Tea's data breach shows why you should be wary of new apps — especially in the AI era

In an era where mobile applications are proliferating, the recent data breach involving the Tea app serves as a stark warning about the vulnerabilities of new platforms. Tea, an app designed for women to anonymously review men, faced a significant security incident last month that compromised the privacy of thousands of users. According to cybersecurity expert Michael Coates, this breach revealed sensitive data that many believed was secure, exposing it to anyone savvy enough to exploit it. The breach resulted in the unauthorized access of approximately 72,000 images, including personal selfies and driver's licenses. Disturbingly, these images found their way onto platforms like 4chan, and within days, the sensitive information spread across various corners of the web. Users' locations were mapped out, and even a site emerged where Tea users' verification selfies were juxtaposed for ranking. But it wasn't just images at risk. Security researcher Kasra Rahjerdi disclosed that he managed to access over 1.1 million private direct messages exchanged between users on the app. These messages contained deeply personal conversations about topics such as divorce, abortion, and infidelity. The incident underscores a crucial point: just because users assume their data is secure doesn’t guarantee its protection, especially with newer applications. As Rahjerdi aptly noted, sharing information with an app is akin to confiding in a chatty coworker; that information may not remain confidential for long. Isaac Evans, CEO of Semgrep, echoed these sentiments, recalling a similar issue during his time at MIT when a directory containing student names and IDs was inadvertently left accessible online. Despite such risks, many individuals continue to share sensitive information with new apps. Remarkably, even after the breach, Tea maintained a high ranking in the Apple App Store, sitting at number four behind major apps like ChatGPT and Threads. The implications of this breach raise pressing concerns about the security of emerging applications, particularly in the AI landscape. As users become increasingly comfortable sharing private details with AI-driven platforms, the potential for mishaps grows. A notable example occurred with Meta's AI app, where users inadvertently shared personal interactions on a public feed. The trend of 'vibe coding,' where developers use generative AI to create and refine code, has also raised alarms among security experts. This approach, while popular among tech startups, could lead to significant vulnerabilities in applications. Brandon Evans from the SANS Institute cautioned that vibe coding might generate more insecure applications, especially as developers prioritize speed over security. As the landscape of app development evolves, consumers must be vigilant about the data they share. Evans emphasizes the importance of considering the worst-case scenarios when providing information to these organizations. With the rise of AI, which can be leveraged by adversaries for nefarious purposes, the risk of data breaches is likely to escalate. The Tea app incident is a reminder that as new technologies emerge, so too do the challenges of ensuring data security.