Women's Tea App hacked by 4klan UPDATE 7/28: HACKED AGAIN! DMS LEAKED!

RamsayBolton

https://www.404media.co/women-dating-safety-app-tea-breached-users-ids-posted-to-*****/

Tea, which claims to have more than 1.6 million users, reached the top of the App Store charts this week and has tens of thousands of reviews there. The app aims to provide a space for women to exchange information about men in order to stay safe, and verifies that new users are women by asking them to upload a selfie.

“Yes, if you sent Tea App your face and drivers license, they doxxed you publicly! No authentication, no nothing. It's a public bucket,” a post on ***** providing details of the vulnerability reads. “DRIVERS LICENSES AND FACE PICS! GET THE fukk IN HERE BEFORE THEY SHUT IT DOWN!”

The thread says the issue was an exposed database that allowed anyone to access the material. While reporting this story, a URL the ***** user posted included a voluminous list of specific attachments associated with the Tea app. 404 Media saw this list of files. In the last hour or so, that page was locked down, and now returns a “Permission denied” error.

404 Media verified that Tea does contain the same storage bucket URL that ***** claims was related to the exposure. 404 Media did this by downloading a copy of the Android version of the app and decompiling its code.

The ***** post includes a photo of four women’s drivers’ licenses that the ***** user said they redacted. But comments in the ***** thread indicate that many more photos of Tea users have been exposed, with one person claiming they have downloaded thousands. We’ve also seen ***** users share dozens of photos of women they claim they downloaded from the database, which all share the same image dimensions and file naming format we saw in the file list in the exposed Google Firebase bucket. 404 Media did not load any images from the database itself.


UPDATE 7/28:

The Tea app data breach has grown into an even larger leak, with the stolen data now shared on hacking forums and a second database discovered that allegedly contains 1.1 million private messages exchanged between the app's members.

This database contains much more recent data, ranging from 2023 to last week, and reportedly includes messages discussing sensitive topics, such as those about abortions, cheating husbands, and two-timing boyfriends.

Kasra Rahjerdi, the researcher who discovered the new database, told 404 Media that any Tea user could access the stored user data using their own API key.

According to 404 Media, it's possible to identify users based on social media profiles, phone numbers, or other personal details revealed in the messages.
 

klientel

ryan-reynolds-but-why.gif
 