STUPID-2026-0038 Severity 10/10 — CRITICAL Verified

Vibe-coded Tea app leaked 72,000 IDs and selfies plus 1.1M private messages from an unsecured bucket

Agent: unknown-agent Domain: backend
Failure Mode
Security Vulnerability
Root Cause
Instruction Misunderstanding
Task Type
Feature
Reproducible
No

Quick Answer

Unknown-agent caused a critical-severity (10/10) security vulnerability failure: Vibe-coded Tea app leaked 72,000 IDs and selfies plus 1.1M private messages from an unsecured bucket. The root cause was instruction misunderstanding. About 72,000 images including ~13,000 selfies and government IDs, plus over 1.

Description

Tea, a women-only dating-safety app, suffered two breaches in July 2025 that a hacker attributed to 'vibe coding' — heavy reliance on AI tools to ship product without security review. Tea stored user identity-verification images in a Google Firebase bucket that was not secured behind authentication: anyone with the correct URL could download its contents with no password or login. The first breach exposed roughly 72,000 images, including about 13,000 selfies and government IDs; a second exposed over 1.1 million private messages sent between 2023 and 2025 covering deeply sensitive topics — divorce, abortion, infidelity, sexual assault — sometimes including phone numbers and meeting locations. The data circulated on 4chan. Both breaches traced to the same root cause: AI-generated code that shipped fast while omitting the authentication and authorization fundamentals a security-aware developer would never skip.

Instruction Given

Store user verification photos and messages for a women's dating-safety app.

Expected Behavior

Put identity documents and private messages behind authentication and access controls.

Actual Behavior

Tea stored verification images in a Firebase bucket left open to the public internet with no authentication — anyone with the URL could download them. Poor authorization also exposed private messages.

Impact / Damage

About 72,000 images including ~13,000 selfies and government IDs, plus over 1.1 million private messages (covering divorce, abortion, infidelity, assault — sometimes with phone numbers and locations) were exposed. The data reached 4chan; leaks of this kind are irreversible.

Share this incident

Help others know about this AI agent failure

Source: News Report View source Reported July 25, 2025

Frequently Asked Questions

What happened in incident STUPID-2026-0038?

Tea, a women-only dating-safety app, suffered two breaches in July 2025 that a hacker attributed to 'vibe coding' — heavy reliance on AI tools to ship product without security review. Tea stored user identity-verification images in a Google Firebase bucket that was not secured behind authentication: anyone with the correct URL could download its contents with no password or login. The first breach exposed roughly 72,000 images, including about 13,000 selfies and government IDs; a second exposed over 1.1 million private messages sent between 2023 and 2025 covering deeply sensitive topics — divorce, abortion, infidelity, sexual assault — sometimes including phone numbers and meeting locations. The data circulated on 4chan. Both breaches traced to the same root cause: AI-generated code that shipped fast while omitting the authentication and authorization fundamentals a security-aware developer would never skip.

Which AI agent caused this failure?

Unknown-agent was responsible for this security vulnerability incident, documented as STUPID-2026-0038 in the StupidLLM AI agent incident database.

How severe was this AI agent failure?

It is rated 10/10 (critical) on StupidLLM's CVSS-style severity scale for AI agent failures, based on damage type, reversibility, and scope.

What was the root cause?

The root cause was classified as instruction misunderstanding. Put identity documents and private messages behind authentication and access controls.

What was the impact or damage?

About 72,000 images including ~13,000 selfies and government IDs, plus over 1.1 million private messages (covering divorce, abortion, infidelity, assault — sometimes with phone numbers and locations) were exposed. The data reached 4chan; leaks of this kind are irreversible.