By John Gruber
Hello Weather: super useful forecasts, powered by the best weather data on Earth.
- Security Breach at Tea Worsens, Revealing Users’ DMs About Abortions and Cheating
-
Emanuel Maiberg and Joseph Cox, reporting again for 404 Media:
Despite Tea’s initial statement that “the incident involved a legacy data storage system containing information from over two years ago,” the second issue impacting a separate database is much more recent, affecting messages up until last week, according to the researcher’s findings that 404 Media verified. The researcher said they also found the ability to send a push notification to all of Tea’s users.
It’s hard to overstate how sensitive this data is and how it could put Tea’s users at risk if it fell into the wrong hands. When signing up, Tea encourages users to choose an anonymous screenname, but it was trivial for 404 Media to find the real world identities of some users given the nature of their messages, which Tea has led them to believe were private. Users could be easily found via their social media handles, phone numbers, and real names that they shared in these chats. These conversations also frequently make damning accusations against people who are also named in the private messages and in some cases are easy to identify. [...]
Some of the private messages viewed by 404 Media include:
- One user tells another they just discovered their husband on the app being discussed. “I am his wife,” many of the messages say.
- Another appears to show a woman contacting others about a man she is engaged to.
- Multiple messages which appear to show women discussing their abortions.
- Chat logs between women discovering they are dating the same man, exchanging information such as what car he drives for verification.
When I linked to 404 Media’s coverage of the initial breach at Tea the other day, I wrote, “I’m not accusing Tea in particular of being vibe-coded”. Well, I still don’t know if Tea’s service architecture was vibe-coded, but it’s now clear that whoever made it was shamefully incompetent. They shouldn’t have made any sort of services backend, let alone one like Tea’s that’s intended to carry incredibly sensitive personal information and messages.
This is an outright privacy — and quite possibly, personal security — disaster. With the abortion discussions and the current bifurcation of women’s rights here in the US, it could be a legal disaster, too. 4chan clowns have taken the images and data and created maps of Tea users’ addresses, and a Mark-Zuckerberg-“Facemash”-style site for ranking users’ appearance.
For women who’ve already signed up and started using Tea, I doubt there’s anything that can be done to remove them from exposure. Even if Tea offers a “delete your account” feature, I wouldn’t trust that it actually deletes anything from their database, let alone everything. And the cat’s already out of the bag for any bad actors who figured out this second exploit before Tea was alerted.
Yet another data point for the argument that any “private messaging” feature that doesn’t use E2EE isn’t actually private at all.
★ Monday, 28 July 2025