Source URL: https://simonwillison.net/2025/Jul/26/official-statement-from-tea/#atom-everything
Source: Simon Willison’s Weblog
Title: Official statement from Tea on their data leak
Tea is a dating safety app for women that lets them share notes about potential dates. The other day it was subject to a truly egregious data leak caused by a legacy unprotected Firebase cloud storage bucket:
A legacy data storage system was compromised, resulting in unauthorized access to a dataset from prior to February 2024. This dataset includes approximately 72,000 images, including approximately 13,000 selfies and photo identification submitted by users during account verification and approximately 59,000 images publicly viewable in the app from posts, comments and direct messages.
Storing and then failing to secure photos of driving licenses is an incredible breach of trust. Many of those photos included EXIF location information too, so there are maps of Tea users floating around the darker corners of the web now.
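The EXIF point deserves a concrete mitigation. As an added example (not code from Simon's post or from Tea), this is a pure-Python JPEG rewriter that drops every Exif APP1 segment, so images kept server-side never carry GPS coordinates even if the bucket they sit in is later exposed. The sample JPEG bytes are constructed here for illustration and contain only a GPS IFD pointer, not a real photo.

```python
"""Drop Exif metadata (which carries GPS tags) from JPEG bytes before storage."""

SOI, EOI, SOS, APP1 = 0xD8, 0xD9, 0xDA, 0xE1
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))  # markers with no length field

def _segments(data: bytes):
    """Yield (marker, raw_bytes) per JPEG segment; the SOS segment is yielded
    together with all the entropy-coded data after it, to be copied verbatim."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker in STANDALONE:
            yield marker, data[pos:pos + 2]
            pos += 2
            continue
        if marker == SOS:
            yield marker, data[pos:]
            return
        length = int.from_bytes(data[pos + 2:pos + 4], "big")  # counts itself
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length

def _is_exif(marker: int, seg: bytes) -> bool:
    return marker == APP1 and seg[4:10] == b"Exif\x00\x00"

def has_exif(data: bytes) -> bool:
    return any(_is_exif(m, s) for m, s in _segments(data))

def strip_exif(data: bytes) -> bytes:
    """Return the JPEG with every Exif APP1 segment removed; pixel data untouched."""
    return b"\xff\xd8" + b"".join(s for m, s in _segments(data) if not _is_exif(m, s))

def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed sample (not a real photo): JFIF APP0, an Exif APP1 whose IFD0 holds a
# single entry, the GPSInfo IFD pointer (tag 0x8825, little-endian), then a SOS
# header followed by dummy scan bytes and EOI.
SAMPLE_EXIF = (b"Exif\x00\x00" + b"II*\x00\x08\x00\x00\x00" + b"\x01\x00"
               + b"\x25\x88\x04\x00\x01\x00\x00\x00\x1a\x00\x00\x00" + b"\x00\x00\x00\x00")
SAMPLE_JPEG = (b"\xff\xd8"
               + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
               + _segment(APP1, SAMPLE_EXIF)
               + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56" + b"\xff\xd9")
```

This handles JPEG only; for PNG, HEIC and other formats, or to also drop XMP and IPTC blocks, re-encoding through an image library at upload time is the more general approach.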
I’ve seen a bunch of commentary using this incident as an example of the dangers of vibe coding. I’m confident vibe coding was not to blame in this particular case, even while I share the larger concern of irresponsible vibe coding leading to more incidents of this nature.
The announcement from Tea makes it clear that the underlying issue relates to code written prior to February 2024, long before vibe coding was close to viable for building systems of this nature:
During our early stages of development some legacy content was not migrated into our new fortified system. Hackers broke into our identifier link where data was stored before February 24, 2024. As we grew our community, we migrated to a more robust and secure solution which has rendered that any new users from February 2024 until now were not part of the cybersecurity incident.
Also worth noting is that they stopped requesting photos of ID back in 2023:
During our early stages of development, we required selfies and IDs as an added layer of safety to ensure that only women were signing up for the app. In 2023, we removed the ID requirement.
Tags: privacy, security, ai, generative-ai, llms, vibe-coding
Summary: The text discusses a significant data leak at Tea, a dating safety app for women, caused by a legacy, unsecured Firebase cloud storage bucket. The breach exposed sensitive user data, including selfies and photo identification submitted for account verification, many of which still carried EXIF location data. The post rejects the claim that “vibe coding” caused the incident, noting that the affected code predates February 2024, while sharing the broader concern about irresponsible vibe coding.
Detailed Description:
The statement from Tea outlines the repercussions of a recent data leak that compromised sensitive user information. Here are the major points of significance:
– **Incident Overview**:
  – A legacy Firebase cloud storage bucket was left unprotected, resulting in unauthorized access to a dataset from before February 2024.
  – The dataset includes around 72,000 images: roughly 13,000 selfies and photo IDs submitted during account verification, and roughly 59,000 images that were publicly viewable in the app from posts, comments and direct messages.
– **Privacy Concerns**:
  – Exposure of driver’s license photos is a serious breach of trust, made worse because many of the images still contained EXIF location data, which has already been used to produce maps of users’ locations.
– **Critique on Coding Practices**:
  – Some commentary has blamed the breach on “vibe coding”, the practice of building software largely by prompting an LLM and accepting its output with little review.
  – The statement makes clear, however, that the affected code predates February 2024, before vibe coding was a viable way to build a system of this kind, so the author considers it unrelated to this incident while still sharing the broader concern.
– **Security Measures Implemented**:
  – As the community grew, Tea migrated to a more robust and secure storage system; users who joined after February 2024 were not affected, but the legacy content was never migrated and remained exposed.
  – The company also notes that it stopped requesting ID photos in 2023.
– **Implications for Security Professionals**:
  – Legacy storage that is left behind during a migration still holds every byte it was given; decommissioning or re-securing it belongs in the migration plan, and periodic security assessments should cover it explicitly.
  – ID photos collected for verification were still stored years after the requirement was dropped in 2023; retention limits for such artifacts reduce the impact of a later exposure.
  – Photos should be stripped of metadata such as GPS coordinates before storage, so that an exposure of the images does not also leak where users live.
This incident serves as a stark reminder of the vulnerabilities associated with cloud storage solutions and the necessity for stringent cybersecurity measures, especially as the demand for personal data increases in online platforms.