Women’s ‘red flag’ app Tea is a privacy nightmare

An app designed to help women identify the "red flags" of men they date has accidentally put its users at risk. Last week, 404 Media reported that Tea had been breached by 4chan users, and that selfies and driver's licenses of users, mostly women, were posted on 4chan as a result. An independent researcher working with 404 Media has since found that private messages between users, discussing infidelity, abortion and personal phone numbers, are also exposed to attackers.

Tea was founded by software developer Sean Cook, who said he was inspired to create the anonymous whisper network after witnessing his mother's "horrifying" dating experiences with men. It was also heavily influenced by the growth of "Are we dating the same guy?" Facebook groups and operates on a similar premise, raising anecdotal alarms about men that members have dated. Last week the app rose to number one in the Apple App Store, and Tea claims more than 4 million active users.

On July 25, 72,000 images were exposed, including 13,000 selfies and driver's licenses submitted for verification and another 59,000 images posted within the app; many of them were downloaded and reposted publicly on 4chan. 4chan users initially posted images of four women's driver's licenses with some personal information redacted, but a flurry of comments on the thread revealed that thousands of images had been pulled before the company learned of the breach. Tea told 404 Media that it has launched a "full investigation with the assistance of external cybersecurity firms" and is cooperating with law enforcement "to assist" in their investigation.

Tea stored its users' sensitive information in Firebase, a back-end cloud storage and computing service owned by Google. Since 2023, Tea has no longer required users to submit photos of their ID for verification. Although the company initially insisted that the breach affected only its "legacy" database and users who signed up before February 2024, according to an independent researcher and a dataset reviewed by 404 Media, Tea's data remains insecure and the exposure extends well beyond the initial breach, with private messages sent as recently as last week still accessible and vulnerable to further exposure.

As Tea's popularity among women has grown, it has drawn increasing criticism and anger from so-called "men's rights" groups online.

Men who discovered they appeared on the app have called it a "toxic" network. Some have gone viral on TikTok and X, claiming that the statements made about them are untrue, defamatory and completely wrong. "The problem is that people (especially women) won't see this as a problem until a male version of the app is created. I deserve to know my partner's STD history, number of victims, etc," reads one of the most popular comments in a thread on the r/MensRights subreddit. Shortly after, a male-led response app called Teaborn was created, but it was quickly shut down after users reported it for publishing revenge porn.

Several cybersecurity and data privacy experts have called the storage practices that led to Tea's initial breach downright negligent.

“This data was initially retained to comply with law enforcement requirements related to the prevention of cyberbullying,” the company initially claimed in a statement provided to 404 Media.

Peter Dordal, a professor of networking and security at Loyola University Chicago, told The Verge that he believes the company's claim that it was complying with the law is "misleading" and that the company could have done more to prevent this cybersecurity nightmare. "[The statement] is misleading for two reasons: first, law enforcement agencies do not set requirements; that is the job of Congress and state legislatures. Tea did not provide the actual legal requirement," Dordal said. "Secondly, if there was a legitimate legal need to preserve these images, they should not have been available online in the first place; they are clearly not needed for normal activities on the site."

Dordal added that while user data is typically stored in the cloud, Tea had to take steps to ensure it could not be accessed by the public. Tea's terms of service also state that user data is deleted after verification, which the company apparently failed to do.

"Tea certainly had lax security practices if the current reports are true," said Grant Ho, an assistant professor at the University of Chicago who researches computer security. "A company should never host users' personal data on a public server and, at a minimum, the data should be stored encrypted."
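The two points the experts make, data sitting on a publicly readable cloud store and no per-user access control, come down to the access rules on the storage back end. The following is an added illustration, not Tea's configuration (the article does not publish it) and not code from Tea or from Firebase: a Firebase Storage security-rules file in which the shape of rule that makes a bucket publicly readable is shown as an audit finding in comments, beside a hardened rule set that ties each verification upload to the signed-in user who submitted it. The path layout (`verification/{uid}/{file}`), the size limit and the content-type check are assumptions chosen for the example.

```firebase
// Added example (not Tea's or Firebase's own rules). storage.rules
rules_version = '2';

// AUDIT FINDING: a rule of this shape is what "publicly accessible" means.
// With `allow read: if true` under a catch-all match, any object in the
// bucket can be fetched, and with `list` implied by `read`, enumerated,
// without signing in at all:
//
//   match /{allPaths=**} {
//     allow read: if true;                 // anyone, no auth
//     allow write: if request.auth != null;
//   }

service firebase.storage {
  match /b/{bucket}/o {

    // Default deny. Firebase rules are allow-only, so a path that matches
    // no `allow` (or only `allow ... if false`) is inaccessible to clients.
    match /{allPaths=**} {
      allow read, write: if false;
    }

    // Verification uploads (selfies, ID photos) live under the uploader's
    // uid. Only that authenticated user can fetch them, and only `get` is
    // granted, not `list`, so the folder cannot be enumerated even by its
    // owner. Size and content-type checks limit what can be written.
    // (Path, 10 MiB cap and image/* check are assumptions of this example.)
    match /verification/{uid}/{file} {
      allow get: if request.auth != null
                 && request.auth.uid == uid;
      allow create: if request.auth != null
                    && request.auth.uid == uid
                    && request.resource.size < 10 * 1024 * 1024
                    && request.resource.contentType.matches('image/.*');
      // No update/delete from clients: retention and deletion after
      // verification (which the terms of service promise) is a server-side
      // job, not something the uploading device decides.
    }
  }
}
```

Rules deploy with `firebase deploy --only storage`, and the catch-all block is the first thing to check in an audit: a file containing `allow read: if true` under a `{allPaths=**}` match makes every object retrievable without sign-in. Two caveats a practitioner would want. First, rules only gate access through the Firebase client SDKs and REST endpoint; the Admin SDK and service accounts bypass them, and the underlying Cloud Storage bucket must also not grant `allUsers` or `allAuthenticatedUsers` read access through IAM, or the rules are irrelevant. Second, rules control who can fetch an object, not how it is stored; Ho's second requirement, keeping the data encrypted under keys the application controls, is a separate measure, as is actually deleting verification images once they have served their purpose.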

Andrew Guthrie Ferguson, a law professor at George Washington University and an expert on big-data surveillance, notes that an online whisper network can never be as secure as a real whisper network operating offline: once your information is shared digitally, it is no longer under your control.

“What changes when data becomes digital and can be recovered, stored and searched is that you lose control over it,” Ferguson said. “You can't keep it to the people you trust.”
