Technologies

The Tea App Data Breach: What Was Exposed and What We Know About the Class Action Lawsuit

DMs, photo IDs and selfie photos were exposed in the hack.

Tea, a women’s dating safety app that recently surged to the top of the free iOS App Store listings, suffered a major security breach last week. The company confirmed Friday that it «identified authorized access to one of our systems» that exposed thousands of user images. And now we know that DMs were accessed during the breach, too.

Tea’s preliminary findings from the end of last week showed the data breach exposed approximately 72,000 images: 13,000 images of selfies and photo identification that people had submitted during account verification, and 59,000 images that were publicly viewable in the app from posts, comments and direct messages.

Those images had been stored in a «legacy data system» that contained information from more than two years ago, the company said in statement. «At this time, there is no evidence to suggest that current or additional user data was affected.»

Earlier Friday, posts on Reddit and 404 Media reported that Tea app users’ faces and IDs had been posted on anonymous online message board 4chan. Tea requires users to verify their identities with selfies or IDs, which is why driver’s licenses and pictures of people’s faces are in the leaked data.

And on Monday, a Tea spokesperson confirmed to CNET that it additionally «recently learned that some direct messages (DMs) were accessed as part of the initial incident.» Tea has also taken the affected system offline. That confirmation followed a report by 404 Media on Monday that an independent security researcher discovered it would have been possible for hackers to gain access to DMs between Tea users, affecting messages sent up to last week on the Tea app.

Tea said it has launched a full investigation to assess the scope and impact of the breach.

Class action lawsuit filed

One of the users of the Tea app, Griselda Reyes, has filed a class action lawsuit on behalf of herself and other Tea users affected by the data breach. According to court documents filed on July 28, as reported earlier by 404 Media, Reyes is suing Tea over its alleged «failure to properly secure and safeguard … personally identifiable information.»

«Shortly after the data breach was announced, internet users claimed to have mapped the locations of Tea’s users based on metadata contained from the leaked images,» the complaint alleges. «Thus, instead of empowering women, Tea has actually put them at risk of serious harm.»

Tea also has yet to notify its customers personally about their data being breached, the complaint alleges.

The complaint is seeking class action status, damages for those affected «in an amount to be determined» and certain requirements for Tea to improve its data storage and handling practices.

Scott Edward Cole of Cole & Van Note, the law firm representing Reyes, told CNET he is «stunned» by the alleged lack of security protections in place.

«This application was advertised as a safe place for women to share information, sometimes very intimate information, about their dating experiences. Few people would take that risk if they’d known Tea Dating put such little effort into its cybersecurity,» Cole alleged. «One chief goal of our lawsuit is to compel the company to start taking user privacy a lot more seriously.»

Tea didn’t immediately respond to a request for comment on the class action lawsuit.

What is the Tea app?

The premise of Tea is to provide women with a space to report negative interactions they’ve had while encountering men in the dating pool, with the intention of keeping other women safe.

The app is currently sitting at the No. 2 spot for free apps on Apple’s US App Store, right after ChatGPT, drawing international attention and sparking a debate about whether the app violates men’s privacy. Following the news of the data breach, it also plays into the wider ongoing debate around whether online identity and age verification pose an inherent security risk to internet users.

In the privacy section on its website, Tea says: «Tea Dating Advice takes reasonable security measures to protect your Personal Information to prevent loss, misuse, unauthorized access, disclosure, alteration and destruction. Please be aware, however, that despite our efforts, no security measures are impenetrable.»

Technologies

How to Track Your Sun Exposure With This New App

Now in beta, the Sun Day app prompts you on how to prep for being out and about for your specific skin type and location.

Facing down a heat wave this summer? There’s a new beta app for iPhones from the founder of Twitter, Jack Dorsey, that helps you track your exposure to the sun. The Sun Day app is free to testers and contains information like sunrise, sunset and UV index in order to assess your potential burn-limit time and, as the app description says, «track your Vitamin D from the sun.»

Dorsey is currently testing UI updates and a solar noon notification, according to the app notes. In the app, you can describe the type of clothing you’re wearing, such as shorts and T-shirts or swimwear, and your Fitzpatrick skin type, which classifies how quickly you’ll burn.

The iOS app asks permission to connect to some Apple Health data when the app is installed.

Dorsey also recently released Bitchat, a private messaging client that uses Bluetooth as its communication platform. Although it’s meant to be a secure, private app, some users have flagged Bitchat for potential security flaws that are still being tested.

How to test the Sun Day app

If you’ve got an iOS device, download the Sun Day TestFlight app from the App Store and then follow the link to the app for Sun Day to join the beta test.

The effectiveness of an app such as Sun Day depends on giving it accurate information about your skin type and clothing, and while vitamin D levels are one way to gauge UV exposure, it’s not foolproof given that some people also take vitamin D supplements.

«Jack Dorsey’s new app Sun Day is exciting, not to detect vitamin D levels but really to help us understand our UV index which is so important in sun safety,» said Tanya Kormeili, an LA-based dermatologist. «The app does have an interesting promise as far as I am concerned, in that using the UV index can show you the risk for the level of UV exposure.»

The risks of too much sun exposure include sunburns, aging skin and skin cancer. Tracking UV levels is one way to help mitigate those risks.

People tend to think about sun exposure and protections like sunscreen most during the summer, when the sun is strongest and the days are long, and when you’re heading to the beach or out gardening, golfing or otherwise getting in quality sun time. But there is always a risk of sun damage to your skin while you’re outside — year round.

«Sometimes it is hard for patients to be convinced that there can be an excessive UV risk on a cloudy day,» Kormeili says. «The app would provide an objective measure of that UV index and guide you in safer sun practices.»

The dermatologist suggests that Dorsey putting the app out for public consumption without medical experts endorsing it might be a missed opportunity. «I am surprised that they have not involved actual dermatologists in pointing out the true value and limitations of this app,» she said.

Technologies

YouTube’s Age-Estimation Tech Will Spot Kids Pretending to Be Adults. Here’s How It Works

The streaming service will use various methods to make sure kids aren’t watching age-restricted content.

If kids are lying about their age, YouTube will know about it. Or at least will try its best to find out. The streaming service announced Tuesday it’s rolling out age-estimation technology that will use various data to determine if someone is under the age of 18, and then use that signal «to deliver our age-appropriate product experiences and protections.»

Basically — assuming it works as it should — kids will not be able to access what YouTube deems as age-restricted content.

Google, YouTube’s parent company, announced in February that it would begin deploying this type of technology, which relies on AI, to determine users’ ages.

YouTube said it will test the machine-learning tech on a small set of users in the US to estimate their age. Some of the signals it will look at include «the types of videos a user is searching for, the categories of videos they have watched or the longevity of the account.» After ensuring the age verification is working as intended, YouTube will then roll it out more widely.

Donna Rice Hughes, president and CEO of children’s online safety organization Enough is Enough, welcomed YouTube’s move toward age verification.

«It’s always encouraging to me as a veteran working in the internet safety space for over three decades to see big tech companies being proactive to better protect youth online,» Hughes told CNET. «Since the advent of social media, which began with age limits of 18 years and older then reduced to 13-plus with absolutely no age verification technologies in place, kids have learned to lie about their age to get on these platforms, including YouTube.»

Hughes said YouTube can take it a step further: «I also encourage YouTube to turn on safety defaults to block sexually explicit videos and advertising and other harmful content for all users under 18.»

YouTube’s age-verification move is another step in the growing age-verification push that is being hastened by the US and other governments trying to prevent children from accessing content deemed harmful, unhealthy and not appropriate for their age.

What happens when YouTube decides someone is under 18?

If its age-estimation system decides someone is under 18, YouTube will then:

Disable personalized advertising.
Turn on digital wellbeing tools.
Add safeguards to recommendations, including limiting repetitive views of some content.

People who are actually adults but who have been wrongly identified as children will be able to verify that they are 18 or older by using a credit card or a government ID.

Hughes of Enough is Enough said that strong measures are needed to protect kids when it comes to their online use of YouTube videos and more.

«At EIE, we have encouraged turning on safety defaults — including filtering, monitoring and time-limiting controls — on all internet-enabled devices and platforms,» Hughes told CNET. «This simple step by big tech companies would greatly empower parents, who now must do this themselves on every device and every social media platform, which is overwhelming.»

Technologies

Today’s NYT Connections: Sports Edition Hints and Answers for July 31, #311

Here are hints and the answers for the NYT Connections: Sports Edition puzzle for July 31, No. 311.

Looking for the most recent regular Connections answers? Click here for today’s Connections hints, as well as our daily answers and hints for The New York Times Mini Crossword, Wordle and Strands puzzles.

Today’s Connections: Sports Edition is heavy on NFL clues, so football fans should do well. The purple category felt like an easy one for me today and it has nothing to do with the NFL. Keeping reading for hints and the answers.

Connections: Sports Edition is out of beta now, making its debut on Super Bowl Sunday, Feb. 9. That’s a sign that the game has earned enough loyal players that The Athletic, the subscription-based sports journalism site owned by the Times, will continue to publish it. It doesn’t show up in the NYT Games app but now appears in The Athletic’s own app. Or you can continue to play it free online.

Read more: NYT Connections: Sports Edition Puzzle Comes Out of Beta

Hints for today’s Connections: Sports Edition groups

Here are four hints for the groupings in today’s Connections: Sports Edition puzzle, ranked from the easiest yellow group to the tough (and sometimes bizarre) purple group.

Yellow group hint: Starts with a break.

Green group hint: Part of one of two conferences.

Blue group hint: Special Philly.

Purple group hint: For the court.