TeaOnHer, the men's counterpart to the women's safety app Tea, is hemorrhaging user data faster than you can swipe left. TechCrunch discovered that anyone can access the app's database containing driver's licenses, selfies, email addresses, and usernames of all 53,000 users.
No hacking required. The data is just sitting there on public URLs, waiting for someone to stumble across it.
But here's the really embarrassing part: the app's creator, Xavier Lampkin, left his own admin credentials exposed on the server. Email address and plaintext password, just hanging out in the open. It's like leaving your house keys taped to the front door with a note saying "please don't rob me."
This is What Happens When You Build Apps Out of Spite
TeaOnHer launched this week as a direct response to Tea, the controversial women's app that lets users share warnings about men they've dated. Tea got breached last week, exposing 72,000 images and over a million private messages. Instead of learning from that disaster, someone thought "let's build the exact same thing but for men."
The results are predictably awful. TeaOnHer users upload government IDs for verification, then post photos and accusations about women they claim to have dated. The guest view (no signup required) immediately shows naked photos of the same woman posted under different names, plus comments calling women "easy" or accusing them of spreading STIs.
It's revenge porn with extra steps and worse security.
Basic Security Concepts That Apparently Don't Exist
The technical details are mind-numbing in their incompetence:
- Direct URL access to driver's licenses: Upload an ID to verify your account? It goes on a public web address that anyone can guess or stumble across
- Exposed user database: All 53,000 user emails, usernames, and locations are accessible without authentication
- Admin credentials in plaintext: The founder's login details are sitting on the public server
- No access controls: Guest users can see everything without even creating an account
This isn't a sophisticated attack or zero-day exploit. This is basic web development that a bootcamp student would be embarrassed to submit. You literally just need to know how URLs work to access people's government IDs.
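For contrast, here is what the missing control for uploaded IDs can look like. This is an added sketch, not TeaOnHer's code or anything TechCrunch published; the function names, the 300-second lifetime, and the reviewer flag are assumptions made for illustration. Files get a random storage name, and the download handler serves them only for a short-lived signed link tied to the logged-in account.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a per-deployment secret loaded from a secrets manager,
# never stored on the web server's public path.
SIGNING_KEY = secrets.token_bytes(32)

def new_object_key() -> str:
    """Random storage name so an uploaded ID is never reachable by a guessable URL."""
    return secrets.token_urlsafe(32)

def _mac(key: str, uid: int, exp: int) -> str:
    # key is URL-safe base64 and uid/exp are ints, so "|" cannot appear inside a field.
    msg = f"{key}|{uid}|{exp}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

def issue_link(key, owner_id, requester_id, is_reviewer=False, ttl=300, now=None):
    """Issue a short-lived link only to the document's owner or a verification reviewer."""
    now = int(time.time()) if now is None else now
    if requester_id is None or not (requester_id == owner_id or is_reviewer):
        raise PermissionError("guests and other users get no link")
    exp = now + ttl
    return {"key": key, "uid": requester_id, "exp": exp, "sig": _mac(key, requester_id, exp)}

def verify_link(session_uid, link, now=None) -> bool:
    """Check run by the download handler before any bytes are served."""
    now = int(time.time()) if now is None else now
    if session_uid is None or session_uid != link.get("uid"):
        return False  # unauthenticated, or link replayed from another account
    try:
        exp = int(link["exp"])
        expected = _mac(str(link["key"]), int(link["uid"]), exp)
    except (KeyError, TypeError, ValueError):
        return False  # malformed link
    if now > exp:
        return False  # link has expired
    return hmac.compare_digest(str(link.get("sig", "")).encode(), expected.encode())

if __name__ == "__main__":
    k = new_object_key()  # constructed sample upload
    link = issue_link(k, owner_id=7, requester_id=7)
    print(verify_link(7, link), verify_link(None, link), verify_link(8, link))
```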
The Creator Left His Own Data Exposed
Xavier Lampkin, founder of Newville Media Corporation and creator of TeaOnHer, apparently didn't test his own security. TechCrunch found his personal data in the exposed database, along with his admin credentials sitting on the server in plaintext.
When TechCrunch tried to contact Lampkin about the security flaws, he didn't respond. The app is currently ranked #2 in Lifestyle apps on iOS and #17 overall, beating Instagram, Netflix, and Spotify. Thousands of people are downloading an app that immediately exposes their driver's license to the internet.
Why Dating Apps Keep Failing at Basic Security
This is becoming a pattern. Tea gets breached, TeaOnHer gets breached, Bumble had location tracking issues, Tinder leaked swipe data. Dating apps collect incredibly sensitive information – photos, locations, personal details, sometimes government IDs – but treat security like an afterthought.
Part of the problem is that dating apps are often built by small teams focused on user acquisition, not security. They're optimizing for viral growth and App Store rankings, not protecting user data. Basic security features like access controls, encrypted storage, and secure API endpoints cost time and money that startups don't want to spend.
The other issue is that users keep downloading these apps despite repeated security failures. TeaOnHer is trending on the App Store even though it's obviously unsafe to use. People are more concerned with getting their revenge posts live than protecting their driver's license from random internet strangers.
What You Need to Know Right Now
If you downloaded TeaOnHer and uploaded an ID for verification, assume that document is now publicly accessible on the internet. Anyone with basic technical skills can find and download your driver's license, along with your email address and any selfies you uploaded.
The app makers haven't acknowledged the security flaws or announced any fixes. TechCrunch is withholding technical details to avoid helping malicious actors, but the vulnerabilities they found are apparently simple to exploit.
Delete the app if you have it installed. Don't upload government documents to apps built by companies you've never heard of. And maybe consider whether posting revenge content about your exes is worth risking identity theft.