Reading List
The most recent articles from a list of feeds I subscribe to.
Security Breach at Tea Worsens, Revealing Users’ DMs About Abortions and Cheating
Emanuel Maiberg and Joseph Cox, reporting again for 404 Media:
Despite Tea’s initial statement that “the incident involved a legacy data storage system containing information from over two years ago,” the second issue impacting a separate database is much more recent, affecting messages up until last week, according to the researcher’s findings that 404 Media verified. The researcher said they also found the ability to send a push notification to all of Tea’s users.
It’s hard to overstate how sensitive this data is and how it could put Tea’s users at risk if it fell into the wrong hands. When signing up, Tea encourages users to choose an anonymous screenname, but it was trivial for 404 Media to find the real world identities of some users given the nature of their messages, which Tea has led them to believe were private. Users could be easily found via their social media handles, phone numbers, and real names that they shared in these chats. These conversations also frequently make damning accusations against people who are also named in the private messages and in some cases are easy to identify. [...]
Some of the private messages viewed by 404 Media include:
- One user tells another they just discovered their husband on the app being discussed. “I am his wife,” many of the messages say.
- Another appears to show a woman contacting others about a man she is engaged to.
- Multiple messages which appear to show women discussing their abortions.
- Chat logs between women discovering they are dating the same man, exchanging information such as what car he drives for verification.
When I linked to 404 Media’s coverage of the initial breach at Tea the other day, I wrote, “I’m not accusing Tea in particular of being vibe-coded”. Well, I still don’t know if Tea’s service architecture was vibe-coded, but it’s now clear that whoever made it was shamefully incompetent. They shouldn’t have made any sort of services backend, let alone one like Tea’s that’s intended to carry incredibly sensitive personal information and messages.
This is an outright privacy — and quite possibly, personal security — disaster. With the abortion discussions and the current bifurcation of women’s rights here in the US, it could be a legal disaster, too. 4chan clowns have taken the images and data and created maps of Tea users’ addresses, and a Mark-Zuckerberg-“Facemash”-style site for ranking users’ appearance.
For women who’ve already signed up and started using Tea, I doubt there’s anything that can be done to remove them from exposure. Even if Tea offers a “delete your account” feature, I wouldn’t trust that it actually deletes anything from their database, let alone everything. And the cat’s already out of the bag for any bad actors who figured out this second exploit before Tea was alerted.
Yet another data point for the argument that any “private messaging” feature that doesn’t use E2EE isn’t actually private at all.
[Sponsor] Hello Weather
One of the best indie weather apps just got a major overhaul for 2025, and it’s worth checking out.
Hello Weather is well known for its simple, friendly design, but the new update rounds it out with more depth and customization.
You’ll get beautiful new visuals for wind, UV, future forecasts, and more, all powered by the finest data on Earth. With its excellent widgets, Watch app, and notifications, you’ll always stay up to date.
Hello Weather also respects your privacy, with no tracking or ads in sight. It’s a customer-focused app, made with care.
Download Hello Weather and start a 7-day free trial.
Republican Election Group Is Attempting to Organize Against Text Message Filtering in iOS 26
From this paywalled report at Punchbowl News, as quoted by Taegan Goddard at Political Wire:
“The Senate GOP campaign arm is warning that Apple’s new iOS update could cost them $25 million in fundraising revenue, as well as priceless GOTV opportunities,” Punchbowl News reports.
Here’s a copy of the original memo from the NRSC (National Republican Senatorial Committee). What they’re freaking out about is the new iOS 26 Messages feature (which will be available in Messages on iPadOS and MacOS 26 too — but because these messages are sent as SMS and because the iPhone is so many people’s primary or sole messaging device, it’s the platform they’re focusing on) that will automatically sort messages from unknown senders into a new “Unknown Sender” inbox.
Quoting from the NRSC letter (emphasis in original):
Apple’s iOS 26 update introduces aggressive message filtering. Political texts — even from verified and compliant senders — will be treated as spam by default, silently sent to an “Unknown” inbox with no alerts or notifications. That change has profound implications for our ability to fundraise, mobilize voters, and run digital campaigns.
It’s important to understand: Apple isn’t just targeting cold outreach or spammy actors. Every political message — shortcode, long code, doesn’t matter — gets pushed into the dark. The only workaround — getting a voter to reply — is increasingly rare and entirely at the mercy of Apple’s unclear rules. How will a voter reply if they never get the message?
Apple’s “rules” for this new feature aren’t unclear at all. If a sender is not in your saved contacts and you’ve never sent or responded to a text message from them, they’re considered “unknown”. That’s it. The feature isn’t even really new — you’ve been able to filter messages like this in Messages for years now, but what iOS 26 changes is that it now will be on by default and has a new more prominent — better, IMO — interface for switching between filter views. Update: I was wrong that this filtering will be on by default in iOS 26 — I was fooled because I had previously enabled “Filter Unknown Senders” in Settings → Apps → Messages → Unknown & Spam (which you need to scroll down quite a bit to get to). I do think, though, that many more iOS users will be using this feature starting with iOS 26 — it’s both better designed and less hidden.
Back to the NRSC letter:
Here’s the shift in practice. Today, a voter with an iPhone gets our message just like a normal text. In iOS 26, unless that person has already replied, our message is silently sent to the “Unknown” inbox. No ping, no badge, just buried in an inbox few people ever check.
We’ve spent years complying with rigorous standards — providing full documentation, opt-in proof, and message samples via Campaign Verify and The Campaign Registry — yet Apple ignores that. Carriers respect it. Apple doesn’t.
Estimated prospecting losses: NRSC alone could see a $25M+ revenue hit. Since 70% of small-dollar donations come via text, and iPhones make up 60% of US mobile devices, the macro effect could be over $500M in lost GOP revenue. [...]
Unfortunately, K St and trade groups are asleep at the wheel. Apple isn’t engaging. But we have only a few weeks left before the public release. If we’re going to push back, it has to be now. We have a very narrow window to fix this.
“Unknown Senders” isn’t spam. It’s for ... unknown senders. Which these political texts are. I don’t know anyone who enjoys getting these texts in their primary timeline of messages. What the NRSC is asserting here is that they have a right to put political solicitations in your primary Messages view, and to have them appear as notifications, which is ridiculous.
Also, there’s no reason to believe that Republican candidates and groups will be more affected by this than Democratic ones. There’s no filtering by message content. It’s just a change to stop sending notifications for texts from unknown senders, and to put those messages in a separate timeline by default. People will check the Unknown Senders timeline occasionally too — all sorts of text messages from bots will go there, including some you want or need.