The Tea app's data breach has grown into a far larger leak, with stolen data being shared on hacking forums, and a second database is alleged to contain 1.1 million private messages exchanged between members of the app.
The Tea app is a women-only dating safety platform where members can share reviews about men, with access to the platform granted only after providing a selfie and government ID verification.
On Friday, an anonymous user posted on 4chan that Tea used an unsecured Firebase storage bucket to store the driver's licenses and selfies that members upload to verify that they are women, as well as the photos shared in comments.
The user shared a Python script that can be used to download data from the unsecured storage bucket.
In total, more than 59 GB of data was exposed in the leak, with Tea confirming in an official statement that it affects users who signed up before 2024.
“A legacy data storage system has been compromised, resulting in unauthorized access to datasets from before February 2024,” reads the security breach announcement.
“This dataset contains approximately 72,000 images, including approximately 13,000 selfies and photo identifications submitted by users during account verification, and approximately 59,000 images that can be viewed on the app from posts, comments and direct messages.”
The platform says the selfies were not deleted in order to comply with law enforcement requirements related to cyberbullying prevention.
Threat actors are now beginning to share torrents of the leaked data on hacking forums, potentially exposing app members to social engineering attacks.
BleepingComputer has confirmed that the shared data contains driver's licenses, selfies and message attachments.
Worse, 404 Media reports that an additional database has been found containing 1.1 million private messages sent between users on the Tea platform.
The database contains much more recent data, ranging from 2023 to last week, and reportedly includes messages discussing sensitive topics such as abortion, misconduct and two-timing boyfriends.
Kasra Rahjerdi, the researcher who discovered the new database, told 404 Media that Tea users could access the stored user data using their API keys.
According to 404 Media, users can be identified based on social media profiles, phone numbers, or other personal information revealed in the messages.
What was meant to be a safe space for women has now become an embarrassment, and has even given rise to a “Facesmash”-style site where visitors can rate the selfies exposed in the leaked data.
Tea says it continues to work with third-party cybersecurity experts to contain the incident and investigate the attack.
The app has also notified law enforcement agencies, which are assisting the investigation.