Out of curiosity I downloaded the larger size one - 200+GB I think (not at my computer right now) and skim through it every now and then. It's depressing - so much toxicity. Everyone seems mentally ill to me - male and female. This is a world completely alien to me and the people close to me.
kbelder · 4h ago
Right, "a pox on both their houses". The leakers, the people using the app, the men, the women, all seem gross. There are innocent men and women swept up in this, but it just seems like an unsavory neighborhood of the internet that people should avoid.
WD-42 · 4h ago
That’s how I see it. There’s so much negativity surrounding this entire app - best to avoid interacting with it in any way on either side.
monkeywork · 3h ago
I don't look down on the leakers any more than I would with any other security breach being released (I certainly didn't hear people using this same language of disgust over say 4chan being hacked or back in the day when Ashley Madison was hacked).
For me the only people I'm looking at with disgust is those who were using said app... it was a gossip cesspool with no way to verify any of the claims being said and a breeding pool for hateful posts against people you dislike.
The meme floating around of "I joined a site to dox and spread personal info about people got hacked and now my personal information is being spread around waahhahaaa" is pretty damn accurate and makes me not feel bad for them at all.
runsWphotons · 3h ago
Sounds like Reddit
slg · 3h ago
There is something offputting about the condescending nature of this comment as if the admission that you downloaded and poked through the private personal data of thousands of people just "out of curiosity" wouldn't be viewed by some as "completely alien" and borderline "mentally ill" behavior.
This is the type of story that is almost perfectly calibrated to reveal a lot of the biases of a place like HN and this specific comment is a great example of that.
AuthAuth · 2h ago
Its public info, you cant cover your eyes and pretend it doesnt exist right there for everyone to see. Thats the reason why leaks are so bad.
neilv · 1h ago
If someone gets beaten up and left in the street, and, consequently, their wallet is laying right there beside their unconscious body, is it OK for you to take their wallet?
I mean, you can't pretend the wallet isn't right there, for everyone to see, just begging for someone to take it? This is why beatdowns are so wrong? The person who takes the wallet is as much a victim as anyone? Blame society?
GloomyBoots · 34m ago
This feels like a very dated metaphor. When my older brother introduced me Napster, was I actually rifling through Lars Ulrich’s wallet and shaking out mp3s?
In this case, a clone of the wallet has been preserved for all and sundry to peruse. Is it really wrong as a genuinely curious person not to pretend it isn’t there?
There’s a lot to be said about privacy on the Internet. I don’t think there’s much to be gained by attacking those who, out of genuine curiosity, don’t abide by the same polite fictions as the rest of us. I dont like browsing random strangers’ PII. I tend to hope those who do show due respect. And don’t see any sign of malice in GP.
Loughla · 4h ago
Believe it or not, the Internet has not helped people be better in many cases. Sometimes it enables the worst of our personalities to really shine through.
aydyn · 3h ago
Absolutely. Its funny when people on HN unironically claim this site to be a tiny miraculous exception.
frollogaston · 3h ago
This really is the most friendly forum I've been on that isn't something ultra-specific like crownvic.net
chrisg23 · 1h ago
I'm new here but I agree. The ratio of discussions to arguments here is like the inverse of most large forums.
Its not perfect of course, neither am I.
7thaccount · 3h ago
Is that a forum for people with crown Victoria vehicles?
frollogaston · 3h ago
Yeah. I'm not signed up there, just end up finding advice and docs there often if I'm fixing something on my Vic.
claudiulodro · 3h ago
Was not expecting to see crownvic.net on HN! Definitely the best and friendliest resource for the Panther platform!
frollogaston · 2h ago
The Panthers show up when you least expect them.
jasonm23 · 3h ago
s/Sometimes/By default/
jamal-kumar · 3h ago
There is the AWDTSG social media groups that this app shamelessly took the idea from in an attempt to monetize it, and the thing is that these groups probably serve the exact same function just fine without egregious mistakes in the name of move fast and break things techbro profit like 'exposed s3 buckets a literal child could have found' regardless of anyone's opinion on whether they should exist or not
There's also the fact that the big story in the USA right now is how some app got hacked exposing everyones IDs and the big story in the UK right now is that they want everyone to enforce ID verification for literally everything and they want people to think this is somehow safe and not just a time bomb waiting to blow
catlikesshrimp · 3h ago
To add something useful, I have been in mental asylums. There are physically dangerous people who aren't full of negative emotions. Most psychiatric patients don't have ill feelings towards others in general, only toward themselves.
I have no idea why many hateful minds meet in places like that you mention; maybe it is some specific interactions that spark the noxious emotions, but I am no expert. It is similar to highschool extremely cool kid circles and fraternities, only for reverse reasons (alone together vs in a group)
throwanem · 5h ago
Miłosz would recognize it, I think.
tempnew · 3h ago
The poet? Murti-bing pills?
dzonga · 5h ago
where from ? so I can explore too ?
marethyu · 3h ago
All I can find is this magnet link: magnet:?xt=urn:btih:brl45s3ysyotj6ljolmtnrlvfmyv4y7s&dn=tea&xl=59368985613&fc=57794 but this is not 200gb one...
senectus1 · 2h ago
I dont know if this is just my 50 yr old view of the world... but imho there is a lot this going around.
Workmates, family, people of the streets and in shops. just so much angry toxic people. it's like a cultural change (am in Australia btw).
its not everybody but its a definitely larger number than I remember in the past few decades.
fsckboy · 4h ago
or, these are normies, emotional people who let their feelings out, and you hang around other aspies who are convinced that rationality is the one true god and feelings must be controlled, suppressed, denied. there's no way to tell from your persective, i'm just saying there's two sides to this story, in addition to the 2 sides (M vs F) that you mention.
reactordev · 3h ago
Nah, as a middle aged person at the bottom of the dating pool, there’s a lot of delusional thinking. A lot. A lot a lot. For example, me: 42, divorced, not rich but not poor - six figure income, her: 36, was “career oriented” but now feels like she missed the boat on kids; her: “If you don’t propose within the first 3 months, you’re not interested in marriage, just wasting time.” Also her: “A man is supposed to take care of me.” Again her: “what’s his is mine and what’s mine is mine”. This is the delusional thinking that exists in the dating world. That some rich Prince Charming is going to come save the hard working but hard partying girl who just realized she’s a woman.
I deleted my apps and will just eventually die alone.
wredcoll · 2h ago
I think the important thing is to generalize from this one experience and apply sweeping stereotypes to massivr groups of people.
frollogaston · 1h ago
It's not right, but the real average is a kinda tough situation too, not anyone's fault really. Most family-oriented women aren't waiting til 36, most younger women aren't dating with 10+ year age gap, being divorced makes it harder no matter what the reason is. I have some relatives dealing with this.
reactordev · 1h ago
Yup - I’ll just wait for someone else’s marriage to fall apart and then I’ll find my person :D
pureagave · 3h ago
This is such a fair read on the situation in America. Hang in there man. You can escape it but you need to leave the country.
reactordev · 3h ago
I’m waiting for my own EU savior to give me safe passage :D we all have our delusions. Come here on vacation… partially fluent in Spanish, English, and can get by with French, German, Italian, Portuguese.
9cb14c1ec0 · 3h ago
Rather than dying alone, find a robust offline community of people, and seek a partner there.
igor47 · 5h ago
imho, as much as i like firebase, i think the design encourages this kind of broken security model. the default is open-to-the-world with credentials in the client app. setting up firebase permissions is kind of a pain.
in the traditional db world, at least your db creds live on the server-side app.
frollogaston · 4h ago
Firebase's DB (Firestore) being almost default-allow is even funnier, and that was the core functionality from the start, leading to tons of huge breaches over the years. At least a public file bucket is a more valid use case, except I'm guessing they left the "list files" permission open. Edit: Oh, chat DB is probably Firestore, so they left that open too, nice.
Having used it several times, yeah I wouldn't entrust it to a dev team. It's gotten better lately but still seems like the gun is always pointed at your foot.
It's to this kind of quality engineering that they want me to entrust my ID so I can watch pr0n or insult a politician online. Jesus.
frollogaston · 3h ago
Are they specifically using Firebase for that? I'm not saying GCP is unsafe in general, just Firebase.
darth_avocado · 4h ago
I wonder why I learnt “deny by default is a good starting point” in an undergraduate computer science course decades ago.
sudoshred · 2h ago
My naive understanding is that is the same approach taught in introductory law school.
moomoo11 · 4h ago
bro going to university is so overrated, just start vibe coding xD
/s btw
moomoo11 · 4h ago
I'm a fan of rolling actual databases, but please don't blame Firebase.
The is completely the fault of the people who made that app.
They have no fucking idea how to build systems if they can't figure out how to lock down Firebase. It isn't that hard.
Source: Multiple Firebase apps back in the day.
tbrownaw · 3h ago
No, hazardous defaults can be a source of fault for the entity providing them.
BoorishBears · 1h ago
I blame Firebase, this is the 2nd app I saw get owned this way in the last 2 weeks, similar complete break-in including user data
mg794613 · 5h ago
"Worsens" is relative.
Discovery of heinous defamation circles, doesn't sound like something to look away from or feel sorry for.
fn-mote · 4h ago
> doesn't sound like something to look away from
Frankly, I don’t waste my time online with toxic behavior. In real life, I might have a response. Online, it is too hard to get an idea if the interaction is even sincere.
mg794613 · 3h ago
You're completely right, sorry, I meant more for authorities, not you or me.
deepfriedchokes · 4h ago
So this is an app where people defame others? Would these leaked communications expose their users to libel charges?
Gigachad · 4h ago
I doubt it if they were private communications.
Perceval · 2h ago
Even private written communications can be libel if they are false and injure the reputation of the subject.
mensetmanusman · 45m ago
Not as part of a mass hack where one could just argue it’s fake data.
dlcarrier · 5h ago
This is why I immediately nope out of anything that requests a copy of a photo ID.
dom96 · 4h ago
Then how do you live in this world? You cannot avoid providing a copy of your photo ID to someone at some point in your life.
We really need some sort of standard for sharing specific and limited authenticated info about ourselves to third-party websites that doesn't require sharing a full photo ID.
fc417fc802 · 4h ago
You can't avoid it, but you can choose to refuse unless there is a legitimate need for it. Very few brick and mortar interactions require it, and at least historically a copy wasn't retained but rather verified on the spot by the business agent.
We really don't need a standard for sharing it online, at least nothing easy for businesses to implement. There are very few legitimate scenarios for an online service to ask for that. Online pharmacy, online signup with a bank, and online government interactions are the only that immediately come to mind.
I'm not even sure that the pharmacy case is legitimate now that I think about it. I don't need ID when I go in person. The prescriber can validate the mailing address for them.
tempnew · 3h ago
If you need to buy Sudafed in a pharmacy you need a drivers license, and I believe they record the information somehow. Presumably online alcohol or marijuana sales would also require some retained evidence that a dl was presented. Maybe car insurance too.
hn_acc1 · 4h ago
Sure, if I'm applying for a mortgage, or boarding an airplane.
Just to register for one-more-app / one-more-webboard? Nope.
WD-42 · 4h ago
You use judgement. I’d upload my id to a passport renewal site provided by the govt.
Some private app for rating other human beings? Nope.
tough · 3h ago
you have higher trust in your government IT services than I do on mine
WD-42 · 3h ago
Well I hope you didn’t trust this particular private app!
djoldman · 3h ago
This is a great question.
I dislike it to such a degree that I try to avoid services that require it.
Sometimes, however, it's worth trying to access services without giving the ID and just saying oh I'd like to keep that private or just not providing it and submitting an application for services without it.
Additionally, try to apply in person as often they'll accept paper.
It doesn't work in the majority of situations but it's worth a try.
gruez · 3h ago
Any sort of fintech (including crypto exchanges) is going to require photo ID scans (and possibly even some sort of live selfie stream, to make sure the scan isn't from some leak) for KYC reasons.
tbrownaw · 3h ago
Last time I did a certification exam (CKA) I had to provide an ID to the online proctoring people.
klipklop · 4h ago
Seems like Western governments are pushing for this to be the default to interact with almost any website soon enough. You know, to "protect the children." Soon you will have to nope out of the entire internet.
paulpauper · 4h ago
maybe AI will become good enough to create realistic IDs
iszomer · 4h ago
Especially the IRS? eg, ID.me?
zamadatix · 4h ago
Most people don't actually require ID.me to deal with the IRS, even if e-filing.
frollogaston · 4h ago
If you lost your last return and need to request a transcript, I think it's your only option
fc417fc802 · 4h ago
I mean yeah, I'm extremely uncomfortable with commercial ID solutions when accessing government services. When I can I even avoid government websites that have captchas or other third party resources on them but that's becoming increasingly unworkable. It's absurd that I should be required to leak my personal information to third parties in order to make use of a government service (ie something with no competition that I am legally obligated to use).
For the IRS it doesn't even make sense because I can drop paper forms in the mail. Don't need any ID whatsoever for that.
iszomer · 3h ago
I don't trust dropping any PII/payment-related forms in the mail either, stemmed from a recent experience in which a NYC's DoF had used my information to pay for services on my behalf without authorization.
jc4p · 2h ago
Hi all, i'm the security researcher mentioned in the article -- just to be clear:
1. The leak Friday was from firebase's file storage service
2. This one is about their firebase database service also being open (up until Saturday morning)
The tl;dr is:
1. App signed up using Firebase Auth
2. App traded Firebase Auth token to API for API token
3. API talked to Firebase DB
The issue is you could just take the Firebase Auth key, talk to Firebase directly, and they had the read/write/update/delete permissions open to all users so it opened up an IDOR exploit.
I pulled the data Friday night to have evidence to prove the information wasn't old like the previous leak and immediately reached out to 404media.
And to be 100% clear, the data in this second "leak" is a 300MB JSON file that (hopefully) only exists on my computer, but I did see evidence that other people were communicating with the Firebase database directly.
If anyone is interested in the how: I signed up against Firebase Auth using a dummy email and password, retrieved an idToken, sent it into the script generated by this Claude convo: https://claude.ai/share/2c53838d-4d11-466b-8617-eae1a1e84f56
Yes! haha! But hopefully I have a good enough support group and connections that I'll be ok if that happens, I just really wanted to prove that they were not being honest when they said it was data prior to 2024.
exabrial · 4h ago
I think it's wrong to upload someone's photo without their consent or knowledge, but I don't think this is right either.
joshdavham · 3h ago
This is correct. While I’m not sad about Tea’s most toxic users being exposed, there were likely also many innocent women caught in the crossfire who likely just signed up out curiosity.
nsksl · 3h ago
Live by the sword.
general1726 · 4h ago
Tea app looks like Kiwi farms, but for girls.
fruitworks · 3h ago
At what point do you just pull the plug out of the wall
booleandilemma · 4h ago
What happened with this app feels like karma.
OutOfHere · 3h ago
Yet, the app is alive and thriving. For some reason, Google and Apple are protecting it.
monkeywork · 3h ago
because news articles and media are putting out this narrative that the site was a "safety tool" that was critical in allowing women to "protect themselves", instead of what it actually was: a gossip and hate-spewing site with zero oversight/recourse for anyone who is being slandered.
The app stores haven't pulled it because they are waiting for this to flow out of the news cycle and reduce the impact of this subset of our culture freaking out at them.
cwmoore · 3h ago
You are now permanently banned from /r/TwoXChromosomes
frollogaston · 3h ago
Say I were single and ended up being slandered on that site, what would happen? Sounds like the users on there are not the kind I'd want near me anyway.
monkeywork · 2h ago
That's the equiv of saying I don't need privacy because I have nothing to hide.
Just because you don't want anything to do with the type of people who would post pictures of you and slander / shit talk you doesn't mean that you should want that being out there to begin with - it's not like that sort of thing hasn't ever been weaponized against someone before.
The worst part is with this app there is a high chance you'd never find out that anything was ever said about you until the snowball is so big that it'll crush any attempt to slow it down.
_--__--__ · 2h ago
There is no safe amount of attention from people who spend their time sharing 'drama' online. The most extreme example is the kiwifarms lolcow stuff, but even very normal and boring internet 'microcelebs' learn the hard way that some insane person somewhere will decide they don't like you and go out of their way to interfere with your life and relationships.
booleandilemma · 1h ago
Imagine being shadow banned from dating.
frollogaston · 1h ago
That's only if normal women are on that website. Which could happen, but sounds like it was a weird place.
tough · 3h ago
if the US govt had told the company to get their shit together or close up after the first leak, the second one wouldn't have happened
scarmig · 1h ago
<tinfoil>Google is invested in ratcheting up the war behind the sexes, because it atomizes people and makes them prime targets for an upcoming companion AI product.</tinfoil>
cmxch · 2h ago
They wouldn’t protect it if it were a male oriented dating safety app.
monkeywork · 50m ago
because there is no subset of our current culture that would go scorched earth on them over the removal.
They aren't so much picking sides based on their moral compass more picking sides to induce the least harm to bottom line.
cmxch · 2h ago
Consider advocating for data privacy that makes Tea a nonstarter?
singleshot_ · 4h ago
> This information was stored in accordance with law enforcement requirements related to cyber-bullying investigations.
Citation, anyone?
budududuroiu · 3h ago
While I think this app is disgusting, it’s kinda interesting to see the outrage that this app generated.
Kiwifarms never gets this level of outrage going, and I’d argue it’s an order of magnitude more toxic to society than Tea would be
yanderekko · 3h ago
KF never topped the app store charts, nor had the widespread defense that Tea did.
For me the only people I'm looking at with disgust is those who were using said app... it was a gossip cesspool with no way to verify any of the claims being said and a breeding pool for hateful posts against people you dislike.
The meme floating around of "I joined a site to dox and spread personal info about people got hacked and now my personal information is being spread around waahhahaaa" is pretty damn accurate and makes me not feel bad for them at all.
This is the type of story that is almost perfectly calibrated to reveal a lot of the biases of a place like HN and this specific comment is a great example of that.
I mean, you can't pretend the wallet isn't right there, for everyone to see, just begging for someone to take it? This is why beatdowns are so wrong? The person who takes the wallet is as much a victim as anyone? Blame society?
In this case, a clone of the wallet has been preserved for all and sundry to peruse. Is it really wrong as a genuinely curious person not to pretend it isn’t there?
There’s a lot to be said about privacy on the Internet. I don’t think there’s much to be gained by attacking those who, out of genuine curiosity, don’t abide by the same polite fictions as the rest of us. I dont like browsing random strangers’ PII. I tend to hope those who do show due respect. And don’t see any sign of malice in GP.
Its not perfect of course, neither am I.
There's also the fact that the big story in the USA right now is how some app got hacked exposing everyones IDs and the big story in the UK right now is that they want everyone to enforce ID verification for literally everything and they want people to think this is somehow safe and not just a time bomb waiting to blow
I have no idea why many hateful minds meet in places like that you mention; maybe it is some specific interactions that spark the noxious emotions, but I am no expert. It is similar to highschool extremely cool kid circles and fraternities, only for reverse reasons (alone together vs in a group)
Workmates, family, people of the streets and in shops. just so much angry toxic people. it's like a cultural change (am in Australia btw).
its not everybody but its a definitely larger number than I remember in the past few decades.
I deleted my apps and will just eventually die alone.
in the traditional db world, at least your db creds live on the server-side app.
Having used it several times, yeah I wouldn't entrust it to a dev team. It's gotten better lately but still seems like the gun is always pointed at your foot.
Also GCP, storing secrets properly in AppEngine is notoriously difficult and prone to accidental git-commit: https://stackoverflow.com/questions/58371905/how-to-handle-s...
/s btw
The is completely the fault of the people who made that app.
They have no fucking idea how to build systems if they can't figure out how to lock down Firebase. It isn't that hard.
Source: Multiple Firebase apps back in the day.
Discovery of heinous defamation circles, doesn't sound like something to look away from or feel sorry for.
Frankly, I don’t waste my time online with toxic behavior. In real life, I might have a response. Online, it is too hard to get an idea if the interaction is even sincere.
We really need some sort of standard for sharing specific and limited authenticated info about ourselves to third-party websites that doesn't require sharing a full photo ID.
We really don't need a standard for sharing it online, at least nothing easy for businesses to implement. There are very few legitimate scenarios for an online service to ask for that. Online pharmacy, online signup with a bank, and online government interactions are the only that immediately come to mind.
I'm not even sure that the pharmacy case is legitimate now that I think about it. I don't need ID when I go in person. The prescriber can validate the mailing address for them.
Just to register for one-more-app / one-more-webboard? Nope.
Some private app for rating other human beings? Nope.
I dislike it to such a degree that I try to avoid services that require it.
Sometimes, however, it's worth trying to access services without giving the ID and just saying oh I'd like to keep that private or just not providing it and submitting an application for services without it.
Additionally, try to apply in person as often they'll accept paper.
It doesn't work in the majority of situations but it's worth a try.
For the IRS it doesn't even make sense because I can drop paper forms in the mail. Don't need any ID whatsoever for that.
1. The leak Friday was from firebase's file storage service
2. This one is about their firebase database service also being open (up until Saturday morning)
The tl;dr is:
1. App signed up using Firebase Auth
2. App traded Firebase Auth token to API for API token
3. API talked to Firebase DB
The issue is you could just take the Firebase Auth key, talk to Firebase directly, and they had the read/write/update/delete permissions open to all users so it opened up an IDOR exploit.
I pulled the data Friday night to have evidence to prove the information wasn't old like the previous leak and immediately reached out to 404media.
Here is a gist of Gemini 2.5 Pro summarizing 10k random posts: https://gist.github.com/jc4p/7c8ce9a7392f2cbc227f9c6a4096111...
And to be 100% clear, the data in this second "leak" is a 300MB JSON file that (hopefully) only exists on my computer, but I did see evidence that other people were communicating with the Firebase database directly.
If anyone is interested in the how: I signed up against Firebase Auth using a dummy email and password, retrieved an idToken, sent it into the script generated by this Claude convo: https://claude.ai/share/2c53838d-4d11-466b-8617-eae1a1e84f56
And here's the output of that script (any db that has <100 rows is something another "hacker" wrote to and deleted from): https://gist.github.com/jc4p/bc35138a120715b92a1925f54a9d8bb...
The app stores haven't pulled it because they are waiting for this to flow out of the news cycle and reduce the impact of this subset of our culture freaking out at them.
Just because you don't want anything to do with the type of people who would post pictures of you and slander / shit talk you doesn't mean that you should want that being out there to begin with - it's not like that sort of thing hasn't ever been weaponized against someone before.
The worst part is with this app there is a high chance you'd never find out that anything was ever said about you until the snowball is so big that it'll crush any attempt to slow it down.
They aren't so much picking sides based on their moral compass more picking sides to induce the least harm to bottom line.
Citation, anyone?
Kiwifarms never gets this level of outrage going, and I’d argue it’s an order of magnitude more toxic to society than Tea would be