Tea app leak worsens with second database exposing user chats

The Tea app data breach has grown into a far bigger leak, with the stolen data now shared on hacking forums and a second database found that allegedly contains 1.1 million private messages exchanged between the app’s members.

The Tea app is a women-only dating safety platform where members can share reviews about men, with access to the platform granted only after providing a selfie and government ID verification.

On Friday, an anonymous user posted on 4chan that Tea used an unsecured Firebase storage bucket to store drivers’ licenses and selfies uploaded by members to verify they are women, as well as photos and images shared in comments.

The user shared a Python script that could be used to download the data from the now-secured storage bucket.

In total, over 59 GB of data was exposed in the leak, with Tea confirming in a public statement that it affects users who signed up before 2024.

“A legacy information storage system was compromised, leading to unauthorized entry to a dataset from prior to February 2024,” reads a security breach announcement.

“This dataset consists of roughly 72,000 pictures, together with roughly 13,000 selfies and photo identification submitted by customers during account verification and roughly 59,000 pictures publicly viewable within the app from posts, feedback and direct messages.”

The platform states that selfies were not deleted as expected, in order to comply with law enforcement requirements related to cyber-bullying prevention.

Threat actors have now begun sharing torrents of the leaked data on hacking forums, potentially exposing the app’s members to social engineering attacks.

BleepingComputer has confirmed that the shared data contains driver’s licenses, selfies, and message attachments.

To make matters worse, 404 Media now reports that an additional database was found containing 1.1 million private messages sent between users on the Tea platform.

This database contains much more recent data, ranging from 2023 to last week, and reportedly includes messages discussing sensitive topics, such as those about abortions, cheating husbands, and two-timing boyfriends.

Kasra Rahjerdi, the researcher who discovered the new database, told 404 Media that any Tea user could access the stored user data using their own API key.

According to 404 Media, it is possible to identify users based on social media profiles, phone numbers, or other personal details revealed in the messages.

What was meant to be a safe space for women has now become a tool to embarrass them, with someone even creating a “facesmash”-style website where visitors can rate the selfies exposed in the leaked data.

Tea says they continue to work with third-party cybersecurity experts to contain the incident and conduct an investigation into the attack.

The app says that it also notified law enforcement, who are assisting with the investigation.