The “Tea App” — an online dating app marketed as a dating tool that “protects women” — has been hacked. And a lot of data has been exposed. An extreme amount.

Not the first major breach this year. And it certainly won’t be the last.

 

First published over on 4Chan (of course), the “hack” of Tea App wasn’t even really much of a “hack”. The developers of Tea App apparently simply left the user data open for the world to download at their leisure.

And Tea App was becoming pretty popular — which means roughly 60 GB of user data was made available before the developers finally thought about locking things down.

 

What kind of data was made publicly available — because, presumably, the developers simply didn’t think about “security” much — by this Tea App Hack?

Selfies. Drivers licenses. All manner of private information which will, no doubt, be exploited by unscrupulous types over the days to come.

 

Even worse — meta data appears to have been preserved on uploaded photos. Meaning that many of the user selfies included location data (in addition to the address on the drivers license). Which said unscrupulous types have already begun using to create maps of Tea App users.

 

The developers of Tea App have put out a statement which says 59,000 images used for “account verification” were made available (read: Government ID). Which would already be catastrophic… however a quick look at details of the data (including the file size alone) would suggest that number could be much, much larger.

Here is the full statement from the developer:

 

Which brings us to an important lesson which we — as humans — never seem to learn:

If user data is stored, it will get hacked.

It’s simply a matter of time.

There are currently close to 15 Billion (with a B) accounts listed on Have I Been Pwned. And those are simply from hacks and breaches which were reported to that one website.

 

The reality is, the vast majority of hacks and data breaches are never made publicly known. Either by the people doing the hacking, or by the company / government which got hacked.

As systems continue to grow ever more complex and interconnected — and more systems become AI-developed (aka “Vibe Coded”) — these hacks and breaches become easier to pull off.

Combine that with the ever-expanding quantity of data — and the growing number of services storing it — and we are quickly reaching a point where everyone will have at least some of their data breached at some point. For some people it will happen regularly. Repeatedly.

And those will just be the breaches we find out about.

The only way to minimize the damage of such hacks & breaches is to minimize the amount and type of data stored, long term, by a service.

• Need pictures of government ID for age verification? Delete that picture immediately after verification.

• Need payment and shipping information? Delete all of it immediately after payment is processed and shipment is verified.

• Need location data (GPS, IP, etc.)? Delete it immediately once done with it.

You get the point. Unless a piece of personal data is absolutely 100% necessary, delete it.

It’s hard for a hacker to obtain files… that aren’t there.

Proton — the Swiss company behind Proton VPN & Proton Mail — apparently was feeling very left out of the A.I. Craze (tm) and has decided to launch their own AI Chatbot… dubbed “Lumo”.

And it is possibly even more hallucinatory than the other AI Chatbots. And that’s saying something.

 

Lumo — the “AI that respects your privacy” — boasts that the company keeps “no logs” and has “zero access encryption”.

Since they offer a few free queries without creating an account, I decided to take it for a spin. The results were… a bit like talking to a schizophrenic on mushrooms.

Lumo’s Grasp on History

First I asked it a series of simple historical, nerdy questions. Easy stuff that any LLM AI system should nail. Like “What year did the first Macintosh computer ship?” and “Who was the first CEO of Microsoft?”

Easy stuff. Lumo got about half of the answers right… it was convinced that the first Mac shipped in 2003 (off by about 20 years). On the other hand… it did know the correct number of floppies that Windows 95 shipped on (13). So. Mixed bag.

In other words: Lumo got so much wrong that it was not usable for any sort of research.

I then decided to ask Lumo some questions about… myself. “Lunduke”.

“Lunduke” is Hard for AI Chatbots

Last year I noticed that OpenAI’s ChatGPT was saying some pretty crazy things about yours truly. Stuff like “Lunduke has two clubbed feet”, “Lunduke is a trans activist”, and “Lunduke has a husband named Evan”.

I gave OpenAI an ultimatum: Either they needed to fix ChatGPT such that it would no longer spew out made-up, defamatory stuff about me… or they needed to stop ChatGPT from talking about “Lunduke” entirely.

In the end, OpenAI decided that there was no way to make ChatGPT output accurate information (seriously). So they added a “Bryan Lunduke” filter so that any query that results in mentioning my full name causes ChatGPT to error out (amusingly, even that “Lunduke filter” only works about 80% of the time).

 

I decided to ask Proton’s Lumo AI about “Lunduke”. Let’s see how it compares to ChatGPT, right?

The results were… insane.

Lumo on Shrooms

First… Lumo refused to spell my first name correctly (it used an i instead of a y… and no amount of correcting it seemed to work). Worth noting that there is no human on Earth named “Brian Lunduke”. Only “Bryan”.

Weird. But no biggy.

The rest of it though… was wild.

 

Lumo is convinced that I am a “transgender man” and “advocate for transgender rights”. Also I am, apparently, a critic of Israel and a crusader for “social justice”.

Basically, Lumo invented Mirror Universe Lunduke.

Oh, and — like ChatGPT — Lumo is convinced I have a husband. This time his name is “Michael DeFreese”. And, apparently, we got married in 2018. Which will be a surprise to my wife.

 

It gets weirder.

I then asked Lumo about my “husband” the next day. Apparently, overnight, I had gotten divorced and re-married. I was now “Mr. Bart Butler”.

 

I spoke to the team at Proton to see what their plan for dealing with factual errors was.

The team at Proton informed me that they could not reproduce the output I received — which I believe, as Lumo seems to generate wildly different “facts” almost every time it’s used.

At the same time, Lumo changed to output a template response about providing “helpful, respectful” assistance — while not actually answering questions — when the word “Lunduke” was included. The Lumo team sent me this screenshot.

 

A few hours later, Lumo changed back to spouting hallucinations regarding “Lunduke”… but spontaneously learned how to spell my name correctly. So. That was a plus!

Even if I was still an “openly transgender” man with an unnamed husband.

 

So… sure. Lumo may be almost completely incapable of outputting factual information.

And it changes its mind on what made up nonsense it spews out almost every few minutes.

But, hey! At least Lumo has that reassuring “Conversation encrypted” message at the bottom of each chat.

It’s got that going for it.

I’m going to make an observation that is likely to get me tarred and feathered. But, before you reach for your handy-dandy pitchfork, hear me out.

Age and identity verification requirements for accessing websites is a necessity… it should be expanded to most (if not all) of the Internet.

The reason is simple: Identity verification is the only possible solution to the army of AI driven bots currently infesting the Internet. Want to stop the Dead Internet Theory? This is the only way.

The Problems With Identity Verification

I want to make something very clear: Online age and ID verification has a number of problems. Very, very real problems that every single person is right to be concerned about.

• What verification data will be collected and stored (and how)?

• What additional security concerns are created because of ID verification?

• Will the burden of that verification be too much for some sites to handle?

• How will those verification systems be abused by corporations and governments?

And those are just off the top of my head.

Some of the issues are straight forward engineering issues. Some are downright daunting.

Regardless, those 4 bullet points alone are enough to make most people recoil in horror at the mere thought of ID verification becoming mandatory.

But mandatory it has become — at least for a small portion of (adult focused) websites in a number of locales. In several states in the USA, adult websites (and, soon, some social media sites) are now requiring age verification.

And, in the United Kingdom, the Online Safety Act is taking effect. Resulting in a massive spike in VPN usage as people work around age verification on adult-only websites.

 

There’s a pretty clear takeaway here. Some people really like being anonymous. Especially when doing “naughty” things.

In short: There are real concerns with online ID verification, and many people don’t like it.

Which brings us to The Dead Internet Theory… and how ID verification may be the only solution.

The Plague of The Dead Internet

The Dead Internet Theory is simple:

“The Internet is now predominantly bot traffic, with humans being the minority.”

As of last year, this theory has been confirmed just about every way you can confirm it. The most recent Bad Bot Reportshows that actual humans make up only 49% of global Internet traffic.

 

Social Media platforms, like X, are filled with AI-driven bot farms. So much so that it is making it increasingly difficult to determine true public sentiment on any given issue — as the bots flood topics and threads in order to push specific narratives.

Want to have a conversation with other humans? Good luck.

And Meta is intentionally filling Facebook timelines with bots. As a business strategy.

Make no mistake, these bots are destroying the value of the Internet. Making it less usable and less worthwhile by the day.

The plague of the Dead Internet is devouring the Net like a swarm of programmatically generated, GPU accelerated locusts.

And those locusts are multiplying much faster than we are.

Stopping this plague — killing off those bots — is, at present, a seemingly insurmountable task. No “bot detection” algorithm will ever be good enough — just ask developers of Massively Multiplayer Online games about how difficult it is to stop bots (even in a well confined and controlled setting).

As long as most websites require no more than a simple email address to create a new account… the bots will continue. The bots will thrive.

The Solution is a Bitter Pill

The solution to the Dead Internet is obvious… but unappetizing.

In order to stop the bots — and reclaim the Internet for humans — we must require verification of humanity in order to use the Internet.

How do we do that?

Obviously simple “captchas” don’t do the trick.

• “Type these funny looking letters!”

• “Click every box that has a motorcycle!”

Bots can figure those out without breaking a sweat (I, on the other hand, have a hard time with them).

And, like we already discussed, bot detection algorithms simply do not work — at least not for more than a few hours before the bots get improved to work around the algorithm.

The only real solution is identity verification.

Exactly the type of ID & age verification that is happening right now in some US states and the UK. Except that, in order for this to truly work, websites must take it to the extreme.

To ensure that a website isn’t flooded with bots (like what we see on YouTube, X, etc.) that website must require ID verification… for absolutely everyone who uses it. Not simply for a handful of states. For everyone. No exceptions.

Want your views to count? Want to post, comment, or like? You need to get your ID verified first.

I know. Most of us hate that idea. And for good reason. It feels like a horrific step down a dark road into a dystopian future.

But it’s the only viable solution to the Dead Internet.

Which means we are left with two choices for any given website:

1. Be able to use it anonymously… but most of the content is driven by AI and bots (including other commenters, publishers, etc.)… to the point where any interaction you have is increasingly unlikely to be a real human. And any count of “views”, “likes”, “followers”, “comments”, etc. is utterly meaningless. The bots will dominate all.

2. ID verification required. With very few bots. Views, likes, etc. will all be real (or at least more real). The people you talk to will be human.

I recognize that most of us will look at both of those options with some level of disgust. But this is the reality we live in. Those are our options if we want this “Internet” thing to continue.

My personal opinion is that sites like X, YouTube, etc. should implement mandatory ID verification.

I don’t like it… but the alternative is that, very soon, those sites will be all but useless as the locusts take over.