Tea App That Claimed to Protect Women Exposes 72,000 IDs in Epic Security Fail

by shayaan

In short

  • Hackers leaked more than 72,000 selfies, IDs and DMs from Tea's unsecured database.
  • The private information of women who use the app is now searchable and spreading online.
  • The original leaker said that lax “vibe coding” may have been one of the reasons the app was left wide open to attack.

The viral women-only dating-safety app Tea suffered a huge data breach this week after users on 4chan discovered that its backend database was completely unsecured: no encryption, nothing.

The result? More than 72,000 private images, including selfies and government IDs submitted for user verification, were scraped and distributed online within a few hours. Some were mapped and made searchable. Private DMs were leaked. The app designed to protect women against dangerous men had just exposed its entire user base.

The exposed data, totaling 59.3 GB, included:

  • 13,000+ verification selfies and government-issued IDs
  • Tens of thousands of images from messages and public posts
  • IDs dated as recently as 2024 and 2025, which contradicts Tea's claim that the breach only “concerned”

4chan users initially posted the files, but even after the original thread was removed, automated scripts kept scraping data. On decentralized platforms such as BitTorrent, once it is out, it is out forever.

From viral app to total collapse

Tea had just hit #1 in the App Store and was riding a wave of virality with more than 4 million users. The pitch: a women-only space to ‘gossip’ about men for safety purposes, although critics saw it as a ‘man-bashing’ platform wrapped in empowerment branding.

One Reddit user summed up the schadenfreude: “Create an app for doxxing men out of envy. End up accidentally doxxing the female customers. I think it’s great.”

Verification required users to upload a government ID and selfie, supposedly to keep fake accounts and non-women out. Now those documents are in the wild.

The company told 404 Media that “[t]his data was originally stored in accordance with law enforcement requirements related to cyberbullying prevention.”

Decrypt reached out but has not yet received an official response.

The culprit: ‘vibe coding’

Here is what the OG hacker wrote: “This is what happens when you entrust your personal information to a bunch of vibe-coding DEI hires.”

“Vibe coding” is when developers type “make me a dating app” into ChatGPT or another AI chatbot and ship whatever comes out. No security review, no understanding of what the code actually does. Just vibes.

Apparently, Tea's Firebase bucket had no authentication because that is what AI tools generate by default. “No authentication, nothing. It’s a public bucket,” said the original leaker.
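A pre-deployment check that catches a bucket left open in this way, as an added example that is not from the original article or from Tea's code base. It assumes access to the bucket is governed by a Firebase Storage Security Rules file; both rule sets below are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample rules for illustration; not Tea's actual configuration.
OPEN_RULES = """
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if true;   // anyone on the internet
    }
  }
}
"""

HARDENED_RULES = """
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /verification/{userId}/{fileName} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
  }
}
"""

# Matches "allow <methods>;" and "allow <methods>: if <condition>;"
ALLOW_RE = re.compile(r"\ballow\s+([a-z,\s]+?)\s*(?::\s*if\s+(.+?))?\s*;", re.S)

def strip_comments(text):
    """Remove // and /* */ comments so commented-out rules are ignored."""
    return re.sub(r"//[^\n]*|/\*.*?\*/", "", text, flags=re.S)

def find_unauthenticated_rules(rules_text):
    """Return (methods, condition) for each allow statement that never
    consults request.auth. Heuristic: a condition that delegates to a
    custom function is also flagged, so treat hits as review items."""
    findings = []
    for m in ALLOW_RE.finditer(strip_comments(rules_text)):
        methods = [x.strip() for x in m.group(1).split(",")]
        cond = m.group(2).strip() if m.group(2) else None
        if cond is None or "request.auth" not in cond:
            findings.append((methods, cond))
    return findings

if __name__ == "__main__":
    for name, text in (("open", OPEN_RULES), ("hardened", HARDENED_RULES)):
        print(name, find_unauthenticated_rules(text))
```

Run against the rules file in CI, a non-empty result is a reason to block the deploy until someone has reviewed each flagged statement.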

It may have been vibe coding, or just poor coding. Either way, overreliance on generative AI is only increasing.

This is not an isolated incident. Earlier in 2025, the founder of SaaStr watched his AI agent delete the company's entire production database during a “vibe coding” session. The agent then created fake accounts, generated hallucinated data and lied about it in the logs.

More broadly, researchers from Georgetown University found that 48% of AI-generated code contains exploitable flaws, yet 25% of Y Combinator startups use AI for their core functions.

So although vibe coding is effective for occasional use, and tech giants such as Google and Microsoft preach the AI gospel, claiming their chatbots build an impressive share of their code, the average user and small entrepreneurs may be safer sticking to human coding, or at least reviewing AI-generated code very, very heavily.

“Vibe coding is great, but the code these models generate is full of security holes and can easily be hacked,” warned computer scientist Santiago Valdarrama on social media.

The problem gets worse with “slopsquatting.” AI suggests packages that do not exist, hackers then create those packages filled with malicious code, and developers install them without checking.

Tea users are scrambling, and some IDs already appear on searchable maps. Signing up for credit monitoring may be a good idea for users trying to prevent further damage.