How the Tea App Got Blindsided on Data Security

As we move deeper into 2025, the cybersecurity landscape is experiencing a profound shift. AI-driven threats are becoming more sophisticated, cloud misconfigurations remain a persistent risk, and data breaches continue to grow in scale and cost.

‍

In this rapidly evolving environment, traditional security approaches are no longer enough. At Black Hat USA 2025, Sentra will demonstrate how security teams can stay ahead of the curve through data-centric strategies that focus on visibility, risk reduction, and real-time response. Join us on August 4-8 at the Mandalay Bay Convention Center in Las Vegas to learn how Sentra’s platform is reshaping the future of cloud data security.

Understanding the Stakes: 2024’s Security Trends

Recent industry data underscores the urgency facing security leaders. Ransomware accounted for 35% of all cyberattacks in 2024 - an 84% increase over the prior year. Misconfigurations continue to be a leading cause of cloud incidents, contributing to nearly a quarter of security events. Phishing remains the most common vector for credential theft, and the use of AI by attackers has moved from experimental to mainstream.

These trends point to a critical shift: attackers are no longer just targeting infrastructure or endpoints. They are going straight for the data.

Why Data-Centric Security Must Be the Focus in 2025

The acceleration of multi-cloud adoption has introduced significant complexity. Sensitive data now resides across AWS, Azure, GCP, and SaaS platforms like Snowflake and Databricks. However, most organizations still struggle with foundational visibility - not knowing where all their sensitive data lives, who has access to it, or how it is being used.

Sentra’s approach to Data Security Posture Management (DSPM) is built to solve this problem. Our platform enables security teams to continuously discover, identify, classify, and secure sensitive data across their cloud environments, and to do so in real time, without agents or manual tagging.

Sentra at Black Hat USA 2025: What to Expect

At this year’s conference, Sentra will be showcasing how our DSPM and Data Detection and Response (DDR) capabilities help organizations proactively defend their data against evolving threats. Our live demonstrations will highlight how we uncover shadow data across hybrid and multi-cloud environments, detect abnormal access patterns indicating insider threats, and automate compliance mapping for frameworks such as GDPR, HIPAA, PCI-DSS, and SOX. Attendees will also gain visibility into how our platform enables data-aware threat detection that goes beyond traditional SIEM tools.

‍

In addition to product walkthroughs, we’ll be sharing real-world success stories from our customers - including a fintech company that reduced its cloud data risk by 60% in under a month, and a global healthtech provider that cut its audit prep time from three weeks to just two days using Sentra’s automated controls.

Exclusive Experiences for Security Leaders

Beyond the show floor, Sentra will be hosting a VIP Security Leaders Dinner on August 5 - an invitation-only evening of strategic conversations with CISOs, security architects, and data governance leaders. The event will feature roundtable discussions on 2025’s biggest cloud data security challenges and emerging best practices.

For those looking for deeper engagement, we’re also offering one-on-one strategy sessions with our experts. These personalized consultations will focus on helping security leaders evaluate their current DSPM posture, identify key areas of risk, and map out a tailored approach to implementing Sentra’s platform within their environment.

Why Security Teams Choose Sentra

Sentra has emerged as a trusted partner for organizations tackling the challenges of modern data security. We were named a "Customers’ Choice" in the Gartner Peer Insights Voice of the Customer report for DSPM, with a 98% recommendation rate and an average rating of 4.9 out of 5. GigaOm also recognized Sentra as a Leader in its 2024 Radar reports for both DSPM and Data Security Platforms.

‍

More importantly, Sentra is helping real organizations address the realities of cloud-native risk. As security perimeters dissolve and sensitive data becomes more distributed, our platform provides the context, automation, and visibility needed to protect it.

Meet Sentra at Booth 4408

Black Hat USA 2025 offers a critical opportunity for security leaders to re-evaluate their strategies in the face of AI-powered attacks, rising cloud complexity, and increasing regulatory pressure. Whether you are just starting to explore DSPM or are looking to enhance your existing security investments, Sentra’s team will be available for live demos, expert guidance, and strategic insights throughout the event.

Visit us at Booth 4408 to see firsthand how Sentra can help your organization secure what matters most - your data.

Register or Book a Session

• Request an invite to our VIP Dinner (August 5)
• Schedule a private strategy session with our experts

<blogcta-big>

‍

A Women‑First Safety Tool - and a Very Public Breach

Tea is billed as a “women‑only” community where users can swap tips, background‑check potential dates, and set red or green flags. In late July 2025 the app rocketed to No. 1 in Apple’s free‑apps chart, boasting roughly four million users and a 900 k‑person wait‑list.

On 25 July 2025 a post on 4chan revealed that anyone could download an open Google Firebase Storage bucket holding verification selfies and ID photos. Technology reporters quickly confirmed the issue and confirmed the bucket had no authentication or even listing restrictions.

What Was Exposed?

About 72,000 images were taken. Roughly 13,000 were verification selfies that included “driver's license or passport photos; the rest - about 59,000 - were images, comments, and DM attachments from more than two years ago. No phone numbers or email addresses were included, but the IDs and face photos are now mirrored on torrent sites, according to public reports.

‍

Tea’s Official Response

On 27 July Tea posted the following notice to its Instagram account:

We discovered unauthorized access to an archived data system. If you signed up for Tea after February 2024, all your data is secure.

‍

This archived system stored about 72,000 user‑submitted images – including approximately 13,000 selfies and selfies that include photo identification submitted during account verification. These photos can in no way be linked to posts within Tea.

‍

Additionally, 59,000 images publicly viewable in the app from posts, comments, and direct messages from over two years ago were accessed. This data was stored to meet law‑enforcement standards around cyberbullying prevention.

We’ve acted fast and we’re working with trusted cyber‑security experts. We’re taking every step to protect this community – now and always.

‍

(Full statement: instagram.com/theteapartygirls)

How Did This Happen?

At the heart of the breach was a single, deceptively simple mistake: the Firebase bucket that stored user images had been left wide open to the internet and even allowed directory‑listing. Whoever set it up apparently assumed that the object paths were obscure enough to stay hidden, but obscurity is never security. Once one curious 4chan user stumbled on the bucket, it took only minutes to write a script that walked the entire directory tree and downloaded everything. The files were zipped, uploaded to torrent trackers, and instantly became impossible to contain. In other words, a configuration left on its insecure default setting turned a women‑safety tool into a privacy disaster.

What Developers and Security Teams Can Learn

For engineering teams, the lesson is straightforward: always start from “private” and add access intentionally. Google Cloud Storage supports Signed URLs and Firebase Auth rules precisely so you can serve content without throwing the doors wide open; using those controls should be the norm, not the exception. Meanwhile, security leaders need to accept that misconfigurations are inevitable and build continuous monitoring around them.

‍

Modern Data Security Posture Management (DSPM) platforms watch for sensitive data, like face photos and ID cards, showing up in publicly readable locations and alert the moment they do. Finally, remember that forgotten backups or “archive” buckets often outlive their creators’ attention; schedule regular audits so yesterday’s quick fix doesn’t become tomorrow’s headline.

How Sentra Would Have Caught This

Had Tea’s infrastructure been monitored by a DSPM solution like Sentra, the open bucket would have triggered an alert long before a stranger found it. Sentra continuously inventories every storage location in your cloud accounts, classifies the data inside so it knows those JPEGs contain faces and government IDs, and correlates that sensitivity with each bucket’s exposure. The moment a bucket flips to public‑read - or worse, gains listing permissions - Sentra raises a high‑severity alert or can even automate a rollback of the risky setting. In short, it spots the danger during development or staging, before the first user uploads a selfie, let alone before a leak hits 4chan. And, in case of a breach (perhaps by an inadvertent insider), Sentra monitors data accesses and movement and can alert when unusual activity occurs.

The Bottom Line

‍
One unchecked permission wiped out the core promise of an app built to keep women safe. This wasn’t some sophisticated breach, it was a default setting left in place, a public bucket no one thought to lock down. A fix that would’ve taken seconds ended up compromising thousands of IDs and faces, now mirrored across the internet.

Security isn’t just about good intentions. Least-privilege storage, signed URLs, automated classification, and regular audits aren’t extras - they’re the baseline. If you’re handling sensitive data and not doing these things, you’re gambling with trust. Eventually, someone will notice. And they won’t be the only ones downloading.

<blogcta-big>

‍

A vulnerability like this doesn’t just compromise infrastructure, it compromises trust. When attackers gain unauthenticated access to SharePoint, they’re not just landing on a server. They’re landing on contracts, financials, customer records, and source code - the very data that defines your business.

‍

The latest zero-day targeting Microsoft SharePoint is a prime example. It’s not only critical in severity - it’s being actively exploited in the wild, giving threat actors a direct path to your most sensitive data.

Here’s what we know so far.

‍

What Happened in the Sharepoint Zero-Day Attack?

‍

On July 20, 2025, CISA confirmed that attackers are actively exploiting CVE-2025-53770, a remote-code-execution (RCE) zero-day that affects on-premises Microsoft SharePoint servers.

The flaw is unauthenticated and rated CVSS 9.8, letting threat actors run arbitrary code and access every file on the server - no credentials required.

‍‍

Security researchers have tied the exploits to the “ToolShell” attack chain, which steals SharePoint machine keys and forges trusted ViewState payloads, making lateral movement and persistence dangerously easy.

Microsoft has issued temporary guidance (enabling AMSI, deploying Defender AV, or isolating servers) while it rushes a full patch. Meanwhile, CISA has added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog and urges immediate mitigations. CISA

‍

Why Exploitation Is Alarmingly Easy

Attackers don’t need stolen credentials, phishing emails, or sophisticated malware. A typical adversary can move from a list of targets to full SharePoint server control in four quick moves:

‍

1. Harvest likely targets in bulk
   Public scanners like Censys, Shodan, and certificate transparency logs reveal thousands of company domains exposing SharePoint over HTTPS. A few basic queries surface sharepoint. subdomains or endpoints responding with the SharePoint logo or X-SharePointHealthScore header.
   
   
2. Check for a SharePoint host
   If a domain like sharepoint.example.com shows the classic SharePoint sign-in page, it’s likely running ASP.NET and listening on TCP 443—indicating a viable target.
   
   
3. Probe the vulnerable endpoint
   A simple GET request to /_layouts/15/ToolPane.aspx?DisplayMode=Edit should return HTTP 200 OK (instead of redirecting to login) on unpatched servers. This confirms exposure to the ToolShell exploit chain.
   
   
4. Send one unauthenticated POST
   The vulnerability lies in how SharePoint deserializes __VIEWSTATE data. With a single forged POST request, the attacker gains full RCE—no login, no MFA, no further interaction.

That’s it. From scan to shell can take under five minutes, which is why CISA urged admins to disconnect public-facing servers until patched.

‍

Why Data Security Leaders Should Care

SharePoint is where contracts, customer records, and board decks live. An RCE on the platform is a direct path to your crown jewel data:

‍

• Unbounded blast radius: Compromised machine keys let attackers impersonate any user and exfiltrate sensitive files at scale.
• Shadow exposure: Even if you patch tomorrow, every document the attacker touched today is already outside your control.
• Compliance risk: GDPR, HIPAA, SOX, and new AI-safety rules all require provable evidence of what data was accessed and when.

While vulnerability scanners stop at “patch fast,” data security teams need more visibility into what was exposed, how sensitive it was, and how to contain the fallout. That’s exactly what Sentra’s Data Security Posture Management (DSPM) platform delivers.

‍

How Sentra DSPM Neutralizes the Impact of CVE-2025-53770

• Continuous data discovery & classification: Sentra’s agentless scanner pinpoints every sensitive file - PII, PHI, intellectual-property, even AI model weights - across on-prem SharePoint, SharePoint Online, Teams, and OneDrive. No blind spots.
• Posture-driven risk mapping: Sentra pinpoints sensitive data sitting on exploitable servers, open to the public, or granted excessive permissions, then automatically routes actionable alerts into your security team’s existing workflow platform.
• Real-time threat detection: Sentra’s Data Detection and Response (DDR) instantly flags unusual access patterns to sensitive data, enabling your team to intervene before risk turns into breach.
• Blast-radius analysis: Sentra shows which regulated data could have been accessed during the exploit window - crucial for incident response and breach notifications.
• Automated workflows: Sentra integrates with Defender, Microsoft Purview, Splunk, CrowdStrike, and all leading SOARs to quarantine docs, rotate machine keys, or trigger legal hold—no manual steps required.
• Attacker-resilience scoring: Executive dashboards translate SharePoint misconfigurations into dollar-value risk reduction and compliance posture—perfect for board updates after high-profile CVEs.

‍

What This Means for Your Security Team

CVE-2025-53770 won’t be the last time attackers weaponize a collaboration platform you rely on every day. With Sentra DSPM, you know exactly where your sensitive data is, how exposed it is, and how to shrink that exposure continuously.

‍

With Sentra DSPM, you gain more than visibility. You get the ability to map your most sensitive data, detect threats in real time, and respond with confidence - all while proving compliance and minimizing business impact.

It’s not just about patching faster. It’s about defending what matters most: your data.

‍

<blogcta-big>

‍