Last month, we saw the massive data breach of the âTea Appâ â a smartphone app for women to talk about men they donât like â resulting in over 60 GB of personally identifiable data leaked out to the public. Stuff like selfies and pictures of drivers licenses.
Well, it didnât take long for a âTeaOnHerâ App to appear â with the same basic functionality, except this time for men to talk about women they donât like.

And, of course, the developer of âTeaOnHerâ made the same basic mistake that the âTea Appâ made: They permanently stored a ton of personal information. Including, once again, divers licenses.
You can already see where this is going.
Driverâs Licenses Everywhere
Almost as soon as the âTeaOnHerâ app went live, writers for TechCrunch went looking to see if they could easily access any of that data. Because wouldnât that be crazy if a copy-cat app made the exact same kind of security mistakes as the app it was copying?
What TechCrunch found was that it took no more than around 10 minutes for them to begin accessing pictures of drivers licenses of user accounts.

10 minutes!
With a bunch of the usual suspects of bad security being involved: unprotected file storage (in this case, Amazon), public API documentation, and a lack of secured API calls.
Now, unlike the âTea Appâ breach â which resulted in massive archives of personal data published all over the web â it isnât known if these vulnerabilities actually resulted in significant data archives getting out there in the wild.
But, as the writers at TechCrunch put it, âThe bugs were so easy to find that it would be sheer luck if nobody malicious found them before we did.â
Thereâs a Lesson Here⊠But it Wonât Be Learned
Sure, this âhackâ of the âTeaOnHerâ App was easy â as was the hack of the âTeaAppâ before it. Both of those systems were comically insecure.
But, the reality is, no complex online system is truly secure.
Have a website or App which stores (and publishes) user data? It can be hacked.
And, if there is sufficient interest in obtaining whatever data is being stored, not only can it be hacked⊠but it will be hacked.
The HaveIBeenPwned site, alone, has documented close to 15 Billion (with a B) accounts which have not only been breached⊠but reported and (often) made available in some way.

And that 15 Billion is only the breached accounts which we know about.
Anyone who works in IT can tell you that the vast majority of data breaches are never discovered. And the majority of those which are discovered⊠are never disclosed publicly.
Considering that the current population of the Earth is roughly 8 Billion, itâs safe to assume that every single adult on Earth, with an Internet connection, probably has several breached accounts already.
With the frequency, and size, of such data breaches increasing.
Should these Tea Apps have had better security? You bet your tuchus. From the looks of things neither developer spent any significant time trying to implement even the most basic security precautions.
For Peteâs sake, at least try to slow the hackers down a little.
But the real problem here is not the total lack of security â even âgoodâ security can (and will) be overcome.
No.
The real problem is the type of data being permanently stored, in an Internet accessible way, by these services. If a service is likely to be breached (and any significant service is), a key goal is to limit the amount of data which a hacker can gain access to.
Here are a few good rules of thumb when dealing with data being stored on an Internet accessible server:
Do not store any more data, at any given moment, than is 100% necessary.
If previously stored data is no longer needed, delete it. Completely. Not âflaggedâ for deletion. Actually deleted.
Whatever data you are storing should be encrypted whenever possible.
If sensitive personal data absolutely must be stored, for legal and regulatory reasons, consider physical archives stored in a secure location instead of an Internet connected server.
And, of course, donât use unprotected (or barely protected) âcloudâ file storage like the numbskull developers of these âTeaâ apps did. That never ends well.
Simple guidelines which, if followed, could significantly reduce the negative impact of inevitable data breaches.
But, of course, few online services â big or small â will follow such guidelines. They will continue expanding the quantity of data they store on increasingly complex systems.
Which means weâll see more and more data breaches â containing an ever increasing amount of personal data.
Welcome to the future.
The stupid, stupid future.