Holy shit, developers. We need to talk.

While you were all busy debating whether tabs or spaces make better vibes, a dating safety app called Tea just served up the most spectacular security shitshow of 2025. This is the perfect case study for why “vibe coding” without proper engineering discipline is like performing surgery with a butter knife.
 

The Tea Spillage: A Million Ways to Fail

Let’s set the scene. Tea, touted as a “women’s safety app” where users could anonymously review men they’d dated, went from zero to hero faster than your startup’s burn rate. Within a week in July 2025, it shot to the #1 spot on Apple’s App Store with over 1.6 million users. Women loved it. Men… well, let’s just say they weren’t thrilled about being Yelp-reviewed.

But here’s where the story gets juicy (and not in a good way).

The First Breach: On July 25, 2025, hackers discovered that Tea was using an unsecured Firebase storage bucket—basically leaving the front door wide open with a neon “FREE DATA” sign. They accessed 72,000 images, including 13,000 selfies and government IDs that users submitted for verification. These photos, which Tea’s privacy policy promised would be “deleted immediately” after verification, were instead sitting there like digital sitting ducks.

The Second Breach: But wait, there’s more! Just days later, security researcher Kasra Rahjerdi discovered that Tea’s API keys weren’t properly restricted, allowing anyone with a Tea account to access a database containing 1.1 million private messages. These weren’t just casual chats—we’re talking about conversations discussing abortions, cheating partners, and other deeply personal topics.

The aftermath? Both datasets ended up on 4chan, with some asshole even creating a “facesmash”-style site where visitors could rate the leaked selfies. Two class-action lawsuits followed, and Tea disabled all messaging features.
 

The Vibe Coding Connection: When Feelings Meet Firebase

Now, you might be wondering what this clusterfuck has to do with vibe coding. Everything, my friends.

Vibe coding, popularized by AI researcher Andrej Karpathy in early 2025, is the practice of describing what you want to an AI in plain English and letting it generate code based on your “vibes”. It’s about “fully giving in to the vibes, embracing exponentials, and forgetting that the code even exists”.

Sounds dreamy, right? Like coding while high on productivity podcasts and lo-fi beats. But here’s the reality check: when you “forget that the code even exists,” you also forget about the boring shit that keeps users safe—like proper authentication, data encryption, and not leaving your database wide open to the internet.
 

The Firebase Fuckup: A Master Class in “Just Ship It” Culture

Tea’s technical implementation reads like a vibe coding horror story. The app used Firebase, Google’s mobile backend platform, but configured it about as securely as a screen door on a submarine.

Here’s what went wrong:

Misconfigured Firebase Rules: Firebase doesn’t secure user data by default—developers must explicitly configure security rules for each database table. Tea apparently missed this memo, leaving their data storage with the digital equivalent of .read: true and .write: true for everyone.

Unsecured API Keys: The second breach happened because Tea’s API keys weren’t properly restricted, allowing any authenticated user to access any other user’s data. This is Security 101 stuff, folks.

Legacy Systems: Tea blamed the first breach on a “legacy data storage system” containing information from “more than two years ago” eventhough the app only launched in 2023. That’s some impressive legacy accumulation for such a young startup.

The cherry on top? According to Reddit sleuths, Tea’s founder Sean Cook had only completed a 6-month coding bootcamp before building this app. Nothing against bootcamp grads, but maybe—just maybe—building an app that handles sensitive personal data and government IDs requires a bit more than six months of JavaScript tutorials and good vibes.
 

The Move Fast, Break Things Mentality: When Breaking Things Breaks People

Tea’s security disasters perfectly exemplify what happens when Silicon Valley’s “move fast and break things” philosophy collides with real-world consequences. When Facebook coined this phrase, they had the luxury of breaking news feeds and friend suggestions. When a women’s safety app breaks, it exposes deeply personal information to the worst corners of the internet.

This isn’t just about technical debt or messy code—it’s about fundamental misunderstanding of responsibility. Tea’s attorney in one of the lawsuits said, “I don’t think that this organization intended to violate people’s rights. I think they were just sloppy”. But when you’re handling government IDs and private messages about sexual assault, “sloppy” isn’t an excuse—it’s criminal negligence.
 

The Vibe Coding Trap: Why Intuition Isn’t Enough

Don’t get me wrong—vibe coding has its place. It’s fantastic for prototyping, exploring ideas, and building internal tools where the stakes are low. But it becomes dangerous when developers mistake rapid iteration for production-ready code.

Here’s what vibe coding gets right:

• Rapid Prototyping: Great for testing concepts quickly
• Accessibility: Lowers the barrier to entry for non-technical founders
• Flow State: Keeps developers in creative zones longer

And here’s where it goes horribly wrong:

• Security Blindness: AI doesn’t understand threat models or regulatory requirements
• Architecture Negligence: “Forgetting the code exists” means forgetting about scalability, maintainability, and security
• Testing Amnesia: Vibe coding often skips the boring but crucial parts like comprehensive testing and code reviews
   

The Security Fundamentals: What Tea (and You) Should Have Done

While Tea was busy vibing their way to a data breach, they could have followed basic security practices that have been around since before TikTok existed:

Authentication and Authorization: Implement proper user authentication and role-based access controls. Firebase provides detailed documentation on secure configuration—reading it isn’t optional.

Data Encryption: Encrypt sensitive data both at rest and in transit. Government IDs and private messages should never be stored in plaintext, regardless of how secure you think your database is.

Input Validation: Validate and sanitize all user inputs to prevent injection attacks. This isn’t rocket science—it’s Web Security 101.

Regular Security Audits: Conduct regular security assessments and penetration testing. If you’re handling sensitive data, this should be as routine as your daily standup.

Secure Development Lifecycle: Integrate security considerations into every phase of development. Security isn’t a feature you bolt on at the end—it’s a fundamental requirement.
 

The Real Cost: When Code Meets Consequences

The Tea incident isn’t just another tech failure—it’s a human tragedy. Women used this app to warn others about potentially dangerous men, trusting that their identities would remain anonymous. Instead, their photos, IDs, and private conversations ended up on 4chan, where they became targets for harassment and doxxing.

One lawsuit plaintiff joined Tea specifically to warn other women about a man who had sexually assaulted multiple people in her community. The app “promised her anonymity. It promised her safety. It promised to delete her verification data. Tea broke every one of those promises”.

This is what happens when move-fast-and-break-things meets the real world. The broken things aren’t features or user experiences—they’re lives, safety, and trust.
 

The Path Forward: Responsible Development in the AI Era

As we embrace AI-assisted development and vibe coding, we need to establish new norms that prioritize security and responsibility:

Security-First Vibe Coding: Train AI models to suggest secure coding patterns by default. When a developer asks for user authentication, the AI should suggest MFA and proper session management, not just a basic login form.

Regulatory Awareness: AI coding assistants should understand compliance requirements like GDPR, CCPA, and industry-specific regulations. If you’re building a healthcare app, the AI should know about HIPAA. If you’re handling user data in Europe, it should understand data protection requirements.

Threat Modeling Integration: Before generating code, AI assistants should ask about the threat model. Who are the users? What data are you handling? What are the potential attack vectors?

Code Review Culture: Implement mandatory human review for all AI-generated code, especially anything touching user data, authentication, or external APIs. The human brain is still better at understanding context and consequences.
 

Lessons for Startup Founders: Don’t Be the Next Tea

If you’re a startup founder reading this (especially if you learned to code from a bootcamp and YouTube), here’s your reality check:

Hire Security Expertise Early: Don’t wait until you have millions of users to think about security. A single security engineer hired at the beginning is worth more than an entire incident response team hired after a breach.

Understand Your Liability: When you collect user data, you become responsible for protecting it. This isn’t just a technical challenge—it’s a legal and ethical obligation.

Read the Fucking Documentation: Firebase, AWS, and other cloud providers offer extensive security guides. They’re not suggestions—they’re requirements.

Test Everything: Security testing should be as routine as feature testing. If you can afford to A/B test button colors, you can afford to penetration test your authentication system.

Have an Incident Response Plan: When (not if) something goes wrong, you need a plan. Saying “we’re working with cybersecurity experts” after the fact isn’t a strategy—it’s an admission of failure.
 

The Bottom Line: Vibes Don’t Secure Apps, Engineers Do

Vibe coding is a powerful tool, but like any tool, it can be misused. There’s nothing wrong with letting AI generate boilerplate code or help with rapid prototyping. But when it comes to production applications handling sensitive data, vibes need to give way to rigorous engineering practices.

The Tea app incident serves as a stark reminder that in the age of AI-assisted development, the fundamentals of secure coding haven’t changed. Authentication, encryption, input validation, and proper access controls aren’t old-fashioned concepts—they’re timeless requirements for responsible software development.

As we embrace the future of AI-powered development, let’s not forget the lessons of the past. Security isn’t about vibes—it’s about discipline, expertise, and giving a damn about the people who trust you with their data.

The next time you’re tempted to “embrace exponentials and forget that the code even exists,” remember Tea. Remember the women whose photos ended up on 4chan. Remember that behind every line of code are real people with real lives who deserve better than our good intentions and terrible execution.

Code with vibes if you want, but ship with security. Your users—and your lawyers—will thank you.