TLDR: The women-only dating app “Tea” has experienced a significant data breach, compromising over 72,000 user records, including government IDs, selfies, and private messages. The breach was attributed to an unsecured backend database and the use of AI-generated code without adequate security reviews, a practice dubbed “vibe coding.” This incident highlights growing concerns about data protection and the security risks associated with AI-generated code, with research indicating a high percentage of such code contains exploitable flaws.
A major security lapse has hit “Tea,” a popular women-only dating safety app, leading to the exposure of more than 72,000 user records. The compromised data includes highly sensitive information such as government-issued identification, personal selfies, and private direct messages. The breach, initially brought to light by users on 4chan, revealed that the app’s backend database was left entirely unsecured, lacking essential safeguards like passwords, encryption, or authentication protocols.
The leaked data, totaling a substantial 59.3 GB, encompasses approximately 13,000 verification selfies and IDs, tens of thousands of user-generated images, and private messages dated as recently as 2024 and 2025. This contradicts earlier statements from Tea, which had claimed the breach only involved “old data,” underscoring a critical failure in their security infrastructure. The app, which once topped the App Store charts with 4 million users, was marketed as a secure environment for women to discuss romantic relationships. However, this incident has exposed sensitive user information, raising serious concerns about potential identity theft and harassment. Verification documents, including government IDs, are now reportedly searchable on decentralized platforms like BitTorrent, where automated scripts continue to disseminate the data even after the original 4chan thread was removed.
The root cause of Tea’s security failure has been linked to “vibe coding,” a development practice where engineers heavily rely on AI tools, such as ChatGPT, to generate code without conducting thorough security reviews. The hacker responsible for uncovering the vulnerability noted that Tea’s Firebase bucket was configured by default to be publicly accessible, entirely lacking authentication. While this approach may expedite development, it leaves applications highly susceptible to exploitation.
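As an added illustration (not code from the article or from Tea), the Python sketch below audits Firebase Storage security rules for the kind of unauthenticated access described above. Both rule sets are constructed samples, not Tea's actual configuration, and the `audit_rules` helper and its verdict labels are hypothetical names.

```python
import re

# Constructed sample: every object is readable and writable by anyone.
OPEN_RULES = """
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if true;
    }
  }
}
"""

# Constructed sample: each user can reach only their own folder.
HARDENED_RULES = """
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /users/{userId}/{allPaths=**} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
  }
}
"""

COMMENTS = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)
ALLOW = re.compile(r"\ballow\s+([\w\s,]+?)\s*(?::\s*if\s+(.*?))?\s*;", re.S)

def audit_rules(text):
    """Return (operations, verdict) for each allow statement that is too open."""
    findings = []
    for m in ALLOW.finditer(COMMENTS.sub("", text)):
        ops = tuple(op.strip() for op in m.group(1).split(","))
        cond = " ".join((m.group(2) or "").split())
        if cond in ("", "true"):
            verdict = "PUBLIC"              # no condition: anyone on the internet
        elif "request.auth" not in cond:
            verdict = "NO_AUTH_CHECK"       # condition never looks at the caller
        elif cond == "request.auth != null":
            verdict = "ANY_SIGNED_IN_USER"  # any account can read every user's files
        else:
            continue                        # auth check plus a further restriction
        findings.append((ops, verdict))
    return findings

if __name__ == "__main__":
    for name, rules in (("open", OPEN_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit_rules(rules))
```

This is a text heuristic rather than a rules evaluator, so it suits a pre-deploy check in CI; confirm any finding, and any rule it passes, against the Firebase emulator before release.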
Researchers from Georgetown University have issued a stark warning, indicating that 48% of AI-generated code contains exploitable flaws. Despite this, a significant 25% of Y Combinator startups are reportedly utilizing such code for core features of their applications. Cybersecurity experts, including Santiago Valdarrama, have voiced strong criticism of this trend, emphasizing that AI-generated code frequently lacks the necessary safeguards to prevent data breaches. The incident has ignited public outrage and raised questions regarding Tea’s adherence to data protection regulations. The company has yet to provide a detailed timeline of the breach or outline specific mitigation steps, further fueling skepticism among users and the public.


