A 4chan hacker infiltrated the app 'Tea,' where women anonymously post photos of men and gossip about them, leaking 72,000 images, including 13,000 selfies for authentication, causing a huge uproar.
Photos of women were leaked from the app 'Tea,' which was popular among women as a place to exchange information about men. It is said that the files stored by Tea were not encrypted at all, and users' personal information was completely visible.
Women Dating Safety App 'Tea' Breached, Users' IDs Posted to 4chan
https://www.404media.co/women-dating-safety-app-tea-breached-users-ids-posted-to-4chan/
Tea app hacked: 13,000 photos leaked after 4chan call to action
https://www.nbcnews.com/tech/social-media/tea-app-hacked-13000-photos-leaked-4chan-call-action-rcna221139
Tea was a dating app for women, where users could post photos and names of men, discuss them with each other, and label men as 'green light' or 'red light.' It was billed as a 'dating advice app,' and was so popular that it briefly reached number one in the free app rankings on the US App Store.
Tea has become the #1 free app on the US App Store
— Dexerto (@Dexerto) July 23, 2025
The women-only dating advice app lets users anonymously share red flags, swap info, and get feedback about men pic.twitter.com/p6eCtFJbK9
When registering for an account, Tea users must upload a photo of themselves and their ID to prove they are female. The ID and selfie data was discovered by a user on the anonymous message board 4chan, and the link was made public.
According to Tea, which acknowledged the data leak, selfie data and other data are normally deleted after review, but data submitted at certain times was stored in a database to comply with the requirements of anti-cyberbullying laws.
However, this database was not even encrypted and was literally open to anyone to view.
Software engineer Austin Allred said, 'Tea's data was on a publicly accessible URL, and it was simply accessed normally, not a 'hack.'' He added, 'When you set a database that is normally blocked from viewing to public, you would receive multiple warnings. It's possible that an insider received warnings and still set it to public.
To have this little security you would have to actually fight the default platform behavior.
— Austen Allred (@Austen) July 25, 2025
By default Firebase buckets are 'locked.' You'd have to very intentionally set it to public.
And it will scream at you and warn endlessly when you try to do so.
The day before the data leak, a thread was posted on 4chan, and a 'hack and leak' campaign to find information about Tea's users was launched. The next day, a URL claiming to be able to download the images was posted, and a large number of photos of people allegedly using Tea were posted on 4chan and X.
The amount of data temporarily reached 59.3GB. The original thread was deleted by a moderator.
The Tea app has been hacked, and you can go download 59.3 gigabytes of user selfies right now.
— Crémieux (@cremieuxrecueil) July 25, 2025
The hack is real. A picture from someone I know who signed up just to see what was on there was in it.
This was an obviously vibe-coded app and was bound to be insecure. pic.twitter.com/yrUxW1cFZc
In connection with this case, a service that rates tea users and data mapping the addresses of tea users were made public.
they done a map of all the Tea App users ???????? pic.twitter.com/7VZozLjptm
— moonlight (@GEKKITO) July 25, 2025
Tea said, 'The compromised system contains approximately 72,000 photos submitted by users, including approximately 13,000 IDs and selfies submitted for user authentication. If you signed up for Tea after February 2024, all your data is safe. We acted swiftly and are working with the most trusted cybersecurity experts.'
Continued
Message contents leaked from men's shopping app 'Tea' - GIGAZINE
Related Posts:
in Web Service, Posted by log1p_kr