Open Forum

  • 1.  Security BUZZ - Not your typical "tea" story

    Posted 08-08-2025 08:58

    On July 25, 2025, the Tea app (a dating-advice and review app for women) discovered unauthorized access to one of its old data systems, so-called legacy storage containing content uploaded before February 2024. The exposed data included about 72,000 images. Roughly 13,000 were selfies or photo IDs submitted during account verification. Another 59,000 were images posted inside the app: photos, comments, and private messages. Later, the company confirmed that some direct messages (DMs) were accessed as well, and they took messaging services offline as a precaution. No email addresses or phone numbers were compromised, and only users who registered before February 2024 were affected.

    With the explosion of online services over the last decade, we have become increasingly complacent about the information we post or share with these SaaS platforms. The other troubling trend is how companies take good security practices and turn them into a time-ticking bomb. Taking this incident as an example, face liveliness verification becomes standard for many ID verification services. The question is why the company felt they had the right to retain those images... forever. The same goes for direct messages on their platform.

    Takeaways:

    • You have no control over what the vendor will do with your data. When signing up or using any SaaS services, assume everything you provide or share with the vendor will be stored and used by the company (potentially indefinitely)
    • Generative AI does not help. Assume your interactions with any chatbots (including direct messages) on the vendor site would be stored indefinitely and likely will be used to train (improve) the vendor's model
    • Limit your exposure. Ensure that anything you share with the vendor cannot lead to greater exposure if lost. For instance, when I set up a new account and the site asks for password recovery questions/answers, I never give the real answers away. I create random passwords [using a password manager] as answers and store questions and answers I provided in my password vault associated with the site. That way, if the site is compromised, no one knows my real "mother's maiden name" or "school mascot"

    Be comfortable with the possibility of losing everything you provide to the vendor, or don't sign up / use the service.

    #ALTACyber



    ------------------------------
    Genady Vishnevetsky
    Chief Info Security Officer
    Stewart Title Guaranty Company
    Houston TX
    ------------------------------
    ALTA Marketplace


  • 2.  RE: Security BUZZ - Not your typical "tea" story

    Posted 08-11-2025 08:16
    Edited by Denise Williams 08-11-2025 08:28

    Hi Genady, I appreciate your write-up. There are a few other points I'd like to tack on:

    As a SaaS Title Search Platform, RDS, we often get the question of who owns the data.  Our T&Cs explicitly state it's the customers (unlike other platforms, as you mention).  Read through the T&Cs, and ask the questions.  

    Another point I'd add to your Vendor checklist is to ask if they share a server. Sharing a server with less secure companies (no matter what industry, or what geography) makes foul play more probable. At RDS we address this risk by having a dedicated server. We've seen other SaaS companies sharing server space with 10s of companies across the globe, including Russia. Oftentimes companies that don't take security measures, or are questionable themselves.

    If you are feeding the Chatbot, just as @Genady Vishnevetsky describes, yes, it's true, what you submit into a Chatbot, depending on who you're doing business with - do you know where your data goes, who it's shared with, how it's stored, can it be reused for other purposes, what laws apply, etc.  Simply ask.

    At RDS we have integrated AI into our platform.   As a Title Search Platform, and ideal Vendor Management platform for Title Companies, we continue to evolve and consider our risk as well as our customers' when it comes to data.

    There is much "on the line," for businesses to move fast and efficiently but not at the expense of data integrity and security.  It can be a hard balance!

    -Denise Williams



    ------------------------------
    Denise Williams MBA
    President
    Real Document Solutions - RDS
    Saint Louis MO
    ------------------------------