Latest news with #TeaOnHer

Controversial app for men to trash talk women hacked — just days after users doxxed on rival site for gals

New York Post

3 days ago


First came Tea, then came the spill. Weeks after hackers swiped user data from the Tea app — a 'rate your ex' app where women could swap dirt on dud dates — its testosterone-fueled twin, TeaOnHer, has suffered the same fate.

Billed as a 'safety' tool, the viral gossip hub let women swap stories about dud dates and potential predators — featuring undercover convos, ID verifications, number lookups and photo sleuthing to expose fake profiles.

But after simmering quietly for a year, the app boiled over in July 2025, landing in Apple's top three downloads. Not to be outdone, TeaOnHer launched last month — promising men their own place to dish about dates — and shot up the charts right beside its sister app.

Hackers struck Tea in July, swiping private chats and ID snaps and posting them on 4chan, as per 404 Media. Sleuths followed suit for TeaOnHer last week. TechCrunch said reporters cracked into the sensitive stash in minutes, thanks to an admin panel so wide open it didn't even ask for a login.

On August 14, one X user weighed in on how hackers broke in, writing, 'TeaOnHer, the app meant to combat the infamous 'TeaApp', is also a giant dumpster fire. It has been compromised.' 'THE DEVELOPER MADE HIS PASSWORD TO THE ADMIN PANEL 'Password1!'. IT WAS STORED IN PLAIN TEXT ON THE LANDING PAGE. WHAT THE F—K.'

Both Tea and TeaOnHer could be staring down class-action lawsuits from users whose private info hit the web, NBC News wrote. Since the original Tea app got busted, Redditors on r/technology have been roasting TeaOnHer for the same sloppy security.

As reported by The Daily Dot, one user wrote, 'Wait, so they saw what happened with the first app getting 'hacked' and decided, let's store user info in the same negligent way?' Some even wondered if the hack was a sting aimed at outing the men using the app. One tweeted, 'Was this just a revenge project made by the original with the only intention of doxxing some men?'

As previously reported by The Post, the initial Tea app had men breaking into a cold sweat — and not over forgetting their wallets on first dates. Users anonymously roasted exes and warned about sketchy dates as the app climbed the App Store charts, sparking a fiery clash between digital safety and online trash talk.

'I see men freaking out today about this Tea app,' TikTokker @azalialexi noted in a recent video. 'If you don't want things like this to exist, then maybe look into advocating for women's safety and actually holding your fellow men accountable.'

This week, TikTok user @ninadoesthemost observed that many women used the Tea app 'to expose people who be doing [domestic violence] and maybe got a restraining order,' or men who have secret children they 'don't show up for.' Men, however, would join TeaOnHer 'for a different reason.' She alleged, 'They're green flagging which girls are easy or good in bed.'

Others, however, feared that the concept of both apps had crossed the line into full-blown digital vigilantism. User @ warned viewers on TikTok to 'be careful' with them. He added that he could see the 'vision' behind the OG Tea app but stressed that he knew 'how vile' people who might use it could be.

'Hot take: The tea app is toxic,' wrote another, who sent a female friend undercover to snoop on what women were saying about him. 'These women were clearly just upset … I was honest with them and respectful.'

Whether it's Tea or TeaOnHer, one thing's clear: in the battle of digital dirt vs. privacy, nobody's coming out unscathed.

Of Course Men Made Their Own 'Tea' App—Meet "TeaOnHer"

Cosmopolitan

3 days ago


It should come as no great surprise that a platform literally called 'Tea' has brought on weeks of discourse and mass pandemonium. The app/whisper network was created by Sean Cook in 2023, as a measure for straight women to stay safe on the dating scene. Its users can review their experiences with different men and post pictures of guys they're currently involved with, the idea being that other local Tea-denizens can weigh in on their own negative and/or dangerous experiences via the comment section. Since its rise to popularity this summer, the app has seen its fair share of controversies. There have been data leaks, and plenty of questions about the legal privacy concerns. But now there's also an imitator. Earlier this month, a Wario emerged: the counterapp 'TeaOnHer' (super creative name), developed by the Newville Media Corporation, with a tagline to 'help men date safe.' Beyond the obvious gender flip, TeaOnHer has taken other liberties with the OG Tea app's structure. Men can still review women anonymously—women they may or may not have actually dated (there's no verification required to confirm the validity of claims made on either app), but the reviews themselves center around fairly different red flags than the ones you'd run across on Tea. On Tea, posts from users have covered a wide range of cautionary tales. You'll run into plenty of fairly common transgressions: 'he ghosted after the first date' or 'he takes weeks to text back.' These offenses are troubling as far as ego blows go, but you might question whether they warrant such mass exposure. It's the more serious posts—like the ones that flag a man with sexual assault allegations, or the men listed on the app's registered sex offender map—that clarify why there's a need for Tea. Gossip often offers protection. 
In no shock to anyone who's cautiously shared their location with three to four different people before a first date, casually dating cisgender, straight men can pose extreme threats to someone's physical safety. Naming and shaming key offenders arms women with the information they need to protect themselves. But if you think straight men dating women need a similar platform to air their woes, the offenses you'll find on TeaOnHer don't present a strong case as to why. Most posts read more like generic misogynistic complaints about women, the same kind you can find on any other social platform—just not with a person's picture, age, and legal first name attached. When I downloaded TeaOnHer to find out which alleged female delinquencies were being exposed, I also discovered the sign-up process is more casual in comparison to Tea 1.0. Both apps have you upload a selfie and legal identification. (That step made Tea's data leak all the more dangerous for the users who downloaded the app seeking advice and community in threatening dating situations.) But TeaOnHer lets you browse through profiles before your verifications are complete. So literally anyone (like myself) can read reviews about someone like Ashley, who's made the grave offense of 'being with hella guys,' or Jorden, who one user 'already cracked, but [is] tryna see if she's still outside.' TeaOnHer is being used in a way that undermines Tea's mission (a mission that ran into a drastic security-related hiccup, but was still a mission nonetheless). Its current usership seems more intent on 'evening the score' than helping men date safely. Critics online have called out the fact that the app's existence feels powered by toxic 'not all men' rhetoric. 'We made an app to protect ourselves, and they made one to violate us,' said one TikTok commentator. 
Others are calling attention to ways women can protect themselves against dangers that TeaOnHer can raise should you get posted: 'If you find your [picture] on there, gather evidence and take it to both criminal and civil court,' another TikTok commenter advised. Everyone deserves to feel safe while dating. If TeaOnHer existed for the sole purpose of providing men with a place to unpack uncomfortable experiences and warn their peers about ways to protect themselves, the app's mission wouldn't be mistaken for something sinister. Unfortunately, the way it's being used in reality—to shame and expose women—endangers more people than it helps. Right now, TeaOnHer—currently the second most downloaded app on the App Store—functions as a disheartening sign that we've reached another chapter in the internet's regressive gender wars. Only time will tell what new set of security issues and dangers will arise for the women it sets out to 'expose.'

TeaOnHer data breach exposes driver's licences, emails and private messages from app users

Express Tribune

4 days ago


TeaOnHer, a dating review app that allows men to post anonymous accounts of women they have dated, has suffered a major data breach, exposing sensitive user information. According to security researchers, the leaked data included driver's licences, selfies, email addresses and private messages. The information was reportedly publicly accessible until earlier this month. The vulnerability was fixed within a week after being reported by TechCrunch. At the time of the breach, TeaOnHer ranked as the second most downloaded free app on Apple's App Store, drawing significant public attention to the incident. This is not the first security issue involving a review-based dating platform. Just weeks earlier, the women-focused Tea app, which operates on a similar model, experienced a breach that exposed identification documents and other personal details of its users. Following that incident, Tea faced a second leak within days, which resulted in the exposure of 1.1 million private messages and forced the company to disable direct messaging on its platform. The latest TeaOnHer breach has prompted discussion among online users about potential legal action, with some suggesting a class action lawsuit against the developers over the repeated exposure of private information. TeaOnHer's developer, Newville Media Corporation, has yet to comment on the situation publicly. The Independent reported that attempts to reach the company by email were unsuccessful. The scale of the leaked material and the timing—coming so soon after a similar incident with Tea—has raised questions among users and privacy advocates about data protection measures and compliance with privacy laws in the dating app industry. Both incidents have also renewed debate over the ethics and security of anonymous review-based dating platforms, with calls from some quarters for stricter regulation and oversight of such services.

Thousands of users' personal data — including their IDs — were leaked from a popular male revenge dating app

Yahoo

4 days ago


Two apps that claim to help users date safely by sharing information about abusive or dishonest ex-partners have rocketed to the top of Apple's U.S. app store rankings. But as it turns out, both apps suffered from serious security flaws that exposed thousands of users' personal data to the internet. Tea, which became the number one most downloaded app on iPhone in July after going viral, lets women anonymously review men they've dated and bills itself as "the safest place to spill tea". Last week it was joined at the top of the charts by TeaOnHer, a copycat app that offers to "help men date safe" with "verified reports" about "red flags, safety concerns, and positive experiences". As of the time of publishing, TeaOnHer was the second most downloaded free app on the U.S. iPhone App Store, while Tea was the third. Now both apps are facing potential class action lawsuits after hackers and tech journalists discovered that they were spilling a different kind of tea: leaking users' ID documents, selfies, and in some cases emails and private messages. Tea rapidly took action to close the breach — but not before numerous angry (and seemingly mostly male) internet users gleefully downloaded and shared photos and ID documents from women who had used the app, according to 404 Media. Meanwhile, one week after TeaOnHer's breach was discovered by TechCrunch, the issue finally appears to have been fixed. But the company behind it has offered no public comment, nor any indication that it has notified users about their drivers' licenses being leaked. The company behind TeaOnHer also appears to have little web presence, and questions from The Independent to its only publicly accessible email address resulted in an automated bounceback. 
"It turns out that the kind of people who write and launch an app in less than two weeks are not the kind of people who feel the need to implement secure coding practices and strong privacy protections for the sensitive user data they ask you to upload," said Eva Galperin, director of cybersecurity at the privacy-focused Electronic Frontier Foundation, on Bluesky.

The breaches shine a light not only on the dysfunctions of modern dating — and people's hunger for a solution — but also on the ethical quandaries of naming and shaming individual exes online.

'Are men not allowed to protect their reputations and stay safe too?'

Tea was first launched in 2023, apparently inspired by "Are We Dating the Same Guy" Facebook groups, which serve as informal (and sometimes controversial) whisper networks about shady and abusive behavior. "Founder Sean Cook launched Tea after witnessing his mother's terrifying experience with online dating — not only being catfished but unknowingly engaging with men who had criminal records," the app's about page reads.

As well as user testimonials, the app allows users to run background checks, check criminal records, and search for sex offenders near them. All posts are anonymous, but the app asks users to take a selfie to prove they are a woman, and in the past has asked for photo ID to verify their identity.

"I once had a sexual assault happen when I was younger, and if there had been an app like this I think he would have a lot less victims," wrote one reviewer on Apple's app store. Another claimed that, within a day or two of using the app, she found evidence that a man she was courting was actually already married, leading her to confront him and then dump him.

Men who gave positive reviews to the much newer TeaOnHer protested that they too need protection from and foreknowledge of unscrupulous dates. "For weeks, women laughed while men were talked about anonymously — true or not — some lied on, and dragged online. But now that the tables are turning, suddenly it's uncomfortable?" wrote one. "Are men not allowed to protect their reputations and stay safe too? Are men the only abusers/liars/cheaters?"

But other reviewers expressed alarm at what they found on the app, describing posts more focused on exposing women's sexual pasts than on genuine safety issues. "This isn't accountability, this is misogyny under the guise of concern," said one.

'Under ten minutes' to steal users' ID cards

When Tea's data breach was revealed, the app's operators said it had fixed the issue and that it had only affected users who joined before February 2024. Then came a second breach, affecting more recent material and forcing Tea to shut down its direct message function.

The people behind TeaOnHer, however, have said nothing. Its maker Newville Media Corporation has no currently functioning website, and neither the company nor its CEO Xavier Lampkin responded to messages from The Independent.

TeaOnHer's security was particularly lax. According to TechCrunch, it took less than ten minutes and only 'trivial' effort to access driver's licenses and email addresses, with no password or credentials required.

The app requires all users to submit government ID verification, but its App Store page falsely claims not to collect any data from users. Apple's rules say that app makers must identify all the data they collect on their App Store page, unless it meets certain exception criteria. The Independent has asked Apple for comment.

How we found TeaOnHer spilling users' driver's licenses in less than 10 minutes

Yahoo

5 days ago


For an app all about spilling the beans on who you're allegedly dating, it's ironic that TeaOnHer was spilling the personal information of thousands of its users to the open web. TeaOnHer was designed for men to share photos and information about women they claim to have been dating. But much like Tea, the dating-gossip app for women it was trying to replicate, TeaOnHer had gaping holes in its security that exposed its users' personal information, including photos of their driver's licenses and other government-issued identity documents, as TechCrunch reported last week. These gated community-like apps were created ostensibly to let users share information about their relationships under the guise of personal safety. However, shoddy coding and security flaws highlight the ongoing privacy risks inherent in requiring users to submit sensitive information to use apps and websites. Such risks are only going to worsen; popular apps and web services are already having to comply with age verification laws that require people to submit their identity documents before they can be granted access to adult-themed content, despite the privacy and security risks associated with storing databases of people's personal information. When TechCrunch published our story last week, we did not publish specific details of the bugs we discovered in TeaOnHer, erring on the side of caution so as to not help bad actors exploit the bug. Instead, we decided to publish a limited disclosure, because of the app's rising popularity and the immediate risks that users faced when using the app. As of the time of disclosure, TeaOnHer was #2 in the free app charts on the Apple App Store, a position still held by the app today. The flaws we found appear to be resolved. TechCrunch can now share how we were able to find users' driver's licenses within 10 minutes of being sent a link to the app in the App Store, thanks to easy to find flaws in the app's public-facing backend system, or API. 
The app's developer, Xavier Lampkin, did not respond to multiple requests for comment after we submitted details of the security flaws, nor would Lampkin commit to notifying affected TeaOnHer users or state regulators of the security lapse. We also asked Lampkin if any security reviews were carried out before the TeaOnHer app was launched, but we got no reply. (We have more on disclosure later on.)

Alright, start the clock.

TeaOnHer exposed 'admin panel' credentials

Before we even downloaded the app, we first wanted to find out where TeaOnHer was hosted on the internet by looking at its public-facing infrastructure, such as its website and anything hosted on its domain. This is usually a good place to start as it helps understand what other services the domain is connected to on the internet.

To find the domain name, we first looked (by chance) at the app's listing on the Apple App Store to find the app's website. This can usually be found in its privacy policy, which apps must include before Apple will list them. (The app listing also claims the developer 'does not collect any data from this app,' which is demonstrably false, so take that as you will.)

TeaOnHer's privacy policy was in the form of a published Google Doc, which included an email address with a domain, but no website. The website wasn't public at the time, so with no website loading, we looked at the domain's public-facing DNS records, which can help to identify what else is hosted on the domain, such as the type of email servers or web hosting. We also wanted to look for any public subdomains that the developer might use to host functionality for the app (or host other resources that should probably not be public), such as admin dashboards, databases, or other web-facing services.

But when we looked at TeaOnHer's public internet records, it had no meaningful information other than a single subdomain, When we opened this page in our browser, what loaded was the landing page for TeaOnHer's API (for the curious, we uploaded a copy here). An API simply allows things on the internet to communicate with each other, such as linking an app to its central database.

It was on this landing page that we found the exposed email address and plaintext password (which wasn't that far off 'password') for Lampkin's account to access the TeaOnHer 'admin panel.' The API page showed that the admin panel, used for the document verification system and user management, was located at 'localhost,' which simply refers to the physical computer running the server and may not have been directly accessible from the internet. It's unclear if anyone could have used the credentials to access the admin panel, but this was in itself a sufficiently alarming finding.

At this point, we were only about two minutes in.

Otherwise, the API landing page didn't do much other than offer some indication as to what the API can do. The page listed several API endpoints, which the app needs to access in order to function, such as retrieving user records from TeaOnHer's database, for users to leave reviews, and sending notifications. With knowledge of these endpoints, it can be easier to interact with the API directly, as if we were imitating the app itself.

Every API is different, so learning how an API works and how to communicate with one can take time to figure out, such as which endpoints to use and the parameters needed to effectively speak its language. Apps like Postman can be helpful for accessing and interacting directly with APIs, but this requires time and a certain degree of trial and error (and patience) to make APIs spit out data when they shouldn't. But in this case, there was an even easier way.

TeaOnHer API allowed unauthenticated access to user data

This API landing page included an endpoint called /docs, which contained the API's auto-generated documentation (powered by a product called Swagger UI) that contained the full list of commands that can be performed on the API. This documentation page was effectively a master sheet of all the actions you can perform on the TeaOnHer API as a regular app user, and more importantly, as the app's administrator, such as creating new users, verifying users' identity documents, moderating comments, and more.

The API documentation also featured the ability to query the TeaOnHer API and return user data, essentially letting us retrieve data from the app's backend server and display it in our browser. While it's not uncommon for developers to publish their API documentation, the problem here was that some API requests could be made without any authentication — no passwords or credentials were needed to return information from the TeaOnHer database. In other words, you could run commands on the API to access users' private data that should not have been accessible to a user of the app, let alone anyone on the internet. All of this was conveniently and publicly documented for anyone to see.

Requesting a list of users currently in the TeaOnHer identity verification queue, for example — no more than pressing a button on the API page, nothing fancy here — would return dozens of account records on people who had recently signed up to TeaOnHer. The records returned from TeaOnHer's server contained users' unique identifiers within the app (essentially a string of random letters and numbers), their public profile screen name, and self-reported age and location, along with their private email address. The records also included web address links containing photos of the users' driver's licenses and corresponding selfies.

Worse, these photos of driver's licenses, government-issued IDs, and selfies were stored in an Amazon-hosted S3 cloud server set as publicly accessible to anyone with their web addresses. This public setting lets anyone with a link to someone's identity documents open the files from anywhere with no restrictions.

With that unique user identifier, we could also use the API page to directly look up individual users' records, which would return their account data and any of their associated identity documents. With uninhibited access to the API, a malicious user could have scraped huge amounts of user data from the app, much like what happened with the Tea app to begin with.

From bean to cup, that was about 10 minutes, and we hadn't even logged in to the app yet. The bugs were so easy to find that it would be sheer luck if nobody malicious found them before we did. We asked, but Lampkin would not say if he has the technical ability, such as logs, to determine if anyone had used (or misused) the API at any time to gain access to users' verification documents, such as by scraping web addresses from the API.

In the days since our report to Lampkin, the API landing page has been taken down, along with its documentation page, and it now displays only the state of the server that the TeaOnHer API is running on as 'healthy.' At least on cursory tests, the API now appears to rely on authentication, and the previous calls made using the API no longer work. The web addresses containing users' uploaded identity documents have also been restricted from public view.

TeaOnHer developer dismissed efforts to disclose flaws

Given that TeaOnHer had no official website at the time of our findings, TechCrunch contacted the email address listed on the privacy policy in an effort to disclose the security lapses. But the email bounced back with an error saying the email address couldn't be found.

We also tried contacting Lampkin through the email address on his website, Newville Media, but our email bounced back with the same error message. TechCrunch reached Lampkin via LinkedIn message, asking him to provide an email address where we could send details of the security flaws. Lampkin responded with a general 'support' email address. When TechCrunch discloses a security flaw, we reach out to confirm first that a person or company is the correct recipient. Otherwise, blindly sending details of a security bug to the wrong person could create a risk. Before sharing specific details of the flaws, we asked the recipient of the 'support' email address if this was the correct address to disclose a security exposure involving TeaOnHer user data. 'You must have us confused with 'the Tea app',' Lampkin replied by email. (We hadn't.) 'We don't have a security breach or data leak,' he said. (It did.) 'We have some bots at most but we haven't scaled big enough to be in that conversation yet, sorry you were misinformed.' (We weren't.) Satisfied that we had established contact with the correct person (albeit not with the response we received), TechCrunch shared details of the security flaws, as well as several links to exposed driver's licenses, and a copy of Lampkin's own data to underscore the severity of the security issues. 'Thank you for this information. This is very concerning. We are going to jump on this right now,' said Lampkin. Despite several follow-up emails, we have not heard from Lampkin since we disclosed the security flaws. It doesn't matter if you're a one-person software shop or a billionaire vibe coding through a weekend: Developers still have a responsibility to keep their users' data safe. If you can't keep your users' private data safe, don't build it to begin with. If you have evidence of a popular app or service leaking or exposing information, get in touch. 
You can securely contact this reporter via encrypted message at zackwhittaker.1337 on Signal.
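
The exposure described above came down to documented API operations that needed no credentials. As an added example (not TechCrunch's or TeaOnHer's code), here is a pre-release check an API owner could run over their own OpenAPI document, the format Swagger UI renders, to list operations with no effective security requirement. The sample spec, its paths and its scheme names are constructed, and the article does not say which framework TeaOnHer used.

```python
"""Audit an OpenAPI 3 document for operations callable without credentials.

Added example; the spec below is constructed and every path in it is hypothetical.
"""
import json

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head", "trace"}

# Constructed sample input (not taken from any real service).
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "info": {"title": "constructed sample", "version": "0"},
  "components": {
    "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}
  },
  "paths": {
    "/health": {"get": {"security": []}},
    "/verification/queue": {"get": {}},
    "/users/{user_id}": {
      "parameters": [{"name": "user_id", "in": "path", "required": true}],
      "get": {"security": [{"bearerAuth": []}]},
      "delete": {"security": [{"bearerAuth": []}, {}]}
    },
    "/reviews": {"post": {"security": [{"apiKey": []}]}}
  }
}
""")


def audit_spec(spec, allow_anonymous=("/health",)):
    """Return (operation, reason) pairs for operations that need review.

    OpenAPI rules applied:
      * an operation-level "security" key overrides the top-level one;
      * a missing or empty requirement list means no authentication;
      * an empty object {} inside the list makes authentication optional;
      * every scheme name must be declared under components.securitySchemes.
    Paths in allow_anonymous are intentionally public and are not reported
    for missing authentication.
    """
    declared = set(spec.get("components", {}).get("securitySchemes", {}))
    default = spec.get("security")  # top-level requirement, may be absent
    findings = []
    for path, item in sorted(spec.get("paths", {}).items()):
        for method, op in sorted(item.items()):
            # Path items also carry non-operation keys such as "parameters".
            if method not in HTTP_METHODS or not isinstance(op, dict):
                continue
            reqs = op["security"] if "security" in op else default
            label = f"{method.upper()} {path}"
            if not reqs or any(r == {} for r in reqs):
                if path in allow_anonymous:
                    continue
                findings.append((label, "callable without credentials"))
                continue
            unknown = sorted({name for r in reqs for name in r} - declared)
            if unknown:
                findings.append((label, "undeclared scheme: " + ", ".join(unknown)))
    return findings


if __name__ == "__main__":
    for operation, reason in audit_spec(SAMPLE_SPEC):
        print(f"{operation}: {reason}")
```

A clean report only shows that the document declares authentication; whether the server enforces it still has to be confirmed with request-level tests against your own deployment.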
