The “Tea App” — an online dating app marketed as a dating tool that “protects women” — has been hacked. And a lot of data has been exposed. An extreme amount.

Not the first major breach this year. And it certainly won’t be the last.

 

First published over on 4Chan (of course), the “hack” of Tea App wasn’t even really much of a “hack”. The developers of Tea App apparently simply left the user data open for the world to download at their leisure.

And Tea App was becoming pretty popular — which means roughly 60 GB of user data was made available before the developers finally thought about locking things down.

 

What kind of data was made publicly available — because, presumably, the developers simply didn’t think about “security” much — by this Tea App Hack?

Selfies. Drivers licenses. All manner of private information which will, no doubt, be exploited by unscrupulous types over the days to come.

 

Even worse — meta data appears to have been preserved on uploaded photos. Meaning that many of the user selfies included location data (in addition to the address on the drivers license). Which said unscrupulous types have already begun using to create maps of Tea App users.

 

The developers of Tea App have put out a statement which says 59,000 images used for “account verification” were made available (read: Government ID). Which would already be catastrophic… however a quick look at details of the data (including the file size alone) would suggest that number could be much, much larger.

Here is the full statement from the developer:

 

Which brings us to an important lesson which we — as humans — never seem to learn:

If user data is stored, it will get hacked.

It’s simply a matter of time.

There are currently close to 15 Billion (with a B) accounts listed on Have I Been Pwned. And those are simply from hacks and breaches which were reported to that one website.

 

The reality is, the vast majority of hacks and data breaches are never made publicly known. Either by the people doing the hacking, or by the company / government which got hacked.

As systems continue to grow ever more complex and interconnected — and more systems become AI-developed (aka “Vibe Coded”) — these hacks and breaches become easier to pull off.

Combine that with the ever-expanding quantity of data — and the growing number of services storing it — and we are quickly reaching a point where everyone will have at least some of their data breached at some point. For some people it will happen regularly. Repeatedly.

And those will just be the breaches we find out about.

The only way to minimize the damage of such hacks & breaches is to minimize the amount and type of data stored, long term, by a service.

• Need pictures of government ID for age verification? Delete that picture immediately after verification.

• Need payment and shipping information? Delete all of it immediately after payment is processed and shipment is verified.

• Need location data (GPS, IP, etc.)? Delete it immediately once done with it.

You get the point. Unless a piece of personal data is absolutely 100% necessary, delete it.

It’s hard for a hacker to obtain files… that aren’t there.

Proton — the Swiss company behind Proton VPN & Proton Mail — apparently was feeling very left out of the A.I. Craze (tm) and has decided to launch their own AI Chatbot… dubbed “Lumo”.

And it is possibly even more hallucinatory than the other AI Chatbots. And that’s saying something.

 

Lumo — the “AI that respects your privacy” — boasts that the company keeps “no logs” and has “zero access encryption”.

Since they offer a few free queries without creating an account, I decided to take it for a spin. The results were… a bit like talking to a schizophrenic on mushrooms.

Lumo’s Grasp on History

First I asked it a series of simple historical, nerdy questions. Easy stuff that any LLM AI system should nail. Like “What year did the first Macintosh computer ship?” and “Who was the first CEO of Microsoft?”

Easy stuff. Lumo got about half of the answers right… it was convinced that the first Mac shipped in 2003 (off by about 20 years). On the other hand… it did know the correct number of floppies that Windows 95 shipped on (13). So. Mixed bag.

In other words: Lumo got so much wrong that it was not usable for any sort of research.

I then decided to ask Lumo some questions about… myself. “Lunduke”.

“Lunduke” is Hard for AI Chatbots

Last year I noticed that OpenAI’s ChatGPT was saying some pretty crazy things about yours truly. Stuff like “Lunduke has two clubbed feet”, “Lunduke is a trans activist”, and “Lunduke has a husband named Evan”.

I gave OpenAI an ultimatum: Either they needed to fix ChatGPT such that it would no longer spew out made-up, defamatory stuff about me… or they needed to stop ChatGPT from talking about “Lunduke” entirely.

In the end, OpenAI decided that there was no way to make ChatGPT output accurate information (seriously). So they added a “Bryan Lunduke” filter so that any query that results in mentioning my full name causes ChatGPT to error out (amusingly, even that “Lunduke filter” only works about 80% of the time).

 

I decided to ask Proton’s Lumo AI about “Lunduke”. Let’s see how it compares to ChatGPT, right?

The results were… insane.

Lumo on Shrooms

First… Lumo refused to spell my first name correctly (it used an i instead of a y… and no amount of correcting it seemed to work). Worth noting that there is no human on Earth named “Brian Lunduke”. Only “Bryan”.

Weird. But no biggy.

The rest of it though… was wild.

 

Lumo is convinced that I am a “transgender man” and “advocate for transgender rights”. Also I am, apparently, a critic of Israel and a crusader for “social justice”.

Basically, Lumo invented Mirror Universe Lunduke.

Oh, and — like ChatGPT — Lumo is convinced I have a husband. This time his name is “Michael DeFreese”. And, apparently, we got married in 2018. Which will be a surprise to my wife.

 

It gets weirder.

I then asked Lumo about my “husband” the next day. Apparently, overnight, I had gotten divorced and re-married. I was now “Mr. Bart Butler”.

 

I spoke to the team at Proton to see what their plan for dealing with factual errors was.

The team at Proton informed me that they could not reproduce the output I received — which I believe, as Lumo seems to generate wildly different “facts” almost every time it’s used.

At the same time, Lumo changed to output a template response about providing “helpful, respectful” assistance — while not actually answering questions — when the word “Lunduke” was included. The Lumo team sent me this screenshot.

 

A few hours later, Lumo changed back to spouting hallucinations regarding “Lunduke”… but spontaneously learned how to spell my name correctly. So. That was a plus!

Even if I was still an “openly transgender” man with an unnamed husband.

 

So… sure. Lumo may be almost completely incapable of outputting factual information.

And it changes its mind on what made up nonsense it spews out almost every few minutes.

But, hey! At least Lumo has that reassuring “Conversation encrypted” message at the bottom of each chat.

It’s got that going for it.

One of my favorite things is seeing a small team (or even just a solo developer) come along and put the big teams — the entrenched powers — to shame. I get a real kick out of it.

I love it when there is a deafening chorus of “It can’t be done!” and someone comes along and says “Hold my beer”.

Case in point: The world of Web Browsers has been dominated by two primary rendering engines — one driven by Google and the other driven by Mozilla (but funded almost entirely by Google). And there is an almost endless supply of Google / Mozilla stooges who try to discourage anyone from making a new competitor.

“But you can’t just build a new web browser engine,” they exclaim!

“It’s too complex to pull off,” says the stooge. “You need hundreds of developers working on it for years to make a real web browser engine! Better just leave that work to Google and Mozilla!”

We’ve all heard statements like that. Poo-poo-ing any attempt at building a truly new web browser engine as “too difficult” or even “impossible”. The purpose is to shut down the dreams of solo developers and small teams. To stop them from competing with the “big dogs”.

In fact, right on cue, when the Ladybird web browser project was announced — a truly “from scratch” browser engine — they trotted out those same lines. By the droves.

Heck, many even began smear campaigns against Ladybird in an effort to stop the project entirely.

But Ladybird didn’t stop. Development has continued.

And, oh-lawdy, the progress has been amazing.

Allow me to share with you a selection of screenshots — showing off the state of Ladybird, posted by the developer who started the project — which prove that a web browser engine can absolutely be built by a small team.

It may be challenging. But it can be done.

Take a look, and tell me if you’re not deeply impressed.

 

Yeah, that’s the Cut the Rope game. Fully playable in Ladybird.

We’re not talking about HTML table layouts and HREF tags here. This represents a huge collection of different “Web technologies” developed “from scratch”. All working to an amazing degree.

 

Web IDEs? Yeah. Those are working in Ladybird, too.

 

Freaking Discord? Working. It may not be 100% here — the developer calls it “usable but a little glitchy” — but that’s a lot of modern web browser-y-ness working to make that happen.

 

To showcase the rapid speed of development… In the span of two weeks, Ladybird added over 12,000 new (passing) web-platform-tests. You’ll note on this bar chart that Ladybird is quickly catching up to Firefox.

It’s not there yet… but, at the current rate? We may have a usable Ladybird — for most daily browser uses — before you know it.

Just to put that all in perspective, here is the first iteration of Ladybird a few years back:

 

Now go take a look at those other screenshots again.

Come a long way, eh?

There’s a lesson here.

When an army of people shout, in unison, that something cannot be done… ignore them and hand somebody your beer.