Out of curiosity I downloaded the larger size one - 200+GB I think (not at my computer right now) and skim through it every now and then. It's depressing - so much toxicity. Everyone seems mentally ill to me - male and female. This is a world completely alien to me and the people close to me.
kbelder · 23h ago
Right, "a pox on both their houses". The leakers, the people using the app, the men, the women, all seem gross. There are innocent men and women swept up in this, but it just seems like an unsavory neighborhood of the internet that people should avoid.
WD-42 · 22h ago
That’s how I see it. There’s so much negativity surrounding this entire app - best to avoid interacting with it in any way on either side.
monkeywork · 21h ago
I don't look down on the leakers any more than I would with any other security breach being released (I certainly didn't hear people using this same language of disgust over say 4chan being hacked or back in the day when Ashley Madison was hacked).
For me the only people I'm looking at with disgust is those who were using said app... it was a gossip cesspool with no way to verify any of the claims being said and a breeding pool for hateful posts against people you dislike.
The meme floating around of "I joined a site to dox and spread personal info about people got hacked and now my personal information is being spread around waahhahaaa" is pretty damn accurate and makes me not feel bad for them at all.
seec · 7h ago
It seems like it was an app made to enable the worst of women's behavior. In that way it seems like it was very successful to me.
Of course, in reality such behavior is rarely conductive to anything good; I guess they got what's coming.
The whole concept of dating apps is so toxic, shallow and just plain bad. It's like choosing people as if they were products on a shelf.
runsWphotons · 21h ago
Sounds like Reddit
Loughla · 22h ago
Believe it or not, the Internet has not helped people be better in many cases. Sometimes it enables the worst of our personalities to really shine through.
theshrike79 · 14h ago
It used to be so that the Village Crazy got called crazy and either they figured out "shit, I'm crazy" and toned it down or they just lived alone being crazy.
Now the Village Crazy can find others with their exact flavour of crazy online and think that it's cool and everyone is doing it. Then they get deeper and deeper into their crazy, maybe transitioning into other flavours of crazy.
aydyn · 22h ago
Absolutely. Its funny when people on HN unironically claim this site to be a tiny miraculous exception.
swat535 · 10h ago
The worst part is that God forbid the genders were reversed and you had a male only app to discuss their relationships.
The app would be banned within a few seconds and 90% of people here would celebrate it.
Majority of people assume the following:
1. Men don't deserve to have private spaces
2. Men can't be victims of abuse (sexual, physical or else)
3. Men don't need to be protected from toxic relationships
4. Women don't need to ask men for consent
Men here refers to all men, including trans men, homosexuals, bisexuals, heterosexuals, etc.
Perhaps, it's time that we have an honest discussion about the realities of living in the world as a man in 2025.
If you're reading this and find my comment in bad taste, or that it frustrates you, I highly encourage that you take sometimes and introspect as to why you feel that way.
seec · 7h ago
I'm glad, I'm not the only one feeling this way. My experience lately has been that if you are a man, you are just bad, regardless of if your behavior is actually condemnable or not.
Worse than that, if you speak against any of the nonsense coming to you, you are extra bad.
And they are surprised that fertility has fallen all over the place, seems like intended objective to me.
frollogaston · 21h ago
This really is the most friendly forum I've been on that isn't something ultra-specific like crownvic.net
chrisg23 · 19h ago
I'm new here but I agree. The ratio of discussions to arguments here is like the inverse of most large forums.
Its not perfect of course, neither am I.
aydyn · 5h ago
Sure if you agree with the majority you don't run into a lot of toxicity.
But centering your ideological bubble is its own form of toxicity that is enabled by the internet.
frollogaston · 5h ago
There are a lot of things I disagree with the majority on here. But it's more like in a real life convo, most disagreements don't need to turn into huge debates in the first place, let alone result in name-calling and group-shaming.
aydyn · 5h ago
> There are a lot of things I disagree with the majority on here
Such as? Are any of those disagreements ideological?
frollogaston · 5h ago
I don't like any tech gadgets, don't care a lot about digital privacy, prefer imperial measurements, think dynamic types are the best for high-level code, am opposed to ipv6, think Golang is pointless, want an official Linux desktop OS (not just kernel) to exist, think adults shouldn't be playing video games. And have said all those things repeatedly here.
If that all sounds too non-spicy, well, even mentioning the smaller things like JS vs TS on a mainstream Reddit page got people calling me a moron and my comment hidden because the score got too low. If I said it on a different page, maybe it would've been +100 score and everyone disagreeing with me booted instead, but that's not any better. Learned quickly not to bother with there.
HN isn't really a place for plain political discussions, so I don't participate in those. They do exist though, and end up getting locked. I'd probably be more right-wing than most.
aydyn · 4h ago
Right, try participating in one of those political discussions here and see what happens.
Also using reddit as a baseline is like using a cesspool tank as a baseline of sanitation.
frollogaston · 4h ago
I've read through them here, they're not bad at all. There's a majority opinion, and people are disagreeing, but there's real content there instead of campaign slogans and insults. But HN rules say it's not for politics, so I avoid participating.
So what is your non-cesspool forum example that isn't Reddit? Twitter seemingly got taken over by bots early on, Facebook pages were a disaster at least when I was in college, and those are the big ones.
aydyn · 3h ago
I think its worth saying that its a gradation, some places are better than others with HN tending to the better. But fundamentally, I don't think large non-toxic forums exist.
X optimizes for engagement and as studies have shown, that means optimizing for rage bait.
Reddit optimizes for rage bait too but includes a voting system that hides unpopular opinions, so any person that conflicts with the majority is marginalized. So on top of being full of rage bait, its an echo-chamber and that is before even talking about the powermod problem.
HN is much like reddit in style, so fundamentally HN also tends towards an echo chamber.
And by echo chamber, I mean a cringe circle jerk: a New Yorker article called it "performative erudition".
frollogaston · 1h ago
HN doesn't feel like Reddit, yes there are votes but it's one page and a totally different algo, and different user base. Guess we have different levels of satisfaction with that.
Gotta say though, it's rich hearing this from New Yorker.
7thaccount · 21h ago
Is that a forum for people with crown Victoria vehicles?
frollogaston · 21h ago
Yeah. I'm not signed up there, just end up finding advice and docs there often if I'm fixing something on my Vic.
claudiulodro · 21h ago
Was not expecting to see crownvic.net on HN! Definitely the best and friendliest resource for the Panther platform!
frollogaston · 21h ago
The Panthers show up when you least expect them.
whamlastxmas · 11h ago
Honestly I saw more petty drama on the Toyota Yaris forums than I ever do here
frollogaston · 5h ago
I'm guessing this is 99% because the Yaris has a stickshift option and someone went on the forums to dunk on automatic users
jasonm23 · 21h ago
s/Sometimes/By default/
jamal-kumar · 21h ago
There is the AWDTSG social media groups that this app shamelessly took the idea from in an attempt to monetize it, and the thing is that these groups probably serve the exact same function just fine without egregious mistakes in the name of move fast and break things techbro profit like 'exposed s3 buckets a literal child could have found' regardless of anyone's opinion on whether they should exist or not
There's also the fact that the big story in the USA right now is how some app got hacked exposing everyones IDs and the big story in the UK right now is that they want everyone to enforce ID verification for literally everything and they want people to think this is somehow safe and not just a time bomb waiting to blow
catlikesshrimp · 21h ago
To add something useful, I have been in mental asylums. There are physically dangerous people who aren't full of negative emotions. Most psychiatric patients don't have ill feelings towards others in general, only toward themselves.
I have no idea why many hateful minds meet in places like that you mention; maybe it is some specific interactions that spark the noxious emotions, but I am no expert. It is similar to highschool extremely cool kid circles and fraternities, only for reverse reasons (alone together vs in a group)
senectus1 · 20h ago
I dont know if this is just my 50 yr old view of the world... but imho there is a lot this going around.
Workmates, family, people of the streets and in shops. just so much angry toxic people. it's like a cultural change (am in Australia btw).
its not everybody but its a definitely larger number than I remember in the past few decades.
throwanem · 23h ago
Miłosz would recognize it, I think.
tempnew · 21h ago
The poet? Murti-bing pills?
dzonga · 23h ago
where from ? so I can explore too ?
marethyu · 22h ago
All I can find is this magnet link: magnet:?xt=urn:btih:brl45s3ysyotj6ljolmtnrlvfmyv4y7s&dn=tea&xl=59368985613&fc=57794 but this is not 200gb one...
igor47 · 23h ago
imho, as much as i like firebase, i think the design encourages this kind of broken security model. the default is open-to-the-world with credentials in the client app. setting up firebase permissions is kind of a pain.
in the traditional db world, at least your db creds live on the server-side app.
frollogaston · 23h ago
Firebase's DB (Firestore) being almost default-allow is even funnier, and that was the core functionality from the start, leading to tons of huge breaches over the years. At least a public file bucket is a more valid use case, except I'm guessing they left the "list files" permission open. Edit: Oh, chat DB is probably Firestore, so they left that open too, nice.
Having used it several times, yeah I wouldn't entrust it to a dev team. It's gotten better lately but still seems like the gun is always pointed at your foot.
It's to this kind of quality engineering that they want me to entrust my ID so I can watch pr0n or insult a politician online. Jesus.
frollogaston · 21h ago
Are they specifically using Firebase for that? I'm not saying GCP is unsafe in general, just Firebase.
darth_avocado · 22h ago
I wonder why I learnt “deny by default is a good starting point” in an undergraduate computer science course decades ago.
xorcist · 12h ago
The ones that did lost in the marketplace against the competitor which was more plug-and-play.
True story.
sudoshred · 20h ago
My naive understanding is that is the same approach taught in introductory law school.
moomoo11 · 22h ago
bro going to university is so overrated, just start vibe coding xD
/s btw
moomoo11 · 22h ago
I'm a fan of rolling actual databases, but please don't blame Firebase.
The is completely the fault of the people who made that app.
They have no fucking idea how to build systems if they can't figure out how to lock down Firebase. It isn't that hard.
Source: Multiple Firebase apps back in the day.
tbrownaw · 21h ago
No, hazardous defaults can be a source of fault for the entity providing them.
moomoo11 · 16h ago
Ok but it’s not like pg can’t stop you from doing something dumb.
There are probably countless new projects today that are storing plaintext passwords, or not adding scoping, and so on.
Putting in scopes and ensuring data security for both users and system wide is on the developer.
frollogaston · 5h ago
It's hard to screw up Postgres to the extent that your entire DB is made fully accessible by all users. This has happened many times with Firebase apps, for over a decade.
You could have a SQL injection vuln, but any SQL lib will very clearly steer you to parameterized queries, and even then such a vuln takes some expertise to find and exploit.
moomoo11 · 3h ago
That’s simply not true. I remember working with a startup founder who had Jerry rigged some crap shit together with gpt a year ago.
I was able to access his data by simply accessing it figuring out his URL and other stuff. I told him to use supabase or DO deployment and set up proper roles and stuff…
I think you’re being way too charitable honestly and it’s dangerous. I won’t join you on that path of absolving the developer of any blame.
They don’t read the docs and they didn’t care simply put. Any production system needs to be tested especially if it will have PII data.
frollogaston · 3h ago
Don't get me wrong, there is still such a thing as a bad dev. If this startup founder actually wrote an entire app using GPT and it had such vulns, I'm pretty sure he'd mess up the Firebase ACLs too.
BoorishBears · 20h ago
I blame Firebase, this is the 2nd app I saw get owned this way in the last 2 weeks, similar complete break-in including user data
moomoo11 · 16h ago
Their docs literally show how to prevent this. It’s part of the tutorial even iirc.
But sure blame firebase lol
frollogaston · 5h ago
The variable here is Firebase, the same devs don't have these issues on other platforms. If users are reading and fully understanding the manual before setting things up, that's great, it can be default-deny and tell them how to selectively open things.
moomoo11 · 3h ago
Again simply not true. Sorry I’m gonna move on.
Y’all can continue making excuses for people leaking PII. Peace.
dlcarrier · 23h ago
This is why I immediately nope out of anything that requests a copy of a photo ID.
dom96 · 22h ago
Then how do you live in this world? You cannot avoid providing a copy of your photo ID to someone at some point in your life.
We really need some sort of standard for sharing specific and limited authenticated info about ourselves to third-party websites that doesn't require sharing a full photo ID.
fc417fc802 · 22h ago
You can't avoid it, but you can choose to refuse unless there is a legitimate need for it. Very few brick and mortar interactions require it, and at least historically a copy wasn't retained but rather verified on the spot by the business agent.
We really don't need a standard for sharing it online, at least nothing easy for businesses to implement. There are very few legitimate scenarios for an online service to ask for that. Online pharmacy, online signup with a bank, and online government interactions are the only that immediately come to mind.
I'm not even sure that the pharmacy case is legitimate now that I think about it. I don't need ID when I go in person. The prescriber can validate the mailing address for them.
tempnew · 21h ago
If you need to buy Sudafed in a pharmacy you need a drivers license, and I believe they record the information somehow. Presumably online alcohol or marijuana sales would also require some retained evidence that a dl was presented. Maybe car insurance too.
dlcarrier · 13h ago
I show it to people, when needed, but don't send out copies.
hn_acc1 · 22h ago
Sure, if I'm applying for a mortgage, or boarding an airplane.
Just to register for one-more-app / one-more-webboard? Nope.
WD-42 · 22h ago
You use judgement. I’d upload my id to a passport renewal site provided by the govt.
Some private app for rating other human beings? Nope.
tough · 21h ago
you have higher trust in your government IT services than I do on mine
WD-42 · 21h ago
Well I hope you didn’t trust this particular private app!
BobaFloutist · 2h ago
I mean if my government IT services are idiots they could easily leak a digital copy of my ID without me having to provide said digital copy.
Providing a digital copy of my ID to someone who otherwise would have no copy of my ID, digital or otherwise, is a different matter.
djoldman · 21h ago
This is a great question.
I dislike it to such a degree that I try to avoid services that require it.
Sometimes, however, it's worth trying to access services without giving the ID and just saying oh I'd like to keep that private or just not providing it and submitting an application for services without it.
Additionally, try to apply in person as often they'll accept paper.
It doesn't work in the majority of situations but it's worth a try.
gruez · 21h ago
Any sort of fintech (including crypto exchanges) is going to require photo ID scans (and possibly even some sort of live selfie stream, to make sure the scan isn't from some leak) for KYC reasons.
rsync · 4h ago
Our common, accepted knowledge - and what we should demand - is that all KYC be concentrated in actual banks.
Actual banks (not fintech barnacles) enjoy a very privileged position in terms of verifying identity and legal mechanisms afforded to them.
If a non-bank actor can verify against an actual bank, that should be enough…
It is absurd that, for instance, a small saas/iaas provider should perform any form of KYC when we can match a successful payment against a bank.
tbrownaw · 21h ago
Last time I did a certification exam (CKA) I had to provide an ID to the online proctoring people.
klipklop · 22h ago
Seems like Western governments are pushing for this to be the default to interact with almost any website soon enough. You know, to "protect the children." Soon you will have to nope out of the entire internet.
iszomer · 23h ago
Especially the IRS? eg, ID.me?
zamadatix · 22h ago
Most people don't actually require ID.me to deal with the IRS, even if e-filing.
frollogaston · 22h ago
If you lost your last return and need to request a transcript, I think it's your only option
fc417fc802 · 22h ago
I mean yeah, I'm extremely uncomfortable with commercial ID solutions when accessing government services. When I can I even avoid government websites that have captchas or other third party resources on them but that's becoming increasingly unworkable. It's absurd that I should be required to leak my personal information to third parties in order to make use of a government service (ie something with no competition that I am legally obligated to use).
For the IRS it doesn't even make sense because I can drop paper forms in the mail. Don't need any ID whatsoever for that.
iszomer · 21h ago
I don't trust dropping any PII/payment-related forms in the mail either, stemmed from a recent experience in which a NYC's DoF had used my information to pay for services on my behalf without authorization.
paulpauper · 23h ago
maybe AI will become good enough to create realistic IDs
mg794613 · 23h ago
"Worsens" is relative.
Discovery of heinous defamation circles, doesn't sound like something to look away from or feel sorry for.
fn-mote · 22h ago
> doesn't sound like something to look away from
Frankly, I don’t waste my time online with toxic behavior. In real life, I might have a response. Online, it is too hard to get an idea if the interaction is even sincere.
mg794613 · 22h ago
You're completely right, sorry, I meant more for authorities, not you or me.
deepfriedchokes · 22h ago
So this is an app where people defame others? Would these leaked communications expose their users to libel charges?
Gigachad · 22h ago
I doubt it if they were private communications.
Perceval · 20h ago
Even private written communications can be libel if they are false and injure the reputation of the subject.
mensetmanusman · 18h ago
Not as part of a mass hack where one could just argue it’s fake data.
whamlastxmas · 11h ago
It isn’t that straight forward. If you wrote it and it got published, it still counts as published even if you didn’t publish it yourself. The crux of libel is that you made it permanent somehow by writing it.
Gigachad · 10h ago
Who's to say you wrote it and that the hackers didn't just insert that in the dataset?
jc4p · 20h ago
Hi all, i'm the security researcher mentioned in the article -- just to be clear:
1. The leak Friday was from firebase's file storage service
2. This one is about their firebase database service also being open (up until Saturday morning)
The tl;dr is:
1. App signed up using Firebase Auth
2. App traded Firebase Auth token to API for API token
3. API talked to Firebase DB
The issue is you could just take the Firebase Auth key, talk to Firebase directly, and they had the read/write/update/delete permissions open to all users so it opened up an IDOR exploit.
I pulled the data Friday night to have evidence to prove the information wasn't old like the previous leak and immediately reached out to 404media.
And to be 100% clear, the data in this second "leak" is a 300MB JSON file that (hopefully) only exists on my computer, but I did see evidence that other people were communicating with the Firebase database directly.
If anyone is interested in the how: I signed up against Firebase Auth using a dummy email and password, retrieved an idToken, sent it into the script generated by this Claude convo: https://claude.ai/share/2c53838d-4d11-466b-8617-eae1a1e84f56
Yes! haha! But hopefully I have a good enough support group and connections that I'll be ok if that happens, I just really wanted to prove that they were not being honest when they said it was data prior to 2024.
shkkmo · 17h ago
Doesn't that Gemini summary gist tie usernames to pretty specific highly personal non-public stories? That seems like a significant violation of ethical hacking principles.
jc4p · 16h ago
They're anonymous usernames the app had them make and they were told don't use anything shared elsewhere and I googled and there's not any uniquely identifiable people from any of them.
They seem generic enough that I think it's okay, but you're right there is no need in including them and I should've caught that in the AI output, thank you!!
frollogaston · 5h ago
I don't see the need for the AI output to begin with. Normally pen-testers just demonstrate breaches, this is more like exposing what users do on the app.
shkkmo · 6h ago
I think including specific stories is already an ethical hacking violation.
Including the pseudonyms associated with those stories creates unnecessary risk of, and arguably incentive for those individuals.
I also just don't get the mindset of dumping something like this into an AI tool for a summary. You say "a 300MB JSON file that (hopefully) only exists on my computer" but then exposed part of that data to generate an AI summary.
Having the file on your computer is questionable enough but not treating it as something private to be professionally protected is IMHO another ethical violation.
exabrial · 22h ago
I think it's wrong to upload someone's photo without their consent or knowledge, but I don't think this is right either.
joshdavham · 21h ago
This is correct. While I’m not sad about Tea’s most toxic users being exposed, there were likely also many innocent women caught in the crossfire who likely just signed up out curiosity.
nsksl · 22h ago
Live by the sword.
general1726 · 22h ago
Tea app looks like Kiwi farms, but for girls.
water-data-dude · 7h ago
"The platform states that selfies were not deleted as expected to comply with law enforcement requirements related to cyber-bullying prevention."
This is why laws that say "just give websites your photo ID! It's for the safety of the children!" are concerning
fruitworks · 22h ago
At what point do you just pull the plug out of the wall
singleshot_ · 22h ago
> This information was stored in accordance with law enforcement requirements related to cyber-bullying investigations.
Citation, anyone?
realsolipsist · 11h ago
Well that’s it. I can’t sneed.
cmxch · 20h ago
Consider advocating for data privacy that makes Tea a nonstarter?
booleandilemma · 22h ago
What happened with this app feels like karma.
OutOfHere · 22h ago
Yet, the app is alive and thriving. For some reason, Google and Apple are protecting it.
monkeywork · 21h ago
because news articles and media are putting out this narrative that the site was a "safety tool" that was critical in allowing women to "protect themselves", instead of what it actually was: a gossip and hate-spewing site with zero oversight/recourse for anyone who is being slandered.
The app stores haven't pulled it because they are waiting for this to flow out of the news cycle and reduce the impact of this subset of our culture freaking out at them.
cwmoore · 21h ago
You are now permanently banned from /r/TwoXChromosomes
frollogaston · 21h ago
Say I were single and ended up being slandered on that site, what would happen? Sounds like the users on there are not the kind I'd want near me anyway.
npteljes · 8h ago
The outcome is very hard to determine, because we don't know your goals and circumstances. Focusing on the downsides,
1. Wrt/ dating, the obvious downside is that your potential partner is dissuaded from dating you because of what is said on the platform.
2. I can also see vigilante justice; an extremist reaction to what is said on the platform. Actual violence, or just harassment, online or real life.
3. Or, I can see corporations using these databases on the down low to filter potential employees, similar to how they screen online presence as well.
Of course, all of these are just potential risks, not things that actually happen(ed yet).
_--__--__ · 21h ago
There is no safe amount of attention from people who spend their time sharing 'drama' online. The most extreme example is the kiwifarms lolcow stuff, but even very normal and boring internet 'microcelebs' learn the hard way that some insane person somewhere will decide they don't like you and go out of their way to interfere with your life and relationships.
monkeywork · 20h ago
That's the equiv of saying I don't need privacy because I have nothing to hide.
Just because you don't want anything to do with the type of people who would post pictures of you and slander / shit talk you doesn't mean that you should want that being out there to begin with - it's not like that sort of thing hasn't ever been weaponized against someone before.
The worst part is with this app there is a high chance you'd never find out that anything was ever said about you until the snowball is so big that it'll crush any attempt to slow it down.
frollogaston · 5h ago
Guess this is too theoretical for me to worry. This app was up for years, I was wondering if they ever coordinated an attack on someone other than just avoiding him.
And yeah, I am trusting certain companies like Apple with some of my data to some extent.
booleandilemma · 20h ago
Imagine being shadow banned from dating.
frollogaston · 19h ago
That's only if the normal women are on that website. Which could happen, but sounds like it was a weird place.
tough · 21h ago
if the US govt had told the company to get their shit together or close up after the first leak, the second one wouldn't have happened
cmxch · 20h ago
They wouldn’t protect it if it were a male oriented dating safety app.
monkeywork · 19h ago
because there is no subset of our current culture that would go scorched earth on them over the removal.
They aren't so much picking sides based on their moral compass more picking sides to induce the least harm to bottom line.
OutOfHere · 9h ago
> picking sides to induce the least harm to bottom line.
This is why Google has a large number of scam dating apps on its app store. The apps I refer to are near/complete scams with 99% fake profiles and 1% lured, like the phishers of Myanmar, only these are Western. They bring big money in.
seec · 5h ago
Even apps that are not strictly for dating are full of scams, a lot of catfishing is going on with a ton of onlyfans egirl type of profile.
A while ago (about 3 years), I downloaded a ton of apps made (allegedly) to meet new people in cities you don't know (I was going to spend about 3 weeks at a friend and he would be busy with his job); Meet with Locals types of apps.
I shit you not, the vast majority were filled with scam profiles and a lot of what I assume is escort services/soft prostitution and whatnot.
So, I just deleted them all and just met people the old-fashioned way (which was just fine, not sure technology has a real use case for that); but it was an eye-opener.
scarmig · 19h ago
<tinfoil>Google is invested in ratcheting up the war behind the sexes, because it atomizes people and makes them prime targets for an upcoming companion AI product.</tinfoil>
thefz · 16h ago
Now reverse sexes and imagine if such an app would be allowed to exist in the first place
budududuroiu · 21h ago
While I think this app is disgusting, it’s kinda interesting to see the outrage that this app generated.
Kiwifarms never gets this level of outrage going, and I’d argue it’s an order of magnitude more toxic to society than Tea would be
yanderekko · 21h ago
KF never topped the app store charts, nor had the widespread defense that Tea did.
mcosta · 10h ago
Cloudflare blocked Kiwifarms. Now and then I read some group trying to boycott Kiwifarms.
For me the only people I'm looking at with disgust is those who were using said app... it was a gossip cesspool with no way to verify any of the claims being said and a breeding pool for hateful posts against people you dislike.
The meme floating around of "I joined a site to dox and spread personal info about people got hacked and now my personal information is being spread around waahhahaaa" is pretty damn accurate and makes me not feel bad for them at all.
Of course, in reality such behavior is rarely conductive to anything good; I guess they got what's coming.
The whole concept of dating apps is so toxic, shallow and just plain bad. It's like choosing people as if they were products on a shelf.
Now the Village Crazy can find others with their exact flavour of crazy online and think that it's cool and everyone is doing it. Then they get deeper and deeper into their crazy, maybe transitioning into other flavours of crazy.
The app would be banned within a few seconds and 90% of people here would celebrate it.
Majority of people assume the following:
1. Men don't deserve to have private spaces
2. Men can't be victims of abuse (sexual, physical or else)
3. Men don't need to be protected from toxic relationships
4. Women don't need to ask men for consent
Men here refers to all men, including trans men, homosexuals, bisexuals, heterosexuals, etc.
Perhaps, it's time that we have an honest discussion about the realities of living in the world as a man in 2025.
If you're reading this and find my comment in bad taste, or that it frustrates you, I highly encourage that you take sometimes and introspect as to why you feel that way.
Worse than that, if you speak against any of the nonsense coming to you, you are extra bad. And they are surprised that fertility has fallen all over the place, seems like intended objective to me.
Its not perfect of course, neither am I.
But centering your ideological bubble is its own form of toxicity that is enabled by the internet.
Such as? Are any of those disagreements ideological?
If that all sounds too non-spicy, well, even mentioning the smaller things like JS vs TS on a mainstream Reddit page got people calling me a moron and my comment hidden because the score got too low. If I said it on a different page, maybe it would've been +100 score and everyone disagreeing with me booted instead, but that's not any better. Learned quickly not to bother with there.
HN isn't really a place for plain political discussions, so I don't participate in those. They do exist though, and end up getting locked. I'd probably be more right-wing than most.
Also using reddit as a baseline is like using a cesspool tank as a baseline of sanitation.
So what is your non-cesspool forum example that isn't Reddit? Twitter seemingly got taken over by bots early on, Facebook pages were a disaster at least when I was in college, and those are the big ones.
X optimizes for engagement and as studies have shown, that means optimizing for rage bait.
Reddit optimizes for rage bait too but includes a voting system that hides unpopular opinions, so any person that conflicts with the majority is marginalized. So on top of being full of rage bait, its an echo-chamber and that is before even talking about the powermod problem.
HN is much like reddit in style, so fundamentally HN also tends towards an echo chamber.
And by echo chamber, I mean a cringe circle jerk: a New Yorker article called it "performative erudition".
Gotta say though, it's rich hearing this from New Yorker.
There's also the fact that the big story in the USA right now is how some app got hacked exposing everyones IDs and the big story in the UK right now is that they want everyone to enforce ID verification for literally everything and they want people to think this is somehow safe and not just a time bomb waiting to blow
I have no idea why many hateful minds meet in places like that you mention; maybe it is some specific interactions that spark the noxious emotions, but I am no expert. It is similar to highschool extremely cool kid circles and fraternities, only for reverse reasons (alone together vs in a group)
Workmates, family, people of the streets and in shops. just so much angry toxic people. it's like a cultural change (am in Australia btw).
its not everybody but its a definitely larger number than I remember in the past few decades.
in the traditional db world, at least your db creds live on the server-side app.
Having used it several times, yeah I wouldn't entrust it to a dev team. It's gotten better lately but still seems like the gun is always pointed at your foot.
Also GCP, storing secrets properly in AppEngine is notoriously difficult and prone to accidental git-commit: https://stackoverflow.com/questions/58371905/how-to-handle-s...
True story.
/s btw
The is completely the fault of the people who made that app.
They have no fucking idea how to build systems if they can't figure out how to lock down Firebase. It isn't that hard.
Source: Multiple Firebase apps back in the day.
There are probably countless new projects today that are storing plaintext passwords, or not adding scoping, and so on.
Putting in scopes and ensuring data security for both users and system wide is on the developer.
You could have a SQL injection vuln, but any SQL lib will very clearly steer you to parameterized queries, and even then such a vuln takes some expertise to find and exploit.
I was able to access his data by simply accessing it figuring out his URL and other stuff. I told him to use supabase or DO deployment and set up proper roles and stuff…
I think you’re being way too charitable honestly and it’s dangerous. I won’t join you on that path of absolving the developer of any blame.
They don’t read the docs and they didn’t care simply put. Any production system needs to be tested especially if it will have PII data.
But sure blame firebase lol
Y’all can continue making excuses for people leaking PII. Peace.
We really need some sort of standard for sharing specific and limited authenticated info about ourselves to third-party websites that doesn't require sharing a full photo ID.
We really don't need a standard for sharing it online, at least nothing easy for businesses to implement. There are very few legitimate scenarios for an online service to ask for that. Online pharmacy, online signup with a bank, and online government interactions are the only that immediately come to mind.
I'm not even sure that the pharmacy case is legitimate now that I think about it. I don't need ID when I go in person. The prescriber can validate the mailing address for them.
Just to register for one-more-app / one-more-webboard? Nope.
Some private app for rating other human beings? Nope.
Providing a digital copy of my ID to someone who otherwise would have no copy of my ID, digital or otherwise, is a different matter.
I dislike it to such a degree that I try to avoid services that require it.
Sometimes, however, it's worth trying to access services without giving the ID and just saying oh I'd like to keep that private or just not providing it and submitting an application for services without it.
Additionally, try to apply in person as often they'll accept paper.
It doesn't work in the majority of situations but it's worth a try.
Actual banks (not fintech barnacles) enjoy a very privileged position in terms of verifying identity and legal mechanisms afforded to them.
If a non-bank actor can verify against an actual bank, that should be enough…
It is absurd that, for instance, a small saas/iaas provider should perform any form of KYC when we can match a successful payment against a bank.
For the IRS it doesn't even make sense because I can drop paper forms in the mail. Don't need any ID whatsoever for that.
Discovery of heinous defamation circles, doesn't sound like something to look away from or feel sorry for.
Frankly, I don’t waste my time online with toxic behavior. In real life, I might have a response. Online, it is too hard to get an idea if the interaction is even sincere.
1. The leak Friday was from firebase's file storage service
2. This one is about their firebase database service also being open (up until Saturday morning)
The tl;dr is:
1. App signed up using Firebase Auth
2. App traded Firebase Auth token to API for API token
3. API talked to Firebase DB
The issue is you could just take the Firebase Auth key, talk to Firebase directly, and they had the read/write/update/delete permissions open to all users so it opened up an IDOR exploit.
I pulled the data Friday night to have evidence to prove the information wasn't old like the previous leak and immediately reached out to 404media.
Here is a gist of Gemini 2.5 Pro summarizing 10k random posts: https://gist.github.com/jc4p/7c8ce9a7392f2cbc227f9c6a4096111...
And to be 100% clear, the data in this second "leak" is a 300MB JSON file that (hopefully) only exists on my computer, but I did see evidence that other people were communicating with the Firebase database directly.
If anyone is interested in the how: I signed up against Firebase Auth using a dummy email and password, retrieved an idToken, sent it into the script generated by this Claude convo: https://claude.ai/share/2c53838d-4d11-466b-8617-eae1a1e84f56
And here's the output of that script (any db that has <100 rows is something another "hacker" wrote to and deleted from): https://gist.github.com/jc4p/bc35138a120715b92a1925f54a9d8bb...
They seem generic enough that I think it's okay, but you're right there is no need in including them and I should've caught that in the AI output, thank you!!
Including the pseudonyms associated with those stories creates unnecessary risk of, and arguably incentive for those individuals.
I also just don't get the mindset of dumping something like this into an AI tool for a summary. You say "a 300MB JSON file that (hopefully) only exists on my computer" but then exposed part of that data to generate an AI summary.
Having the file on your computer is questionable enough but not treating it as something private to be professionally protected is IMHO another ethical violation.
This is why laws that say "just give websites your photo ID! It's for the safety of the children!" are concerning
Citation, anyone?
The app stores haven't pulled it because they are waiting for this to flow out of the news cycle and reduce the impact of this subset of our culture freaking out at them.
1. Wrt/ dating, the obvious downside is that your potential partner is dissuaded from dating you because of what is said on the platform.
2. I can also see vigilante justice; an extremist reaction to what is said on the platform. Actual violence, or just harassment, online or real life.
3. Or, I can see corporations using these databases on the down low to filter potential employees, similar to how they screen online presence as well.
Of course, all of these are just potential risks, not things that actually happen(ed yet).
Just because you don't want anything to do with the type of people who would post pictures of you and slander / shit talk you doesn't mean that you should want that being out there to begin with - it's not like that sort of thing hasn't ever been weaponized against someone before.
The worst part is with this app there is a high chance you'd never find out that anything was ever said about you until the snowball is so big that it'll crush any attempt to slow it down.
And yeah, I am trusting certain companies like Apple with some of my data to some extent.
They aren't so much picking sides based on their moral compass more picking sides to induce the least harm to bottom line.
This is why Google has a large number of scam dating apps on its app store. The apps I refer to are near/complete scams with 99% fake profiles and 1% lured, like the phishers of Myanmar, only these are Western. They bring big money in.
A while ago (about 3 years), I downloaded a ton of apps made (allegedly) to meet new people in cities you don't know (I was going to spend about 3 weeks at a friend and he would be busy with his job); Meet with Locals types of apps.
I shit you not, the vast majority were filled with scam profiles and a lot of what I assume is escort services/soft prostitution and whatnot.
So, I just deleted them all and just met people the old-fashioned way (which was just fine, not sure technology has a real use case for that); but it was an eye-opener.
Kiwifarms never gets this level of outrage going, and I’d argue it’s an order of magnitude more toxic to society than Tea would be