The “Tea App” — an online dating app marketed as a dating tool that “protects women” — has been hacked. And a lot of data has been exposed. An extreme amount.
Not the first major breach this year. And it certainly won’t be the last.
First published over on 4Chan (of course), the “hack” of Tea App wasn’t even really much of a “hack”. The developers of Tea App apparently simply left the user data open for the world to download at their leisure.
And Tea App was becoming pretty popular — which means roughly 60 GB of user data was made available before the developers finally thought about locking things down.
What kind of data was made publicly available — because, presumably, the developers simply didn’t think about “security” much — by this Tea App Hack?
Selfies. Drivers licenses. All manner of private information which will, no doubt, be exploited by unscrupulous types over the days to come.
Even worse — meta data appears to have been preserved on uploaded photos. Meaning that many of the user selfies included location data (in addition to the address on the drivers license). Which said unscrupulous types have already begun using to create maps of Tea App users.
The developers of Tea App have put out a statement which says 59,000 images used for “account verification” were made available (read: Government ID). Which would already be catastrophic… however a quick look at details of the data (including the file size alone) would suggest that number could be much, much larger.
Here is the full statement from the developer:
Which brings us to an important lesson which we — as humans — never seem to learn:
If user data is stored, it will get hacked.
It’s simply a matter of time.
There are currently close to 15 Billion (with a B) accounts listed on Have I Been Pwned. And those are simply from hacks and breaches which were reported to that one website.
The reality is, the vast majority of hacks and data breaches are never made publicly known. Either by the people doing the hacking, or by the company / government which got hacked.
As systems continue to grow ever more complex and interconnected — and more systems become AI-developed (aka “Vibe Coded”) — these hacks and breaches become easier to pull off.
Combine that with the ever-expanding quantity of data — and the growing number of services storing it — and we are quickly reaching a point where everyone will have at least some of their data breached at some point. For some people it will happen regularly. Repeatedly.
And those will just be the breaches we find out about.
The only way to minimize the damage of such hacks & breaches is to minimize the amount and type of data stored, long term, by a service.
Need pictures of government ID for age verification? Delete that picture immediately after verification.
Need payment and shipping information? Delete all of it immediately after payment is processed and shipment is verified.
Need location data (GPS, IP, etc.)? Delete it immediately once done with it.
You get the point. Unless a piece of personal data is absolutely 100% necessary, delete it.
It’s hard for a hacker to obtain files… that aren’t there.
