The Tea dating application exposed roughly 72,000 personal photos and government-issued IDs through a basic Firebase misconfiguration. Yes, you read that correctly – IDs were sitting in a publicly accessible bucket that anyone could download with a simple URL. Additionally, newer reports indicate that a separate database containing private messages was also compromised, further amplifying the impact of the breach.
Items that went wrong:
- Default Firebase permissions left wide open.
- Personally Identifiable Information (PII) was stored indefinitely while claiming “immediate deletion”.
- AI-generated code was deployed without an adequate security review.
- Inadequate monitoring across critical endpoints.
- No authentication required for sensitive data access.
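The first and last items on that list (open default permissions, no authentication on sensitive data) are exactly what a rules audit catches before release. The following is an added example written for this post, not code from NaviSec or from the Tea application: a small Python check that scans Firebase Storage security rules for `allow` statements with no `request.auth` condition (including the time-boxed "test mode" rules the Firebase console offers) and scans a bucket IAM policy export for the public principals `allUsers` and `allAuthenticatedUsers`. The three rule sets and the IAM policy are constructed samples; the regular-expression parser is a heuristic for the common single-line `allow` form, not a full parser for the rules language.

```python
import re

# Constructed sample rule sets (Firebase Storage rules syntax; the samples
# themselves are written for this example, not taken from any real project).
OPEN_RULES = """
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if true;
    }
  }
}
"""

TEST_MODE_RULES = """
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if request.time < timestamp.date(2025, 8, 31);
    }
  }
}
"""

HARDENED_RULES = """
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /users/{uid}/{fileName} {
      allow read, write: if request.auth != null && request.auth.uid == uid;
    }
  }
}
"""

# Constructed bucket IAM policy in the shape returned by
# `gcloud storage buckets get-iam-policy` (one binding grants public read).
PUBLIC_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.admin",
         "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]},
    ]
}

# Matches `allow <ops>;` and `allow <ops>: if <condition>;` on one line.
ALLOW_RE = re.compile(r"allow\s+([a-z][a-z, ]*?)\s*(?::\s*if\s+([^;]+?))?\s*;")
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def audit_storage_rules(rules_text):
    """Return (operations, reason) for every allow statement open to anyone."""
    findings = []
    for m in ALLOW_RE.finditer(rules_text):
        ops = m.group(1).replace(" ", "")
        cond = (m.group(2) or "").strip()
        if cond in ("", "true"):
            findings.append((ops, "unconditional access: no request.auth check"))
        elif "request.time" in cond and "request.auth" not in cond:
            findings.append((ops, "time-boxed test-mode rule: open to everyone until it expires"))
    return findings


def audit_iam_policy(policy):
    """Return (role, member) pairs that grant bucket access to public principals."""
    return [
        (binding["role"], member)
        for binding in policy.get("bindings", [])
        for member in binding.get("members", [])
        if member in PUBLIC_PRINCIPALS
    ]


if __name__ == "__main__":
    for name, rules in (("open", OPEN_RULES), ("test-mode", TEST_MODE_RULES),
                        ("hardened", HARDENED_RULES)):
        print(name, audit_storage_rules(rules))
    print("iam", audit_iam_policy(PUBLIC_POLICY))
```

Run it against the `storage.rules` file in the repository and the IAM policy export of each production bucket as part of CI; an empty result from both functions is the release gate, and any finding is a blocker rather than a warning.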
Wake-up call for businesses:
- Know where your data lives – Can you list systems storing customer PII?
- Implement access controls – Enforce MFA where applicable, and monitor who’s accessing sensitive information.
- Audit app configurations – Cloud storage buckets, APIs, and third-party integrations may be running in production with misconfigurations that lead to a security incident which simple checks would have prevented.
- Monitor anomalies – More than 59 GB of data was exfiltrated, and nobody realized until 4chan users posted about it. Alerts should be in place before the malicious actors have a chance to celebrate.
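The "monitor anomalies" item is the one most teams skip, so here is what the alerting logic can look like. This is an added example written for this post, not code from NaviSec or from the Tea application, and it uses a constructed JSON-lines log format (fields `ts`, `ip`, `principal`, `object`, `bytes`) rather than a real Firebase or Google Cloud Storage log schema; mapping the real schema onto those fields is the only adaptation needed. Two rules run over the log: any unauthenticated read under a sensitive prefix (assumed here to be `ids/`) fires immediately, and a sliding window per source IP fires when one client pulls more distinct objects or more bytes than a threshold within ten minutes. The sample log is constructed: one address downloading 80 ID images in two minutes, and one ordinary user fetching three of their own files.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (hypothetical JSON-lines schema, not a real GCS or
# Firebase log format): one record per object download.
SAMPLE_LOG = "\n".join(
    [json.dumps({"ts": f"2025-07-25T10:{i // 60:02d}:{i % 60:02d}Z",
                 "ip": "203.0.113.7", "principal": "anonymous",
                 "object": f"ids/{i:05d}.jpg", "bytes": 1_200_000})
     for i in range(80)]
    + [json.dumps({"ts": f"2025-07-25T10:0{i}:30Z", "ip": "198.51.100.3",
                   "principal": "uid:abc", "object": f"users/abc/{i}.jpg",
                   "bytes": 300_000})
       for i in range(3)]
)


def parse_ts(value):
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamp as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_suspicious_access(log_text, window=timedelta(minutes=10),
                             max_objects=50, max_bytes=1 << 30,
                             sensitive_prefixes=("ids/",)):
    """Return a list of alert dicts; each (ip, reason) pair fires at most once."""
    records = sorted((json.loads(line) for line in log_text.splitlines() if line.strip()),
                     key=lambda r: r["ts"])          # ISO-8601 strings sort chronologically
    recent = defaultdict(deque)   # ip -> deque of (ts, object, bytes) inside the window
    alerts, seen = [], set()

    def raise_alert(ip, reason, **detail):
        if (ip, reason) not in seen:
            seen.add((ip, reason))
            alerts.append({"ip": ip, "reason": reason, **detail})

    for rec in records:
        ts, ip = parse_ts(rec["ts"]), rec["ip"]

        # Rule 1: an unauthenticated read of a sensitive prefix is an alert on its own,
        # whatever the volume; the data should never be reachable that way.
        if rec["principal"] == "anonymous" and rec["object"].startswith(sensitive_prefixes):
            raise_alert(ip, "anonymous_sensitive_read", object=rec["object"], at=rec["ts"])

        # Rule 2: sliding-window volume per source address (distinct objects or bytes).
        q = recent[ip]
        q.append((ts, rec["object"], rec["bytes"]))
        while ts - q[0][0] > window:
            q.popleft()
        distinct = {obj for _, obj, _ in q}
        total = sum(b for _, _, b in q)
        if len(distinct) > max_objects or total > max_bytes:
            raise_alert(ip, "bulk_download", distinct_objects=len(distinct),
                        bytes=total, principal=rec["principal"], at=rec["ts"])
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_access(SAMPLE_LOG):
        print(alert)
```

Thresholds belong in configuration, not in code: tune `max_objects` and `max_bytes` to a multiple of the busiest legitimate client you see over a week, and route the `anonymous_sensitive_read` alert to a pager rather than a dashboard, because a single hit already means the access control has failed.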
Brutal reality:
This attack was not sophisticated or at a nation-state level. This was an average script kiddie finding an unlocked door. If a large company on the App Store can fail this badly, what does your security posture look like?
Don’t let your company become the next news story; prevent the reputational damage before it happens.
Think you’re ready for the water?
Contact NaviSec today to learn how we can assess your threat landscape to keep your environment incident-free.
Sources:
https://www.404media.co/a-second-tea-breach-reveals-users-dms-about-abortions-and-cheating
https://www.404media.co/women-dating-safety-app-tea-breached-users-ids-posted-to-4chan