Tea Dating App Meant to Protect Women Just Became a Cautionary Tale
A breach of a women-only dating platform exposed private data to the dark web
Oh boy. I wish I didn’t have to write about this one, but news is news.
For those who don’t know, there’s a women-only social media app out there that lets users upload names and photos of men from dating apps or social media. That info gets cross-referenced with criminal records, marital status, and crowd-sourced stories from other women who have dated them.
Here’s an ad pulled from their website:
I’m not going to get into the problems with online dating or the ethics of what this app is doing. This is a cybersecurity blog. But the reality is, the service Tea offers is controversial. Most apps are focused on defending against threat actors who want to steal data for profit. Apps like this also have to defend against people who attack for fun, to make a point, or just because they can.
And someone just did exactly that.
The Breach
Tea was recently breached. Selfie photos and government IDs of the women using the app were leaked online. The very people the app was built to protect.
This wins the award for being the first disclosure I’ve seen come from a TikTok post. Not a news outlet, not a press release. The only way to find the link to the disclosure on their website is through their TikTok post.
What Went Wrong?
The root cause is one I’ve seen too many times: an old archive system. It’s no longer tied to revenue, so no one prioritizes securing it. But they keep it online anyway, for the sake of compliance. Is that really necessary?
Just because you’re required to store data for legal reasons doesn’t mean it has to be online and accessible at all hours of the day for the rest of time. It doesn’t. Archive it properly. Store it offline. Bring it back only when a formal legal request comes in. What you shouldn’t do is leave it sitting on a live server forever just so you can run a report when needed.
My guess is that’s what happened here.
And now, all the personal info meant to be protected is sitting in one central place. That central place got breached. Now that data is out there, and it’s easy to use for the wrong reasons.
Will Tea Recover?
Probably.
We still have a long way to go when it comes to cybersecurity, and we won’t get there if consumers don’t care.
The top comment on that TikTok expresses my concerns.