Women dating safety app 'Tea' breached, users' IDs posted to 4chan

Nature of the App: Safety Tool or Gossip/Doxxing Platform?

  • One camp frames Tea as a digital “whisper network” for women to warn each other about stalkers, abusers, and dangerous dates where formal systems (police, courts) routinely fail.
  • Others see it as a one‑sided “slam book” or Kiwi Farms–style reputation weapon: anonymous, unverified accusations against individuals who often don’t know they’re listed, with no meaningful recourse.
  • Critics argue that even if the intent is safety, the incentives for revenge, attention, and mob justice are strong, making systematic abuse likely at scale.
  • Several note similar apps (Peeple, Lulu) and invite‑only WhatsApp/Telegram groups; informal groups rely on trust webs, while public apps cannot.

Breach Mechanics and Scope

  • Commenters say this wasn’t a sophisticated hack but an egregious misconfiguration: ID photos and other data in a public Firebase bucket, API keys in the shipped app, and unencrypted data in a publicly reachable database.
  • Shared links describe 20–60 GB torrents including driver’s licenses, selfies, GPS metadata, chat logs, and a geo‑map of ~30k users.
  • Some suggest an “old bucket” explanation, but others note the volume and recency of data make that implausible. Many call it “vibe coded slop.”
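
The misconfiguration class described above can be caught before release with a rules lint; the sketch below is an added example, not code from Tea or from the thread, and it flags Firebase Storage security rules that grant access without authentication. It assumes the exposure came from permissive security rules, which the discussion does not specify; both rule sets and the `id_uploads` path are constructed for illustration.

```python
import re

# Constructed sample: every object in the bucket is world-readable and writable.
WEAK_RULES = """
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if true;
    }
  }
}
"""

# Constructed sample: only the signed-in owner may upload; clients can never read back.
HARDENED_RULES = """
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /id_uploads/{userId}/{fileName} {
      allow create: if request.auth != null
                    && request.auth.uid == userId
                    && request.resource.size < 10 * 1024 * 1024;
      allow read, update, delete: if false;
    }
  }
}
"""

ALLOW = re.compile(r"allow\s+([a-z,\s]+?)\s*(?::\s*if\s+(.*?))?\s*;", re.S)
COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)

def open_grants(rules_text):
    """Return (operations, reason) for each allow statement that needs no auth."""
    findings = []
    for ops, cond in ALLOW.findall(COMMENT.sub("", rules_text)):
        ops = ",".join(o.strip() for o in ops.split(","))
        cond = " ".join(cond.split())
        if cond == "":
            findings.append((ops, "no condition"))  # a bare allow always grants
        elif cond == "true":
            findings.append((ops, "if true"))
        elif cond != "false" and "request.auth" not in cond:
            # Heuristic: a condition that never consults the caller's identity.
            findings.append((ops, "condition ignores request.auth"))
    return findings

if __name__ == "__main__":
    print("weak:", open_grants(WEAK_RULES), "hardened:", open_grants(HARDENED_RULES))
```

Run as a CI gate, a non-empty result should block the deploy; the `request.auth` check is a heuristic and will also flag rules that delegate to helper functions, which then need manual review.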

IDs, PII, and Changing Norms

  • Strong pushback against normalizing ID uploads to random apps; nostalgia for earlier internet norms of pseudonymity.
  • Others note ID scans are already routine (employment checks, hotels, alcohol purchases), so leaks are inevitable; treat PII as “poison” or “currency” and minimize storage/retention.
  • UK age‑verification laws and similar moves are cited as previews of how badly this can go when ID is tied to sensitive activity.

Law, Liability, and Platforms

  • Widespread calls for heavy fines, GDPR‑style rules, and even personal liability for executives and possibly engineers when sensitive data is carelessly stored and leaked.
  • Section 230 is debated: general consensus that Tea likely has platform immunity in the US, while individual posters remain exposed to defamation suits; outside the US (esp. EU), legality is seen as doubtful.
  • Many question why Apple/Google allowed an app built around doxx‑adjacent, unverified accusations to reach the top charts while enforcing strict standards on other apps; accusations of double standards and pure profit motive.

Gender, Safety, and Double Standards

  • Heated argument over whether the app primarily protects women from real, under‑prosecuted violence or primarily enables false/vengeful allegations that can quietly destroy men’s reputations (e.g., hiring decisions influenced by the app).
  • Some emphasize high rates of violence against women and low conviction rates; others highlight domestic abuse and false accusation risks for men, arguing a male‑only “review women” app would be instantly banned.
  • A recurring theme: reputation systems without accountability for accusers are inherently dangerous, regardless of which gender they target.

Broader Lessons and Proposals

  • Suggestions include mandatory third‑party security audits above a user threshold, forced public postmortems after breaches, prominent in‑app breach disclosures, and app‑store level security certifications.
  • There is tension between: “users should know better than to upload IDs” and “blaming users for trusting an ostensibly safety‑focused app is victim blaming.”
  • Many expect major lawsuits; some hope this becomes a turning point in treating data exposure as real, punishable harm rather than an acceptable cost of doing business.