Submitted 1 day ago by bytesonbike@discuss.online to technology@lemmy.world
https://www.404media.co/women-dating-safety-app-tea-breached-users-ids-posted-to-4chan/
Users from 4chan claim to have discovered an exposed database hosted on Google’s mobile app development platform, Firebase, belonging to the newly popular women’s dating safety app Tea. Users say they are rifling through peoples’ personal data and selfies uploaded to the app, and then posting that data online, according to screenshots, 4chan posts, and code reviewed by 404 Media.
Never upload PII to social media
Your privacy is not legally protected.
The replies in this thread are disturbing, gives me a sense that Lemmy has a misogyny problem; maybe I was naïve, but I expected outrage about 4chan doxxing women trying to protect one another, instead I see lots of revenge enjoyment as if being doxxed on 4chan is justice for … <checks notes> warning one another about dangerous men they encounter when dating?
The inability to empathize and take seriously the threats posed to women or to understand their motivation to protect one another is alarming.
There is no good faith extended, but also no evidence presented that instead of safety the app was just for gossip, it’s just taken as assumed that women are wrong for using Tea and they all deserve to be doxxed.
The Tea app is agnostic. While its purpose and main use case was made for the safety of women in the dating scene, it was inevitably used to spread exaggerated or misleading information about otherwise innocent men. Imagine being a privacy-conscious individual, and breaking up with a toxic woman. She could go on to spread lies about you and even upload pictures of you to the reverse image search/ai. So even if you were doing everything right from a privacy standpoint, you’d still end up in someone’s private database, subjected to ai training, shared with the government, or who knows what. While I do see the purpose of apps like these, they can effectively take away someone’s privacy/dignity without them even knowing about it. Now imagine being a 4channer, someone probably even more privacy-conscious than lemmings, and possibly experiencing mental disorders like paranoid schizophrenia or autism; of course they’re drawn to hacking an app that would destroy their privacy. They are not sane individuals, so this event really was inevitable.
I’ve been seeing a lot of misogony here the past week or so. It’s disheartening.
I think you are misunderstanding why people are upset.
It’s horrible that these women were doxxed.
It’s also horrible that a subset of women were doxxing men, which is what brought this negative attention to the site.
Misogyny is real in our society, misandry is real.
Saying things happen for sexist reasons when it was for a logical reason does a disservice to movements that seek equality.
The internet also cheered on the 4chan PII leak that happened recently, not becauase it’s a male dominant space, but because they do shitty things like dox people.
Your comment was on top for me in my app, so I was like “oh how bad could it be.”. Holy shit you’re not wrong, there’s some disgusting comments that are getting voted up.
I’m low-key disappointed and appalled by these community members who believe these women “deserve” it for … Trying to help each other be safer?
saw this happening here, saw it happening in reddit threads on the topic, saw it all over the media cycle in the comments.
i agree, people’s visceral backlash against this app is steeped in a deep misogyny.
watching people take somewhat valid privacy concerns as an excuse to let loose their most toxic feelings towards women used to be the sort of thing only losers or emboldened megalomaniacs did in public, even just a decade ago.
in the past years i’ve just seen all my peers, regardless of political affiliation, manipulated into a cult of outrage that serves as another hamster wheel upon which capital may spin.
imtiredboss.png
I’m all for groups of safe spaces for women. Especially when it’s designed to keep them safe while dating. I have my doubts that Tea was that. Even if it was advertised as such, “tea” is slang for the word gossip. I’ve heard stories from several sources that it was used to dox people as well. Not saying what happened to the users is right. I think some users here are just feeling smug that this might cause the app to fail or shut down.
The app enables the photos to be run through a reverse image search, enabling them to run a basic background check, check against public sex offender databases, and check for photos that might get flagged as being used in “catfishing” — misrepresenting one’s identity online.
The app also features a “Tea Party Group Chat,” which allows users to directly share information about men, and has a rating function, which allows users to share their experiences with Yelp-style reviews, awarding men a “green flag” or a “red flag.”
www.cnn.com/2025/07/…/tea-app-dating-privacy-cec
It’s a bit like Rate My Professor, but for dating.
Honestly I cyncially expect this kind of app might inevitably exist for rating people of all genders, but the reason this app exists has directly to do with the violence women face from intimate partners.
The point is that men who are enjoying the doxxing of women who have used this app are ignoring the context, or even have a warped sense of the context, as if this is narrowly about (legitimate) privacy concerns.
Even if the concerns about the app are justified, the revenge enjoyment betrays a much harder to defense view that all the women who used the app are equally cupable, or that doxxing women using the app is equivalent to women doxxing abusive men through the app.
Men are not all equally privileged, but there is a broad inequality both to how violence is distributed and how that plays out in dating situations. Women are not wrong to fear men. One in three women have experienced sexual or physical violence, most of that violence being perpetuated by men.
Since this is the context for the use of this app, it’s not neutral to doxx its users or to claim it’s fair because men feel (legitimate) concerns about the app’s privacy violations.
Could you share said sources? It’s irrelevant though because justifying this doxxing SHOULD mean that the entirety of 4chan is a justifiable dox target. If you don’t believe that, then you should be against it happening against Tea users. They’re at the very least guilty of the same thing (in this case. 4chan is guilty of much more heinous things than just this).
Tea could easily be used for two extremely different purposes:
The idea of Tea isn’t bad-- I’ve thought about the potential utility of similar apps myself-- but most people who are reacting badly are recognizing that it’s a nearly impossible moderation problem that will be used for bad things too.
of course, the app has obvious problems, but I don’t see that as justifying the gloating and sense of revenge enjoyment happening.
Instead I see a kind of discontent about women I find concerning, which seems ignorant of the widespread violence women experience or what it’s like for women who take risks when dating men.
Men are not all equally problematic or privileged, but they are generally in a position of power relative to women and are acting like the victims here.
They should direct their discontent to patriarchy which creates the situation where violence against women is dismissed or accepted, and which motivates women to use apps to check if the person they are dating has a history of violent behavior.
Patriarchy which perpetuates the narrative that men are natural predators and women natural prey is what victimizes men here, not the women who rightfully fear and feel victimized by the minority of men who are violent.
Why is everything we do, when we band together, seen as suspect and dangerous?
“gossip” is for safety. It’s often information that men don’t shared so it’s painted like it’s bad. Claiming women shouldn’t gossip is just more misogyny.
There is some of that happening, like when women get together and discuss how they’re being treated it’s “gossip” and inherently immoral.
I think some men might read what you’ve said and think you are denying any toxic gossip exists, it’s important to have nuance and not alienate men who otherwise would be allies, but I think overall your point is well taken.
And even if it was purely a gossip app, an eye for an eye leaves the whole world blind.
This comment is one hour old, let’s give you my SS and CC info
??
This is why there should be a nationwide rule that PII data should be deleted after the users identity has been verified
What are the chances of this being the main reason for the app’s existence?
Seeing as the word hack is doing a lot of heavy lifting. They didn’t bother to actually secure the data and then put it on the internet for anyone to access.
People sign up to app intended to share personal information about others without their permission, end up having their own personal information shared without permission - the irony is impressive.
I think it depends on people's intent and purpose for using this service. I'm overall not a fan of someone taking and sharing pictures of me without my consent, or making claims that can't be defended...
The group of women legitimately using it for safety is fine, in a general sense.
The group of women using it as gossip and entertainment is not.
Considering that “tea” is common slang for gossip I’m not convinced there was many of the latter.
It makes sense using it for safety, but I would worry about whether all the information on there is accurate. Most of the feedback on the app is probably negative, I doubt anyone would really post anything on Tea that’s positive about their former partner. But people like to believe they are in the right. Someone who got in a fight with their partner might post something on Tea that isn’t accurate, but makes them feel better since they can spin the story how they want, and make the other person at fault. However, unlike regular social media, the person being attacked by their partner on Tea has no idea that it happened, and no way to refute what was said. It promotes the opposite of any type of communication between partners after a fight or breakup. It promotes safety, but at the same time it promotes some toxicity in relationships. What would you think if you knew that if your got into a disagreement with your partner that you could end up posted on this app, without any way of arguing back?
At first I was going to call bullshit because I thought you were exaggerating and being ridiculous.
Nope. That’s the app. “Anonymous” sharing of pictures and info of other people. Presumably without their permission. That’s fucked up.
Yeah. I mean, I get it. The concept of the app makes sense. And I would be that, on average, it is/would be used for good.
On the other hand, as a guy, the idea that people are out there sharing reviews of me as a person on the open internet, and I have no way of knowing this, is deeply unsettling. Like, I haven’t done anything wrong - just the whole concept feels very gross.
This is what happens when you decide to vibecode a service with zero attention to safety or web development. This is why you don’t immediately jump onto a new service without it being vetted properly. Now one of the worst communities on the Internet is in possession of over a hundred thousand women’s driving licenses and faces. This is going to be an absolute disaster.
This is ALSO why no service should ever require or get my driver’s license information. Fuck that. Also, yet another Constance to those who can’t afford a car or want to improve the environment by living car free.
Instead, just prove you have a credit card by submitting the details. Also totally safe. Be sure to include the CVV, please!
My only exception to that are uber drivers. But then again we live in an age where somehow better help has become popular, even though they sell your data.
The only site I ever felt comfortable scanning shit like that into was a site that sold things only to military/medics/fire fighters so I had to upload my medic license and my FF cert.
Anything beyond that is a no go from me.
Now now, I like to shit on vibecoders too but let’s not pretend this is some new problem.
Idiots leave databases on cloud servers exposed all the time rather than deal with their companies often arcane rules for generating certificates
Remember when the government published SSNs in HTML? zdnet.com/…/missouri-will-not-prosecute-hacker-re…
Where do you think the AI learned it?
Like, I get that competent coders do it too, but now any skiddie with an idea can cosplay as a developer so this is going to be so much more prevelant
To be fair, I’m not sure why firebase even has a public access option. That’s a recipe for issues.
Though if it’s anything like Google Cloud Store, they hopefully make it very clear that your bucket is public.
“Vibe coded” you just made that up didn’t you, because you don’t like llms. I don’t see anything in the article about “Ai” and this service has been operating for 2 years.
My thoughts as well. But hey, it’s lemmy! Just accuse someone of doing something we hate, good to go!
The og 4chan post brought up the vibe coding. Using it as an insult to quality is wider spread than just lemmy.
Maybe I shouldn’t have used the term vibe coded. I apologize.
How is something “vetted properly” and how do I find out about that?
This is something I worry about all the time as well, especially since I’ve started to learn how to code and experienced how easy it is to mess up and send a list with all registered users to everyone opening a page. (This was in a test environment.)
As a user, there is no proper way I know of to verify an app’s security. Most apps are closed source, but even if you could view the code, what would you look for?
Both Apple and Google have a verification process for apps that are published in their app stores, but if these worked, we wouldn’t see this happening.
There are academic researchers working on apps and privacy as well, but it’s not like you can ask them for a report on an app you’re thinking of installing.
I think it basically comes down to trust. Check if a developer has messed up in the past and how they dealt with that, that sort of stuff. And for dating apps there is this interesting article: privacyguides.org/…/queer-dating-apps-beware-who-…
It’s a long read (haven’t fully read it myself yet) and it paints a bleak picture, but that’s the world we live in today.
You wait a while until something like this happens.
I honestly don’t understand what op is talking about.
Leaks happen all the time, even in billion dollar companies.
I don’t quite understand the outrage in the thread. I’ve been looking through the comments, trying to see if this ever went beyond gossip and I can’t find anything.
From my understanding the app was intended to be a safe space for women to discuss dating. Relaying information about dangerous individuals, or people who cheat. I can imagine that things might have gotten slightly out of hand in regards to anonymous gossip, but is that anything compared to being doxxed? Besides, women, and men have been gossiping behind each others backs for as long as humans have existed. An anonymous app makes it significantly worse certainly, but it is what it is. This behavior is always going to exist for better or for worse. For example, people already discuss this on sites like fetlife since the risk of ending up with someone who wants to batter you for the sake of battering you is somewhat high there.
Surely we can have some sympathy for people who have had their identifications doxxed by 4chan who haven’t done anything worse than a bit of toxic gossip at most?
you’re right as far it’s intentions go. I honestly couldn’t give a rats ass about what it intended to do what I have a MASSIVE issue with is that it did the EXACT opposite of what it “intended to do.”
It didn’t provide Women with a “safe space” because women’s government issued IDs and their personal selfies were, quite literally, OUT IN THE OPEN. It opened Women who used the app to way more harm.
Their database, and i’m being extremely generous when I call it that, wasn’t even password protected. not even a simple plain text password like “password123” there was NO password. at all. period. All I would have had to do was simply see where the app sent the scanned ID’s, open a terminal, SSH into it WITHOUT A PASSWORD OR KEY, and then I now have access to the IDs of over 13,000 Women. Hell I probably wouldn’t have even had to SSH into it, probably could have opened the damn thing from a web browser.
So when the media is saying 4chan “leaked” this stuff again they’re being generous. It’s like if you were walking down the street that Tea lived on and you noticed they left their door wide open so you decided to peak your head inside and while peaking your head in you noticed a box right by the door that had thousands of IDs in it so you picked up the box and walked out. Chances are other people got to this box before 4chan did, many people probably did, it’s just that 4chan were the only ones to say “Hey I found this house with a wide open door and decided to pick up this box with all these IDs in it, neat huh?”
None of this is what I am discussing. I’m talking about the people in the thread who are saying that these people deserved this.
Maybe I’m just getting old, but the idea of “verifying” my real identity to a faceless website or mobile app is abhorrent.
I guess it doesn’t help that governments in some countries (UK, Australia that I know of) are encouraging this bullshit with Trojan horse laws claiming to protect children from adult websites / social media.
Can’t help but think there is also an element of pot meet kettle here, when users of an app designed to dox and slander people without their knowledge are now the ones getting doxxed themselves.
California, Utah, Texas all have laws now requiring age verification to use an app store
I’d be interested to know how that works with F-Droid or Aurora.
If you think that’s the same thing, you don’t understand at least on of those things, but safe money is both…
What if they take people's biometric aka fingerprint and to view nsfw stuff you goota use the biometric and I am not talking about passkey
How does having my fingerprint prove my age.
The issue is, at some point, they have to connect your “digital you” to your self as a real person, after that they can track you, keep tabs on you. If that data was ever stolen, or a corrupt government rose to power, you’re really screwed.
What if they fucked right off and left parenting what kids do on their devices to their parents?
I had been under the impression that 4chan had also basically died due to their own site getting hacked
It’s not like it was a complicated site, they just rebuilt it in some modern framework on the cheap.
That which has no life can never truly die (or something)
the site got hacked and most of the admins were revealed to have .gov emails but everyone pretty much already expected that so nobody actually cared and it’s back to business as usual
Oh my god that’s… So stupid, i hate this time line.
Dirty water that would behave no different if you sifted out the proteins.
Wow that was fast.
I did not even know this app existed untill about 8 hours ago.
Already comprimised.
this arguably is not even largely a hack.
While I agree in principle, I think we should still call it a hack. As in “to gain illegal access to (a computer network, system, etc.)” as Merriam-Webster puts it. It shouldn’t be legal to do do this just because the website had horrible (non-existent) security. You shouldn’t be allowed to rob a house just because the door wasn’t locked.
if that’s truly how the leak happened then these people, in any reasonable jurisdiction, would be considered criminally negligent, at the least.
yay compsci ethics courses :D
boo courts failing to uphold the law >:(
Hooray two tiered legal system, huzzah!
/s/s/s
I would not under any circumstances give my drivers license to a for profit app. I don’t even like to give my email.
apparently there’s some law in the UK that mandates it now 🙄
Well UK, have the day you voted for I guess
Also California
Thank fuck for VPNs, although it now wants to show me hot milfs in Brussels.
Not sure if this is ironic that the users are now less safe after using the safety app. But I still feel bad for the users. Dating is hard enough without the fear of being harmed.
Protecting our users’ privacy and data is our highest priority. We are taking every necessary step to ensure the security of our platform
Since sensitive data was put on a public bucket, maybe they meant it was their lowest priority?
My friend came over and told me a story about this crazy date she was on. The guy love bombs her, sets her up with a massage, then in the morning, goes out and eats McDonalds alone and ghosts her. Then repeats every few weeks with love bombs.
I shared that with my discord group and someone said they know that guy too.
Im assuming that’s what Tea is for.
Wait what? How does one ghost and then repeat love bombing? Also why is eating breakfast alone remarkable? Tf is happening?
…eats McDonalds alone and ghosts her. Then repeats every few weeks with love bombs
Something something “cheat day”
I thought 4chan shut down permanently like 2 months ago?
Cancer can return after going into remission for a while.
They found someone to update the PHP version to one released this decade.
Stay classy, 4chan. /facepalm
Self proclaimed “5 star man” Dennis Reynolds is the top suspect
I made an account on this thing to lurk, bc obviously who wouldn’t be curious? I guess I’m screwed now. Rip.
JackbyDev@programming.dev 43 minutes ago
I can’t open the article, but I think I read that this was hosted on an unprotected bucket. Assuming that’s correct I wouldn’t say this was a breach. A better headline would be “Women dating safety app ‘Tea’ exposed women’s PII”.
To be 100% clear, I’m not excusing the hackers. I don’t believe it’s morally correct to publicize something because it is exposed. For folks curious about that you can look into how to ethically disclose vulnerabilities. I still view this as doxxing. I still believe what the hackers did should be a criminal offense, it’s just that I also believe the app holds a ton of the blame as well. How can you proclaim to be about keeping women safe while putting them at risk? That should be punished as well.
Like if the storage facility you trusted to hold your stuff never had locks on the doors, shouldn’t they take a lot of the blame as well as the thief who found out a door was unlocked?
hopesdead@startrek.website 40 minutes ago
The bigger problem is trying to get the mainstream that would read an article like that to understand the technical difference between hacking and accessing unsecured data.