Full Report
Makers of the app for women called Tea are continuing to respond to an intrusion into a "legacy data storage system" that exposed photos of users, including images of driver's licenses.
Analysis Summary
# Incident Report: Tea App User Data Breach via Exposed Storage
## Executive Summary
A significant data breach occurred at the Tea dating safety app, resulting from unauthorized access to a legacy data storage system. Attackers exfiltrated approximately 72,000 images, including sensitive driver's license photos submitted by users who signed up before February 2024. The exposure was traced to a publicly accessible, unauthenticated Firebase storage bucket, leading to the posting of stolen data on online forums and subsequent use to track user locations.
## Incident Details
- Discovery Date: Early Friday morning (when the unauthorized access was discovered, via the threat actors' public posts)
- Incident Date: Early Friday morning (when unauthorized access began)
- Affected Organization: Tea App
- Sector: Technology/Mobile Application (Dating/Safety App)
- Geography: Not explicitly stated; the exposed data involved US users (Army bases are referenced in the reporting).
## Timeline of Events
### Initial Access
- **Date/Time:** Early Friday morning
- **Vector:** Misconfigured/Exposed Cloud Storage (Firebase)
- **Details:** Attackers gained unauthorized access to a **legacy data storage system** containing user data from before February 2024. Reports suggest user verification submissions (including IDs) were stored in a **public Firebase storage bucket that did not require authentication**.
### Lateral Movement
- *Not explicitly detailed, as the compromise appeared to be direct access to the storage location rather than traditional internal network pivoting.*
### Data Exfiltration/Impact
- **Date/Time:** Escalated on Saturday/Sunday
- **Details:** Approximately 72,000 images were accessed, including 13,000 ID/selfie verification images and 59,000 images from public posts/messages. The data was posted on 4chan and cybercriminal forums. Threat actors used state IDs to **map out the locations of Tea users**.
### Detection & Response
- **How it was discovered:** The company confirmed reporting from 404 Media; the breach became public through posts by the threat actors on online platforms (4chan, X) starting Friday.
- **Response actions taken:** Confirmed hiring cybersecurity experts and working to secure systems.
## Attack Methodology
- **Initial Access:** Exploitation of misconfigured cloud storage (publicly accessible, unauthenticated Firebase bucket).
- **Persistence:** *Not explicitly detailed; the activity appears to have been direct data retrieval, with no persistence mechanism reported.*
- **Privilege Escalation:** *Not applicable; access was likely direct due to configuration error.*
- **Defense Evasion:** *Not applicable; the storage was inherently open to the public.*
- **Credential Access:** *None explicitly mentioned; access was to stored files.*
- **Discovery:** *Not detailed; the bucket was publicly exposed, so no internal reconnaissance was needed to locate the data.*
- **Lateral Movement:** *Not applicable.*
- **Collection:** Direct download/access of files from the open cloud storage bucket.
- **Exfiltration:** Download of the files from the open bucket; the collected data (55 GB mentioned in one forum post) was then posted to 4chan and cybercriminal forums.
- **Impact:** Exposure of PII, including driver's licenses and selfies, leading to location mapping of users.
## Impact Assessment
- **Financial:** Not quantified; expected costs include the security investigation, hiring outside experts, and likely regulatory fines and remediation.
- **Data Breach:** Approximately 72,000 images accessed, including ~13,000 driver's license photos and 59,000 other user-uploaded images. Impacted users who signed up before February 2024.
- **Operational:** Business operations likely disrupted due to required immediate security remediation and public scrutiny.
- **Reputational:** Severe reputational damage due to breach of trust, especially since the app promised data deletion and its mission involved safety/trust.
## Indicators of Compromise
- **Network indicators:** Not provided in the article; specific domains or IPs of the threat actors or exfiltration hosts were not listed.
- **File indicators:** Batches of data (up to 55 GB) containing driver's licenses and selfies appearing on 4chan and cybercriminal forums.
- **Behavioral indicators:** Public posting/sharing of stolen user verification data on antagonistic online communities.
## Response Actions
- **Containment measures:** Hiring cybersecurity experts and working to secure systems (implies closing the public bucket access).
- **Eradication steps:** *Not detailed, but presumed steps involve removing data from public view and remediating the storage configuration.*
- **Recovery actions:** *Not detailed, but likely involves re-architecting data retention policies and storage security.*
## Lessons Learned
- Reliance on a legacy storage system carried significant security debt: data was retained well beyond its expected lifecycle.
- Misconfiguration of cloud storage (leaving a Firebase bucket publicly accessible without authentication) is a critical, exploitable vulnerability.
- Promises made to users regarding data deletion must be strictly adhered to, as unfulfilled promises escalate backlash when a breach occurs.
## Recommendations
- Immediately audit all cloud storage buckets (Firebase, S3, Azure Blob) to ensure no sensitive data repositories are publicly accessible without robust authentication mechanisms.
- Implement strict data lifecycle policies to ensure data is deleted promptly once its stated compliance or verification purpose has been met.
- Review and validate all security controls related to stored user identification documents, moving them to highly restricted, encrypted storage environments.
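As an added example of the audit the first recommendation calls for (this is not code from Tea or from the reporting), the script below lints Firebase Storage security rules for `allow` statements that grant access without requiring an authenticated request. The three rule sets are constructed for illustration and assume the standard Firebase Storage rules syntax: the first reflects the pattern described above (any path readable and writable by anyone), the second restricts each user's verification uploads to that user, and the third shows a subtler case where the condition never checks `request.auth`. The path layout (`/verification/{userId}/...`) is an assumption, not Tea's actual structure.

```python
"""Lint Firebase Storage security rules for public (unauthenticated) access.

Added example, not the app's own code. The rule sets below are constructed
for illustration and assume Firebase Storage rules syntax (rules_version 2).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed: an open bucket. Any client can read and write every path.
OPEN_RULES = """\
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if true;
    }
  }
}
"""

# Constructed: hardened rules. Verification documents are readable and
# writable only by the authenticated user whose uid matches the path;
# every other path is denied. The /verification/{userId} layout is assumed.
HARDENED_RULES = """\
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /verification/{userId}/{fileName} {
      allow read: if request.auth != null && request.auth.uid == userId;
      allow write: if request.auth != null && request.auth.uid == userId;
    }
    match /{allPaths=**} {
      allow read, write: if false;
    }
  }
}
"""

# Constructed: a condition that looks restrictive but never checks identity,
# so reads stay public for any object under the size limit.
SIZE_ONLY_RULES = """\
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /public/{fileName} {
      allow read: if resource.size < 5 * 1024 * 1024;
      allow write: if request.auth != null;
    }
  }
}
"""


@dataclass
class Finding:
    line: int        # 1-based line number of the allow statement
    path: str        # concatenated match path the statement applies to
    ops: str         # operations granted, e.g. "read,write"
    condition: str   # the condition text, empty if unconditional
    reason: str      # why the statement is flagged


_MATCH_RE = re.compile(r"^\s*match\s+(\S+)\s*\{")
_ALLOW_RE = re.compile(r"^\s*allow\s+([\w,\s]+?)\s*(?::\s*if\s+(.*?))?\s*;")


def lint_storage_rules(rules_text: str) -> list[Finding]:
    """Return a Finding for every allow statement reachable by unauthenticated clients."""
    findings: list[Finding] = []
    path_stack: list[str] = []
    for lineno, raw in enumerate(rules_text.splitlines(), start=1):
        line = raw.strip()
        m = _MATCH_RE.match(line)
        if m:
            path_stack.append(m.group(1))   # enter a nested match block
            continue
        if line == "}":
            if path_stack:
                path_stack.pop()            # leave the innermost match block
            continue
        a = _ALLOW_RE.match(line)
        if not a:
            continue
        ops = a.group(1).replace(" ", "")
        cond = (a.group(2) or "").strip()
        path = "".join(path_stack)
        if cond in ("", "true"):
            reason = "unconditional access: anyone on the internet can " + ops
        elif cond == "false":
            continue                        # explicit deny, nothing to flag
        elif "request.auth" not in cond:
            reason = "condition does not check request.auth: access is public when it holds"
        else:
            continue                        # identity is checked; assume intended
        findings.append(Finding(lineno, path, ops, cond, reason))
    return findings


def is_publicly_accessible(rules_text: str) -> bool:
    """True if any allow statement grants access without an authenticated request."""
    return bool(lint_storage_rules(rules_text))


if __name__ == "__main__":
    for name, text in [("open", OPEN_RULES), ("hardened", HARDENED_RULES),
                       ("size-only", SIZE_ONLY_RULES)]:
        print(f"== {name}: public={is_publicly_accessible(text)}")
        for f in lint_storage_rules(text):
            print(f"  line {f.line} {f.path} [{f.ops}] -> {f.reason}")
```

The linter is deliberately conservative: it only clears a statement when the condition references `request.auth` or is an explicit `false`, so a rule that gates on object size, content type or a timestamp alone is still reported. Run it over each project's exported rules as a pre-deploy check, and pair it with a periodic unauthenticated read of a known object URL from outside the project to confirm what the rules say matches what the bucket actually serves.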