
New Tea app hack reveals women’s personal information, phone number

A few days after thousands of user images and locations leaked from apparently archived app data, the women-only safety app Tea is being exposed at a larger scale than originally reported.

In addition to exposing thousands of user verification images and personal IDs, which were later abused by users on platforms such as 4chan, the app’s recent security flaws have made it possible for hackers to access private messages between users. An independent security researcher verified by 404Media was able to extract conversations from a second database sent last week, including sensitive information such as shared phone numbers, conversations about intimacy, and discussions about abortion.


Researcher Kasra Rahjerdi also gained access to backend application features, such as the ability to send large-scale push notifications to user devices. They told 404Media that the second vulnerability persisted until late last week, around the time of reporting the initial hack.


Tea said in a statement released on Friday that it is addressing the first database vulnerability and that it has not exposed current user data. “We are continuing our efforts to curb this incident and have conducted a comprehensive investigation with the assistance of external cybersecurity companies. We have also contacted law enforcement and are assisting their investigation. Since our investigation is in an early stage, we have no further information during this time.”

The Tea app has recently attracted popularity after the controversy over alleged “disguised” apps. Prior to the breach, some users focused on the app’s storage of personal information (about both the users themselves and the men discussed), while others supported women-only spaces online for sharing stories and protecting each other’s safety.

But while debate about the app’s efficiency flared, online users took advantage of the app’s vulnerable security system to target its female user base. Shortly after the first breach was reported, hackers seized geolocation information stored in the legacy database to explicitly doxx users, who are promised anonymity upon making an account so that they can more comfortably share warnings about encounters with men, and have since created a nationwide map with the locations of Tea users. Others have extracted personal images from the databases to mock them on public forums, while some have created imitation apps designed for men to discuss details of women’s bodies.


