There is a new Tea data breach and it includes private messages, because of course it does.

I also nearly dislocated an eyeball with my side-eye when I read that Tea requires users to upload a selfie to "prove they are a woman."

https://www.404media.co/a-second-tea-breach-reveals-users-dms-about-abortions-and-cheating/

A Second Tea Breach Reveals Users' DMs About Abortions and Cheating

The more than one million messages obtained by 404 Media are as recent as last week, discuss incredibly sensitive topics, and make it trivial to unmask some anonymous Tea users.

404 Media
@evacide Wow, that's atrociously incompetent.

@evacide Yeah, I would LOVE to see the internal guidance on what markers to use in making that decision. Because surely that decision is being made by a human being and not an algorithm, right?

…right? 🙃

@evacide the optimist in me says they're making sure the faces look alike and looking for the gender marker? Obviously still problems there
@harborsec So much to unpack.
@evacide let your eye get some rest, you'd undoubtedly need it for something crazy next week.
@evacide Different book, same story

@be_far @evacide

I am laughing so hard about this.

@be_far @evacide Petition to make 91.66% the new 52–48.
@be_far @evacide Horribleness of this whole thing aside, the adoption of "AI" as a generic term for using computation is truly annoying.
@evacide Oh. My. Word. Utterly, utterly irresponsible. The irony is so painful.
@evacide they WHAT

that is such a bad idea on so many levels...
@evacide is this app owned by a man? There's no way these "leaks" aren't on purpose at this point.
@evacide Can I qualify for a replacement desk? I broke mine due to head-desking way too hard...

How people can make such poor engineering decisions is beyond me.

@evacide Any site which claims "No screenshots" (trivially bypassed) as a feature clearly cares more about the appearance of security than actual security.

This also shows why requiring users to submit IDs is a recipe for disaster.

It also assumes trans women can get identification with their correct gender, which is getting harder in the US and UK. Though, given the owners' disregard for their users' safety, I doubt they care.

@ipt @evacide Article mentions a new API key. So the breach was an API key (S3 bucket or similar?) burned into the app, rather than the app calling a backend which gates access to the data?

At what point should extreme security negligence be a prosecutable offense?

@evacide for real we're trying to use photos to determine gender? That's gonna be a HUGE success, I'm sure. 😂
@evacide they also did not seemingly strip EXIF metadata, if some of what I was seeing elsewhere was to be believed - which opens up the risk of location being tied to those users.
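The EXIF concern raised in the post above is concrete enough to show in code. The following is an added example, not code from the thread or from Tea: it walks the JPEG segment structure with only the standard library, reports whether the Exif IFD0 carries a GPS sub-IFD pointer (tag 0x8825, the tag a camera or phone uses to hang latitude and longitude off the image), and strips every APP1 segment (where both Exif and XMP live) before the file would be stored or served. The sample JPEG is constructed inline with a minimal header layout so the example runs offline; it is not a decodable photo, and the `make_sample_jpeg`, `exif_has_gps` and `strip_exif` names are this example's own.

```python
import struct

SOI = b"\xff\xd8"            # JPEG start-of-image marker
APP1 = 0xE1                  # segment type carrying Exif (and XMP) metadata
SOS = 0xDA                   # start-of-scan: entropy-coded pixel data follows
GPS_IFD_POINTER = 0x8825     # IFD0 tag whose value is the offset of the GPS sub-IFD


def _walk(data):
    """Return (segments, tail_pos): each header segment as (marker, start, end),
    plus the offset where the scan data begins so it can be copied through untouched."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG (missing SOI)")
    segments, pos = [], 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == SOS:
            break
        # segment length field counts itself (2 bytes) but not the marker
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segments.append((marker, pos, pos + 2 + length))
        pos += 2 + length
    return segments, pos


def exif_has_gps(data):
    """True if an APP1 Exif block's IFD0 contains a GPSInfo pointer entry."""
    for marker, start, end in _walk(data)[0]:
        if marker != APP1 or data[start + 4:start + 10] != b"Exif\x00\x00":
            continue
        tiff = data[start + 10:end]                      # TIFF header starts here
        endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # byte order flag
        if endian is None or len(tiff) < 8:
            continue
        ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
        if ifd0 + 2 > len(tiff):
            continue
        count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
        for i in range(count):                           # each IFD entry is 12 bytes
            entry = tiff[ifd0 + 2 + 12 * i: ifd0 + 14 + 12 * i]
            if len(entry) < 2:
                break
            if struct.unpack(endian + "H", entry[:2])[0] == GPS_IFD_POINTER:
                return True
    return False


def strip_exif(data):
    """Copy of the JPEG with every APP1 segment dropped; scan data is left as-is."""
    segments, tail = _walk(data)
    out = bytearray(SOI)
    for marker, start, end in segments:
        if marker == APP1:
            continue
        out += data[start:end]
    out += data[tail:]
    return bytes(out)


def make_sample_jpeg(with_gps):
    """Constructed test input: SOI, one APP1 Exif segment, one dummy DQT, SOS, EOI.
    The TIFF block is little-endian with IFD0 at offset 8 holding a single entry."""
    if with_gps:
        # GPSInfo (LONG, count 1) pointing at an empty GPS IFD placed at offset 26
        entry = struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, 26)
        gps_ifd = struct.pack("<HI", 0, 0)              # zero entries, no next IFD
    else:
        entry = struct.pack("<HHII", 0x0112, 3, 1, 1)   # Orientation (SHORT) = 1
        gps_ifd = b""
    tiff = b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", 1) + entry \
        + struct.pack("<I", 0) + gps_ifd
    app1 = b"\xff" + bytes([APP1]) + struct.pack(">H", 2 + 6 + len(tiff)) \
        + b"Exif\x00\x00" + tiff
    dqt = b"\xff\xdb" + struct.pack(">H", 5) + b"\x00\x01\x02"
    scan = b"\xff" + bytes([SOS]) + b"\x00\x02" + b"\xaa\xbb" + b"\xff\xd9"
    return SOI + app1 + dqt + scan


if __name__ == "__main__":
    tagged = make_sample_jpeg(with_gps=True)
    print("GPS present before strip:", exif_has_gps(tagged))
    print("GPS present after strip: ", exif_has_gps(strip_exif(tagged)))
```

The check and the strip are deliberately separate: the first is what a detection or triage job would run over an existing bucket to scope exposure, the second is what the upload path should do unconditionally, since an absent GPS tag today says nothing about the next upload. Stripping APP1 also removes XMP, which can carry location as well; re-encoding through an image library is the more thorough option but this shows the minimal byte-level fix.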
@evacide It wouldn't be so bad if they kept their promise to DELETE the selfies. Now there is a ranking system for selfies and a map that shows where users are with all of their personal information.
@evacide There's inevitably going to be a lawsuit, and if their legal team isn't significantly more competent than their developers, then I think Tea's demise might actually create the kind of legal precedent that's going to make other anonymous review apps think long and hard on whether they should just pivot to something more respectable, like laundering cryptocurrency or online gambling.

@evacide

From what I understand from various reports, the first "breach" was not actually a breach and instead was just data not being secured at all. Was this second "breach" actually a breach?

Also, here is the archived link that doesn't require you to sign in to read:

http://archive.today/2025.07.28-202802/https://www.404media.co/a-second-tea-breach-reveals-users-dms-about-abortions-and-cheating/

@resplendent606 @evacide
Both incidents were issues of improper exposure.

In the first, 4chan broadcast the issue and people downloaded data...one going as far as to create a site with the data and let website visitors "score" the selfies (people are horrendous).

In the second, a security researcher blew the whistle privately and responsibly, but the way it goes is to assume someone malicious may have discovered the issue as well.

@evacide why use tea in the first place???????? seems like a bait for putting your ID and face in it
@c_majalis I'm not here for victim blaming.
@evacide not their fault either tho

@evacide
They are wrecking the environment to violate our privacy in order to put more of us out of work.

I take it back. The cyberpunk authors were not that accurate. It turns out that wealthy people are substantially more evil than even they predicted.

@tofugolem @evacide We're not even getting a cool-looking hellscape out of it.
@tofugolem @evacide
Almost like some sci-fi dystopia where the spoilers have ruined the environment to watch the survivors fight amongst themselves for the chance to work at the last farm or factory…
@evacide I guess if I ever want an outside opinion on whether I pass or not, I can try to join Tea.
@evacide God, 404 Media is just *crushing it*
women's
dating
safety
app
Help I'm being drowned in red flags there's so many of them aaaarrrgggh!
@evacide Tea is gonna have blood on its hands from this shit, it pains me to say.
@evacide Good gods. Transphobic AND creepy-surveillancey.

@evacide it sounds completely unsecured. Fraudulent. the things it stated it was there to do, be a safe space, was not made safe at all. Extreme negligence. Every single client now is FAR MORE at risk, from having used the app.
Women should never trust men to give us the tools we need to protect ourselves.

Criminally negligent imo.