Tea and TeaOnHer were hit by major data breaches.
Both Tea and TeaOnHer are facing serious legal troubles, as issues have escalated over the past two weeks. According to NBC News, Tea, which launched in 2023, has been hit with 10 potential class-action lawsuits in both federal and state courts following two major data breaches: one that occurred on July 25 and another on July 29.
In the first breach, nearly 72,000 images, including selfies and government IDs submitted by users for verification purposes, were exposed. Around 59,000 of those images were shared along with private conversations, posts, and comments shared by users on the app. The second breach exposed more than “1.1 million user direct messages, spanning from early 2023 to last month,” NBC News noted.
The lawsuits accuse Tea of negligence in handling user data and violating its contractual obligations to users. Legal experts suggest that the lawsuits could result in Tea being forced to pay tens of millions of dollars in damages, a blow that could prove devastating for the company.
Meanwhile, TeaOnHer is also facing a wave of legal scrutiny. On Aug. 13, TechCrunch reported that the app had significant security vulnerabilities that exposed users’ personal data, including sensitive documents like driver’s licenses, selfies, emails, and other government-issued IDs used for verification during signup. The leak reportedly occurred sometime between Aug. 4 and Aug. 6.
TechCrunch reported that a major flaw was identified in the app’s API landing page, which contained detailed documentation that allowed anyone, whether a regular user or an app administrator, to perform unauthorized actions on the app’s backend server. The documentation, powered by a tool called Swagger UI, essentially laid out a “master list” of commands, including those for creating new users, verifying identity documents, and moderating content, the outlet noted. Most concerning was the ability to query the app’s backend and pull user data without any authentication, meaning that sensitive information could be accessed by anyone with the technical know-how, without the need for passwords or credentials.
While it’s common for developers to publish API documentation, the issue here was that some of these commands could be executed without proper security measures, putting users’ private data at significant risk. This flaw was publicly visible, making it even more alarming that the data was so easily accessible.
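An added example, not code from TeaOnHer or TechCrunch: a defender-side check that reads an OpenAPI document (the format Swagger UI renders) and lists every operation that declares no authentication requirement. The sample document, its paths and the `bearerAuth` scheme name are constructed for illustration.

```python
# Added example: flag OpenAPI operations that declare no authentication.
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

def effective_security(spec, operation):
    """Operation-level `security` overrides the document-level default."""
    if "security" in operation:
        return operation["security"]
    return spec.get("security", [])

def is_unauthenticated(requirements):
    """An empty list, or an empty `{}` alternative, permits anonymous calls."""
    return not requirements or any(req == {} for req in requirements)

def unauthenticated_operations(spec):
    """Return (METHOD, path) pairs whose effective security allows anonymous access."""
    findings = []
    for path, item in sorted(spec.get("paths", {}).items()):
        for method, operation in item.items():
            if method not in HTTP_METHODS:
                continue  # skip path-level keys such as "parameters"
            if is_unauthenticated(effective_security(spec, operation)):
                findings.append((method.upper(), path))
    return findings

# Constructed sample document; paths and scheme names are hypothetical.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "security": [{"bearerAuth": []}],  # document-wide default: bearer token required
    "paths": {
        "/users": {
            "post": {"summary": "Create user", "security": []},  # default removed
            "get": {"summary": "List users"},  # inherits the default
        },
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True}],
            # `{}` as one alternative makes authentication optional
            "get": {"summary": "Fetch user record", "security": [{}, {"bearerAuth": []}]},
        },
        "/verification": {"post": {"summary": "Verify identity document"}},
    },
}

if __name__ == "__main__":
    for method, path in unauthenticated_operations(SAMPLE_SPEC):
        print(f"no authentication declared: {method} {path}")
```

A clean result only means the document declares authentication everywhere; whether the server enforces it still has to be tested against the running API.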
“The records returned from TeaOnHer’s server contained users’ unique identifiers within the app (essentially a string of random letters and numbers), their public profile screen name, and self-reported age and location, along with their private email address,” TechCrunch reported. “The records also included web address links containing photos of the users’ driver’s licenses and corresponding selfies.”
The flaw behind the TeaOnHer breach has since been fixed, according to the Tribune, and Tea has launched an investigation into the leak on its app, NPR noted.
“As part of our ongoing investigation into the cybersecurity incident involving the Tea App, we learned that some direct messages (DMs) were accessed as part of the initial incident,” a representative from the company said in a statement. “Out of an abundance of caution, we have taken the affected system offline. At this time, we have found no evidence of access to other parts of our environment.”
The company stated that only users who registered before February 2024 were impacted.
Great Job Shannon Dawson & the Team @ MadameNoire Source link for sharing this story.