else's private LAN.

https://www.geeksforgeeks.org/computer-networks/non-routable-address-space/

They would have needed to either have all their internal devices being assigned public IPs or had NAT+firewall rules explicitly routing ports from their outside address(es) to the inside ones. The former is unlikely as normally ISPs don't allocate that many to a given client, or at least not by DHCP. The latter would require a specific configuration mapping the outside addresses/ports to inside devices, likely on a per device+port basis.

Either your story is missing key details or you've misunderstood/made-up something.

[-] Zephorah@discuss.online 44 points 6 days ago

Reading these incredible comments has revealed a large piece of what was named as the reason for lemm.ee shutting down.

[-] BackgrndNoize@lemmy.world 44 points 6 days ago

This is why there should be a nationwide rule that PII data should be deleted after the user's identity has been verified.

[-] mang0@lemmy.zip 5 points 6 days ago

Truly impressive how little America cares about its citizens.

[-] UncleGrandPa@lemmy.world 31 points 6 days ago

What are the chances of this being the main reason for the app's existence?

[-] Hozerkiller@lemmy.ca 33 points 6 days ago

Seeing as the word hack is doing a lot of heavy lifting. They didn't bother to actually secure the data and then put it on the internet for anyone to access.

[-] simplejack@lemmy.world 25 points 6 days ago

Hungry data privacy lawyers when they learned about Tea this week:

[-] VinnyDaCat@lemmy.world 15 points 6 days ago

I don't quite understand the outrage in the thread. I've been looking through the comments, trying to see if this ever went beyond gossip and I can't find anything.

From my understanding the app was intended to be a safe space for women to discuss dating. Relaying information about dangerous individuals, or people who cheat. I can imagine that things might have gotten slightly out of hand in regards to anonymous gossip, but is that anything compared to being doxxed? Besides, women, and men have been gossiping behind each other's backs for as long as humans have existed. An anonymous app makes it significantly worse certainly, but it is what it is. This behavior is always going to exist for better or for worse. For example, people already discuss this on sites like fetlife since the risk of ending up with someone who wants to batter you for the sake of battering you is somewhat high there.

Surely we can have some sympathy for people who have had their identifications doxxed by 4chan who haven't done anything worse than a bit of toxic gossip at most?

[-] rozodru@lemmy.world 21 points 6 days ago

You're right as far as its intentions go. I honestly couldn't give a rat's ass about what it intended to do; what I have a MASSIVE issue with is that it did the EXACT opposite of what it "intended to do."

It didn't provide Women with a "safe space" because women's government issued IDs and their personal selfies were, quite literally, OUT IN THE OPEN. It opened Women who used the app to way more harm.

Their database, and I'm being extremely generous when I call it that, wasn't even password protected. Not even a simple plain text password like "password123"; there was NO password. At all. Period. All I would have had to do was simply see where the app sent the scanned IDs, open a terminal, SSH into it WITHOUT A PASSWORD OR KEY, and then I now have access to the IDs of over 13,000 Women. Hell, I probably wouldn't have even had to SSH into it, probably could have opened the damn thing from a web browser.

So when the media is saying 4chan "leaked" this stuff again they're being generous. It's like if you were walking down the street that Tea lived on and you noticed they left their door wide open so you decided to peek your head inside and while peeking your head in you noticed a box right by the door that had thousands of IDs in it so you picked up the box and walked out. Chances are other people got to this box before 4chan did, many people probably did, it's just that 4chan were the only ones to say "Hey I found this house with a wide open door and decided to pick up this box with all these IDs in it, neat huh?"
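
For anyone shipping a Firebase app, the "no lock on the door" condition discussed in this thread can be checked before deploy. The following is an added example, not part of the thread and not Tea's code: a small audit that flags Firebase Storage rules granting read access with no condition. The rules text and path names are constructed, and the parser assumes one statement per line.

```python
import re

# Constructed sample rules (not Tea's): one open path, one owner-only path,
# and one path whose read rule has no condition at all.
SAMPLE_RULES = """\
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /id_uploads/{file} {
      allow read, write: if true;
    }
    match /users/{uid}/{allPaths=**} {
      allow read, write: if request.auth != null && request.auth.uid == uid;
    }
    match /avatars/{file} {
      allow get;
      allow write: if request.auth != null;
    }
  }
}
"""

ALLOW_RE = re.compile(r"allow\s+([a-z,\s]+?)\s*(?::\s*if\s+(.+?))?\s*;")
MATCH_RE = re.compile(r"match\s+(\S+)\s*\{\s*$")
READ_OPS = {"read", "get", "list"}

def find_public_reads(rules_text):
    """Return (line_no, path, read_ops) for every unconditional read grant."""
    findings, stack = [], []
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        code = line.split("//", 1)[0].rstrip()      # drop trailing comments
        if code.endswith("{"):                       # entering a block
            m = MATCH_RE.search(code)
            stack.append(m.group(1) if m else "")   # non-match blocks add no path
        elif code.strip() == "}" and stack:          # leaving a block
            stack.pop()
        for a in ALLOW_RE.finditer(code):
            ops = {op.strip() for op in a.group(1).split(",")}
            cond = a.group(2)
            # No condition, or a literal `true`, means anyone can read.
            if ops & READ_OPS and (cond is None or cond.strip() == "true"):
                findings.append((line_no, "".join(stack), sorted(ops & READ_OPS)))
    return findings

if __name__ == "__main__":
    for line_no, path, ops in find_public_reads(SAMPLE_RULES):
        print(f"line {line_no}: {path} allows {', '.join(ops)} to everyone")
```
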

[-] Clbull@lemmy.world 6 points 5 days ago* (last edited 5 days ago)

Tea is the offshoot of all those "Are We Dating The Same Guy" Facebook groups where ladies gossip, talk shit, slander and creep-shame guys they went on dates with, sometimes throwing around false accusations maliciously to get men ostracized.

On one hand, damn these groups are toxic as fuck and that makes me feel a lot less sympathetic. But on the other hand, this is a textbook argument for why mandatory age verification laws need to be abolished. AWDTSG works as a way to keep women safe when it's used as intended but there are too many women that will slander men with false allegations purely out of spite.

[-] forrgott@lemmy.sdf.org 6 points 5 days ago

Right, because only women are the problem, and men are paragons of virtue.

Fuck off

[-] Electricd@lemmybefree.net 5 points 5 days ago* (last edited 5 days ago)

Right because the comment obviously said that no man did bad things and it was ALL women's fault

Fuck off with your straw man

[-] thatradomguy@lemmy.world 6 points 5 days ago* (last edited 5 days ago)

Another example of why people shouldn't be uploading/sharing nudes on any platform when the pretense is that it will only be between 2 people. That just isn't realistic anymore. Never was, really. I still don't get how people can hear and know about all the hacks happening now but they can't see that sending nudes is somehow unsafe? Why does society work this way?

[-] Electricd@lemmybefree.net 6 points 5 days ago

Send nudes on Signal!

[-] M0oP0o@mander.xyz 6 points 5 days ago

One would have hoped the lesson here would be about the dangers of commodifying everything as a fucking "app", but no, it looks like it's not the incredibly irresponsible company at fault (as is tradition).

this post was submitted on 25 Jul 2025
633 points (100.0% liked)
