submitted 2 days ago by [email protected] to c/[email protected]

Users from 4chan claim to have discovered an exposed database hosted on Google’s mobile app development platform, Firebase, belonging to the newly popular women’s dating safety app Tea. Users say they are rifling through people’s personal data and selfies uploaded to the app, and then posting that data online, according to screenshots, 4chan posts, and code reviewed by 404 Media.

[-] [email protected] 44 points 1 day ago

I can't open the article, but I think I read that this was hosted on an unprotected bucket. Assuming that's correct I wouldn't say this was a breach. A better headline would be "Women dating safety app 'Tea' exposed women's PII".

To be 100% clear, I'm not excusing the hackers. I don't believe it's morally correct to publicize something because it is exposed. For folks curious about that you can look into how to ethically disclose vulnerabilities. I still view this as doxxing. I still believe what the hackers did should be a criminal offense, it's just that I also believe the app holds a ton of the blame as well. How can you proclaim to be about keeping women safe while putting them at risk? That should be punished as well.

Like if the storage facility you trusted to hold your stuff never had locks on the doors, shouldn't they take a lot of the blame as well as the thief who found out a door was unlocked?

[-] [email protected] 15 points 1 day ago

The bigger problem is trying to get the mainstream that would read an article like that to understand the technical difference between hacking and accessing unsecured data.

[-] [email protected] 16 points 1 day ago

One of the definitions of hacking is illegally gaining access to a computer system. It doesn't need to involve any sort of exploit. Stealing from an unlocked home is still stealing. Gaining access to a system by phishing is still hacking. Leaking data that is technically publicly accessible that isn't meant to be publicly accessible is still hacking.

Not that I suspect anything good from 4chan but the proper thing to do would be to disclose to Tea that their data is public and allow them to fix the problem. The ethics of vulnerability disclosure still apply when the vulnerability is "hey you literally didn't secure this at all."

[-] [email protected] 4 points 1 day ago

This reminded me of an anecdote from maybe 6 years ago. I was setting up and testing a small network and a couple devices to install for a customer, let's say the subnet was 192.168.2.0/24.

Weird things were happening, I was being lazy and wasn't directly connected to the network, may have set up a VPN between devices somewhere; can't really remember. But pings would sometimes drop or blow out to 100s of ms.

I eventually ended up disconnecting that network entirely, then the pings continued and got more stable?? WTF! I knew we didn't have that subnet in use, even checked before setting it up. In the time between checking and the issues happening, someone in Sydney somewhere had stuffed up on their router and exposed their LAN to the internet without any firewalls, just available.

Scanned and found all the IPs in use and in them found a printer. Connected to it and printed a page saying I'm from company XYZ and found all these devices available, and to either contact their IT and resolve it ASAP or my company to help. About an hour later it seemed to be resolved.

It was an interesting day.

[-] [email protected] 3 points 1 day ago

Uh... you can't just "expose a LAN network to the Internet" in this manner. Local subnets aren't routable over the Internet, so you can't just enter 192.168.2.3 and end up on somebody else's private LAN.

https://www.geeksforgeeks.org/computer-networks/non-routable-address-space/

They would have needed to either have all their internal devices being assigned public IPs or had NAT+firewall rules explicitly routing ports from their outside address(es) to the inside ones. The former is unlikely as normally ISPs don't allocate that many to a given client, or at least not by DHCP. The latter would require a specific configuration mapping the outside addresses/ports to inside devices, likely on a per device+port basis.

Either your story is missing key details or you've misunderstood/made up something.

[-] [email protected] 18 points 1 day ago

Reading these incredible comments has revealed a large piece of what was named as the reason for lemm.ee shutting down.

[-] [email protected] 102 points 1 day ago* (last edited 1 day ago)

The replies in this thread are disturbing, giving me a sense that Lemmy has a misogyny problem; maybe I was naïve, but I expected outrage about 4chan doxxing women trying to protect one another, instead I see lots of revenge enjoyment as if being doxxed on 4chan is justice for ... warning one another about dangerous men they encounter when dating?

The inability to empathize and take seriously the threats posed to women or to understand their motivation to protect one another is alarming.

There is no good faith extended, but also no evidence presented that instead of safety the app was just for gossip, it's just taken as assumed that women are wrong for using Tea and they all deserve to be doxxed.

[-] [email protected] 11 points 1 day ago

Lemmy is full of people with a lot of technical knowledge, who look down on anyone without it. Just look at their responses to someone complaining about an issue on Windows, it's just a hundred people telling you what Linux distro they use.

It's not so much misogyny, they just can't pass up the opportunity to be smug about something.

[-] [email protected] 15 points 1 day ago

It isn't the women who are wrong; it's the app developer and 4chan. But setting aside the data breach, creating a Yelp for dating is a ticking time bomb. They were going to get sued out the ass, data breach or no data breach. I don't know how many times this needs to happen, but I guess web developers have the memory of goldfish. There have been several attempts at something similar that got shut down for the obvious reasons. Making a website that rates human beings is always going to be a legal minefield.

[-] [email protected] 35 points 1 day ago

Your comment was on top for me in my app, so I was like "oh how bad could it be." Holy shit you're not wrong, there's some disgusting comments that are getting voted up.

I'm low-key disappointed and appalled by these community members who believe these women "deserve" it for ... trying to help each other be safer?

[-] [email protected] 20 points 1 day ago* (last edited 1 day ago)

saw this happening here, saw it happening in reddit threads on the topic, saw it all over the media cycle in the comments.

i agree, people’s visceral backlash against this app is steeped in a deep misogyny. most of these comments have a vapid absence of any sort of even basic recognition towards these women as people. talking about them like they’re abstract figures or test subjects up in here.

watching people take somewhat valid privacy concerns as an excuse to let loose their most toxic feelings towards women used to be the sort of thing only losers or emboldened megalomaniacs did in public, even just a decade ago.

in the past years i’ve just seen all my peers, regardless of political affiliation, manipulated into a cult of outrage that serves as another hamster wheel upon which capital may spin.

imtiredboss.png

[-] [email protected] 16 points 1 day ago

The Tea app is agnostic. While its purpose and main use case was made for the safety of women in the dating scene, it was inevitably used to spread exaggerated or misleading information about otherwise innocent men. Imagine being a privacy-conscious individual, and breaking up with a toxic woman. She could go on to spread lies about you and even upload pictures of you to the reverse image search/ai. So even if you were doing everything right from a privacy standpoint, you’d still end up in someone’s private database, subjected to ai training, shared with the government, or who knows what. While I do see the purpose of apps like these, they can effectively take away someone’s privacy/dignity without them even knowing about it. Now imagine being a 4channer, someone probably even more privacy-conscious than lemmings, and possibly experiencing mental disorders like paranoid schizophrenia or autism; of course they’re drawn to hacking an app that would destroy their privacy. They are not sane individuals, so this event really was inevitable.

[-] [email protected] 29 points 1 day ago

I'm all for groups of safe spaces for women. Especially when it's designed to keep them safe while dating. I have my doubts that Tea was that. Even if it was advertised as such, "tea" is slang for the word gossip. I've heard stories from several sources that it was used to dox people as well. Not saying what happened to the users is right. I think some users here are just feeling smug that this might cause the app to fail or shut down.

[-] [email protected] 11 points 1 day ago* (last edited 1 day ago)

The app enables the photos to be run through a reverse image search, enabling them to run a basic background check, check against public sex offender databases, and check for photos that might get flagged as being used in “catfishing” — misrepresenting one’s identity online.

The app also features a “Tea Party Group Chat,” which allows users to directly share information about men, and has a rating function, which allows users to share their experiences with Yelp-style reviews, awarding men a “green flag” or a “red flag.”

https://www.cnn.com/2025/07/25/us/tea-app-dating-privacy-cec

It's a bit like Rate My Professor, but for dating.

Honestly I cynically expect this kind of app might inevitably exist for rating people of all genders (or that dating apps might incorporate this Uber-style rating system), but the reason this app exists has directly to do with the violence women face from intimate partners.

The point is that men who are enjoying the doxxing of women who have used this app are ignoring the context, or even have a warped sense of the context, as if this is narrowly about (legitimate) privacy concerns and the harms caused by the app.

Even if the concerns about the app are justified, the revenge enjoyment betrays a view much harder to defend, that all the women who used the app are equally culpable, or that doxxing women using the app is equivalent to women doxxing abusive men through the app.

Men are not all equally privileged, but there is a broad inequality both to how violence is distributed and how that plays out in dating situations. Women are not wrong to fear men. One in three women have experienced sexual or physical violence, most of that violence being perpetuated by men.

Since this is the context for the use of this app, it's not neutral to doxx its users or to claim it's fair because men feel (legitimate) concerns about the app's privacy violations.

[-] [email protected] 13 points 1 day ago

I agree 100% that women face many more dangers especially in the dating scene than men. I'm all for having resources available for them to remain as safe as possible.

I don't see how a Rate My Professor type app would work well for dates. I feel like people would only spend the time to rate poor dates. If you had a really good date with someone, you would presumably start dating them so why would you let everyone else know they are a good person to go out with? I have no doubt there are some awful people out there that others should be warned about, but this type of app is a bit too risky to justify that in my opinion.

The background check feature sounds much more legit, but I don't think a group chat feature needs to exist alongside it.

All that being said, anyone enjoying the doxxing of others is just an asshole. There's definitely nothing fair about it from either side.

[-] [email protected] 4 points 1 day ago

Yeah, naming it "Tea" is really the cherry on top. I'd love to know more about the people behind this. It's hard to believe that anybody would be this oblivious. I guess the same kind of people who wouldn't secure their database.

[-] [email protected] 9 points 1 day ago

Well let's be honest, if someone made a gender inverse version of Tea many people would be concerned about what is being shared on the app. Honestly I find tesla disturbing and the 4chan doxing dangerous. Both sides can be bad.

[-] [email protected] 5 points 1 day ago

sorry, are men concerned for their safety dating women such that a gender inverted version of this app makes sense? Your ignorance is what I'm talking about here ...

[-] [email protected] 14 points 1 day ago

The need for it was not part of my point. The point was a gender flipped app would of course cause some outrage. Immediately there would be people cry "it's just for doxxing, stalking and revenge porn".

But to engage in some good faith dialogue. Are some men concerned for their safety? Yes.

[-] [email protected] 10 points 1 day ago

I think you are misunderstanding why people are upset.

It's horrible that these women were doxxed.

It's also horrible that a subset of women were doxxing men, which is what brought this negative attention to the site.

Misogyny is real in our society, misandry is real.

Saying things happen for sexist reasons when it was for a logical reason does a disservice to movements that seek equality.

The internet also cheered on the 4chan PII leak that happened recently, not because it's a male dominant space, but because they do shitty things like dox people.

[-] [email protected] 12 points 1 day ago

Tea could easily be used for two extremely different purposes:

  • Legitimate use to inform and protect women from abusive men
  • Illegitimate use to spread misinformation (libel!) about men with no verification of truth or reasonable appeal process

The idea of Tea isn't bad-- I've thought about the potential utility of similar apps myself-- but most people who are reacting badly are recognizing that it's a nearly impossible moderation problem that will be used for bad things too.

[-] [email protected] 8 points 1 day ago

of course, the app has obvious problems, but I don't see that as justifying the gloating and sense of revenge enjoyment happening.

Instead I see a kind of discontent about women I find concerning, which seems ignorant of the widespread violence women experience or what it's like for women who take risks when dating men.

Men are not all equally problematic or privileged, but they are generally in a position of power relative to women and are acting like the victims here.

They should direct their discontent to patriarchy which creates the situation where violence against women is dismissed or accepted, and which motivates women to use apps to check if the person they are dating has a history of violent behavior.

Patriarchy which perpetuates the narrative that men are natural predators and women natural prey is what victimizes men here, not the women who rightfully fear and feel victimized by the minority of men who are violent.

[-] [email protected] 7 points 1 day ago

I've been seeing a lot of misogyny here the past week or so. It's disheartening.

[-] [email protected] 18 points 1 day ago

Never upload PII to social media

Your privacy is not legally protected.

[-] [email protected] 25 points 1 day ago

This is why there should be a nationwide rule that PII data should be deleted after the user's identity has been verified.

[-] [email protected] 25 points 1 day ago

What are the chances of this being the main reason for the app's existence?

[-] [email protected] 27 points 1 day ago

Seeing as the word hack is doing a lot of heavy lifting. They didn't bother to actually secure the data and then put it on the internet for anyone to access.

[-] [email protected] 17 points 1 day ago

Hungry data privacy lawyers when they learned about Tea this week:

[-] [email protected] 156 points 2 days ago

People sign up to app intended to share personal information about others without their permission, end up having their own personal information shared without permission - the irony is impressive.

[-] [email protected] 17 points 1 day ago

I think it depends on people's intent and purpose for using this service. I'm overall not a fan of someone taking and sharing pictures of me without my consent, or making claims that can't be defended...

The group of women legitimately using it for safety is fine, in a general sense.

The group of women using it as gossip and entertainment is not.

[-] [email protected] 22 points 1 day ago* (last edited 1 day ago)

Considering that "tea" is common slang for gossip I'm not convinced there were many of the ~~latter~~ former.

[-] [email protected] 93 points 2 days ago

At first I was going to call bullshit because I thought you were exaggerating and being ridiculous.

Nope. That's the app. "Anonymous" sharing of pictures and info of other people. Presumably without their permission. That's fucked up.

[-] [email protected] 45 points 2 days ago

Yeah. I mean, I get it. The concept of the app makes sense. And I would bet that, on average, it is/would be used for good.

On the other hand, as a guy, the idea that people are out there sharing reviews of me as a person on the open internet, and I have no way of knowing this, is deeply unsettling. Like, I haven't done anything wrong - just the whole concept feels very gross.

[-] [email protected] 26 points 1 day ago

Especially because the app is called "tea", like the slang term for gossip. The letter of the intention may have been good but the whole thing is toxic.

[-] [email protected] 89 points 2 days ago

No sympathy from me whatsoever. The app was designed to allow these women to anonymously post personal information about other people. Fuck 'em. Turnabout is fair play. As my kindergarten teacher used to say, "you get what you get and you don't pitch a fit".

[-] [email protected] 29 points 1 day ago

If by "personal information" you mean sharing their experiences with certain people ... Yeah I guess.

They weren't sharing addresses and social security numbers or driver's license numbers or other things that would lead to identity theft.

How can you not have sympathy for these women getting doxxed because they wanted to help create a safer space for one another and to help each other out? That's wild.

This is far from turnabout, this is abuse.

[-] [email protected] 3 points 1 day ago

No, we mean "sharing what they claim is their experience and details of such"

Maybe they weren't sharing addresses and SSNs (though what's stopping them from doing so), but like anything online it's certainly not hard to make up, spin, or highly exaggerate a story to the detriment of the subject, but without them knowing about it.

So yeah, even if Sally Smith claims that "**Billy Jones of 125 South Street is a big loser who has undisclosed herpes, which who knows how he got it with that small dick of his", maybe the truth is that Billy refused to pay for an expensive meal on a first date or some other thing entirely.

This isn't turnabout (as the leak wasn't intentional), and not abuse either, but it may be a bit karmic.

** Names and story entirely made up for example purposes

[-] [email protected] 11 points 1 day ago

How dare they warn other women about rapists.

[-] [email protected] 12 points 1 day ago

I don't quite understand the outrage in the thread. I've been looking through the comments, trying to see if this ever went beyond gossip and I can't find anything.

From my understanding the app was intended to be a safe space for women to discuss dating. Relaying information about dangerous individuals, or people who cheat. I can imagine that things might have gotten slightly out of hand in regards to anonymous gossip, but is that anything compared to being doxxed? Besides, women and men have been gossiping behind each other's backs for as long as humans have existed. An anonymous app makes it significantly worse certainly, but it is what it is. This behavior is always going to exist for better or for worse. For example, people already discuss this on sites like fetlife since the risk of ending up with someone who wants to batter you for the sake of battering you is somewhat high there.

Surely we can have some sympathy for people who have had their identifications doxxed by 4chan who haven't done anything worse than a bit of toxic gossip at most?

[-] [email protected] 13 points 1 day ago

You're right as far as its intentions go. I honestly couldn't give a rat's ass about what it intended to do; what I have a MASSIVE issue with is that it did the EXACT opposite of what it "intended to do."

It didn't provide Women with a "safe space" because women's government issued IDs and their personal selfies were, quite literally, OUT IN THE OPEN. It opened Women who used the app to way more harm.

Their database, and I'm being extremely generous when I call it that, wasn't even password protected. Not even a simple plain text password like "password123", there was NO password. At all. Period. All I would have had to do was simply see where the app sent the scanned IDs, open a terminal, SSH into it WITHOUT A PASSWORD OR KEY, and then I now have access to the IDs of over 13,000 Women. Hell I probably wouldn't have even had to SSH into it, probably could have opened the damn thing from a web browser.

So when the media is saying 4chan "leaked" this stuff again they're being generous. It's like if you were walking down the street that Tea lived on and you noticed they left their door wide open so you decided to peek your head inside and while peeking your head in you noticed a box right by the door that had thousands of IDs in it so you picked up the box and walked out. Chances are other people got to this box before 4chan did, many people probably did, it's just that 4chan were the only ones to say "Hey I found this house with a wide open door and decided to pick up this box with all these IDs in it, neat huh?"

[-] [email protected] 76 points 2 days ago

Maybe I'm just getting old, but the idea of "verifying" my real identity to a faceless website or mobile app is abhorrent.

I guess it doesn't help that governments in some countries (UK, Australia that I know of) are encouraging this bullshit with Trojan horse laws claiming to protect children from adult websites / social media.

Can't help but think there is also an element of pot meet kettle here, when users of an app designed to dox and slander people without their knowledge are now the ones getting doxxed themselves.

[-] [email protected] 18 points 1 day ago

I had been under the impression that 4chan had also basically died due to their own site getting hacked

[-] [email protected] 27 points 1 day ago

That which has no life can never truly die (or something)

[-] [email protected] 17 points 1 day ago

the site got hacked and most of the admins were revealed to have .gov emails but everyone pretty much already expected that so nobody actually cared and it's back to business as usual

[-] [email protected] 6 points 1 day ago

It's not like it was a complicated site, they just rebuilt it in some modern framework on the cheap.

[-] [email protected] 95 points 2 days ago* (last edited 2 days ago)

Wow that was fast.

I did not even know this app existed until about 8 hours ago.

Already compromised.

EDIT: Also, lol, this arguably is not even largely a hack.

These idiots just had everything stored in a fucking publicly accessible firebase bucket... amazing.

They didn't delete anything they claimed to.

Either way you look at it, anywhere on the spectrum from:

A ] A bunch of women reasonably concerned for their safety

B ] A bunch of gossip mongers

... well, they've now all been doxxed, ironic from each angle.

What a fucking disaster.

this post was submitted on 25 Jul 2025
545 points (100.0% liked)