Why Storing Government IDs by Websites is a Problem

The Tea app, apparently, is a women-only dating safety app where members can share reviews about men, with access to the platform requiring a selfie and a government ID.

The app, apparently, had a security problem.

On Friday a user posted that there was an unsecured Firebase storage bucket with driver’s licenses, selfies and photos shared in comments.

Now a second database has been discovered that supposedly contains 1.1 million private messages exchanged between members.

In total the hackers stole, and apparently posted, 59 GB of data. Tea said that a legacy storage system was compromised resulting in the hackers stealing data prior to February 2024.

They say that the data stolen included 13,000 selfies and 59,000 images viewable to users of the app.

While Tea attempts spin control, journalists say that the 1.1 million messages exposed contain messages as recent as last week.

The platform states that selfies were not deleted to comply with law enforcement requirements.

As states and countries demand that websites ID visitors, which conceptually is probably a good idea, the risk from apps improperly securing that data will grow. Typically the apps that are IDing users contain sensitive data. It may come from dating apps, alternative lifestyle sites, or just sites that some people find objectionable, like adult sites. This data, in the wrong hands, can be used to extort people, embarrass them, get them fired and, in extreme cases, get people killed.

I am sure Tea is unhappy that this happened and it was probably not intentional, but that doesn’t reduce the damage. In this case, the private conversations users had about other people are now public. What if one of those messages said that some person that a user specifically identified with a photo tried to molest her? That is now public. That person was likely not arrested, not charged and not convicted, but now this person might as well be convicted. Maybe that person is guilty, but that is a matter for the law and not hackers. As more states and more apps are required to do what Tea did, expect more breaches of sensitive personal data. And there really is nothing you can do about it other than not use apps that require you to ID yourself. Maybe that is not all bad.

Credit: Bleeping Computer
