How Ruby Went Off the Rails
What happened to RubyGems, Bundler, and the open source drama that controls the internet infrastructure.
For the past couple of weeks, a community of developers who use the programming language Ruby have been closely following a dramatic change in ownership of some of the most essential tools in its ecosystem, with far-reaching impacts for the worldwide web.
If you’re not familiar with Ruby or the open source development community, you probably haven’t heard about any of this, but the tools in question serve as critical infrastructure for gigantic internet services like GitHub, Shopify, and others, so any disruption to them would be catastrophic to those companies, their users, and vast swaths of the internet.
On September 19, Ruby Central, a nonprofit organization that manages RubyGems.org, a platform for sharing Ruby code and libraries, asserted control over several GitHub repositories for RubyGems as well as other critical Ruby open source projects that the rest of the Ruby development community relies on. A group of open source developers who had contributed to those projects and maintained them for years had their permissions suddenly revoked. When these developers announced on social media that their access had been taken away, many Ruby developers saw the decision as a betrayal of their years-long contributions to the Ruby ecosystem and of open source principles more generally. Others accused Ruby Central of succumbing to corporate pressure from companies like Shopify, which they claimed wanted more control over the project.
I’ve spent the last week talking to people who had direct involvement with Ruby Central’s decision, the contributors who were ousted, and developers in the Ruby community. I’ve heard accusations of greed, toxic personalities, and stories about years-long feuds between people, at times in open disagreement, who ultimately govern some of these important open source tools.
RubyGems.org and other critical Ruby tools have so far not been interrupted during this transition, but the incident sheds light on a basic truth about the internet and open source development: Much of the technology we use every day and take for granted is being maintained by a small number of developers who are not compensated for that work, or who get paid very little compared to salaries at big tech companies. Open source development continues to make much of the internet possible, but as some of these tools become more important and financially valuable, they’re subject to more scrutiny and pressure from the community, organizations, and companies that rely on them.
“In some ways, this whole affair is an example of why this stuff gets really messy when people start getting paid, and once you start introducing formal organizations and employees and nonprofits and lawyers and all this kind of complexity,” Mike McQuaid, developer of the popular package manager Homebrew, which is built with Ruby, told me. McQuaid has talked to and offered to mediate between Ruby Central and the ousted maintainers. “This is a textbook case of what happens when there's this conflict between what companies want, what nonprofit individuals want, how much responsibility people have when they take money, who gets control and when. How much democracy versus just ‘I have the power to do something, therefore I'm going to do it.’”
With Ruby, developers can download and use self-contained packages of code that add different functionalities to a Ruby project. These packages are called gems, and are distributed primarily via RubyGems.org, where developers can upload gems they’ve developed or download gems from other developers.
The ability to download gems and plug them into different projects is very useful and convenient for Ruby developers, but can create complications. Different gems are developed by different teams and are updated at different times with bug fixes and new features, and might not necessarily be compatible or play well with one another as they evolve.
This is where Bundler comes in. As its website explains, “Bundler provides a consistent environment for Ruby projects by tracking and installing the exact gems and versions that are needed.” So, for example, if a developer is building a Ruby project and wants to use gems X, Y, and Z, Bundler will pull the versions of those gems that are compatible with one another, providing developers an easy solution for what Bundler describes as “dependency hell.”
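As an added illustration of what Bundler’s “exact gems and versions” pinning looks like on disk (example code written for this page, not Bundler’s own code and not from the article): a small Ruby reader for the Gemfile.lock format that reports the resolved version of each declared gem, checks each pin against its Gemfile requirement, and flags gems resolved from somewhere other than rubygems.org. The lockfile text, gem versions, and git URL below are constructed for the example.

```ruby
# Added example: a minimal Gemfile.lock reader. Not Bundler's own code.
require "rubygems" # Gem::Version / Gem::Requirement ship with Ruby

# Constructed sample lockfile: one gem pinned to a git remote, three from
# rubygems.org, and the direct dependencies declared in the Gemfile.
SAMPLE_LOCK = <<~LOCK
  GIT
    remote: https://github.com/example-org/example_gem.git
    revision: 0123456789abcdef0123456789abcdef01234567
    specs:
      example_gem (0.1.0)

  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.0.8)
      rack-test (2.1.0)
        rack (>= 1.3)
      rake (13.1.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    example_gem!
    rack (~> 3.0)
    rack-test
    rake (>= 13)

  BUNDLED WITH
     2.5.6
LOCK

# Parse a lockfile into the pinned specs and the declared dependencies.
# Returns { specs: { name => { version:, remote: } }, deps: { name => requirement } }
def parse_lockfile(text)
  specs = {}
  deps = {}
  section = nil
  remote = nil
  in_specs = false
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    if line !~ /\A\s/ # an unindented line starts a new section (GEM, GIT, ...)
      section = line.strip
      remote = nil
      in_specs = false
      next
    end
    indent = line[/\A */].size
    body = line.strip
    case section
    when "GEM", "GIT", "PATH"
      if body.start_with?("remote: ")
        remote = body.sub("remote: ", "")
      elsif body == "specs:"
        in_specs = true
      elsif in_specs && indent == 4 && (m = body.match(/\A(\S+) \(([^)]+)\)\z/))
        # 4-space lines are resolved gems; 6-space lines are their transitive requirements
        specs[m[1]] = { version: m[2], remote: remote }
      end
    when "DEPENDENCIES"
      # "name", "name (req)" or "name!" (the "!" marks a non-rubygems source)
      m = body.match(/\A(\S+?)(!?)(?: \((.+)\))?\z/)
      deps[m[1]] = m[3] || ">= 0" if m
    end
  end
  { specs: specs, deps: deps }
end

# Audit: is every declared dependency pinned, does the pin satisfy the
# Gemfile requirement, and which pins come from somewhere other than rubygems.org?
def audit_lockfile(text)
  lock = parse_lockfile(text)
  findings = []
  lock[:deps].each do |name, req|
    spec = lock[:specs][name]
    if spec.nil?
      findings << "#{name}: declared but not pinned in the lockfile"
      next
    end
    unless Gem::Requirement.new(req).satisfied_by?(Gem::Version.new(spec[:version]))
      findings << "#{name}: pinned #{spec[:version]} does not satisfy #{req}"
    end
    unless spec[:remote] == "https://rubygems.org/"
      findings << "#{name}: resolved from #{spec[:remote]} rather than rubygems.org"
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  audit_lockfile(SAMPLE_LOCK).each { |finding| puts finding }
end
```

Running it against the sample reports only the git-sourced gem; editing a pinned version in the lockfile so that it no longer matches the Gemfile requirement produces a second finding.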
Bundler is an open source project that was initially developed by Yehuda Katz, but the GitHub repository for the project was created and was administrated by André Arko. In 2015, Arko also founded a nonprofit trade organization named Ruby Together, which raised funds from developers and companies that use Ruby in order to maintain Bundler and other open source tools.
RubyGems.org, the site and service, is governed by Ruby Central, a nonprofit founded in 2001, which also organizes several Ruby conferences like RubyConf and RailsConf. In 2022, Arko’s Ruby Together and Ruby Central merged, “uniting the Ruby community’s leading events and infrastructure under one roof,” according to Ruby Central’s site. Bundler’s and RubyGems.org’s work often overlapped both in their goals and in the developers who worked on them, but the projects operated across two different GitHub organizations, each with its own repositories. To streamline development of these open source projects, Bundler also joined the RubyGems GitHub organization in 2022.
In 2023, Ruby Central established the Open Source Software Committee, which according to its site oversees RubyGems, Bundler, and RubyGems.org, focusing on infrastructure stability, security, and sustainability.
A confusing but central point of disagreement between Ruby Central and the maintainers it ousted on September 19 stems from the merger of Ruby Together and Ruby Central, and from the difference between RubyGems.org the service (essentially a deployment of the RubyGems codebase on an AWS instance, which both parties agree Ruby Central owns and operates) and RubyGems the codebase, which lives in the same GitHub organization as Bundler.
According to a recording I obtained of a mid-September Zoom meeting between Marty Haught, Ruby Central’s Director of Open Source, Arko, and the other ousted contributors, Ruby Central maintains that the codebase and GitHub organization became its responsibility when Ruby Central merged with Ruby Together in 2022. The ousted contributors’ position is that members of Ruby Central, like Haught, can be owners of the GitHub organization, but that ownership of the RubyGems codebase and other projects in the GitHub organization belongs to the contributors, who don’t have a detailed governance model but historically have governed by consensus.
Arko made this argument to me in a recent interview, but also outlined that argument in a blog post, where he also shared the merger agreement between Ruby Central and Ruby Together. It shows that Ruby Together would dissolve and that Ruby Central would be in charge of raising and allocating funds for development, but does not explicitly say Ruby Central takes ownership of the RubyGems and Bundler projects or the GitHub organization.
To make matters even more complicated, Arko was at once a contributor to these open source projects, a contributor to RubyGems.org the service, an owner of the GitHub organization, and an advisor to Ruby Central’s Open Source Software Committee.
In May, Arko resigned his position as an advisor to Ruby Central’s Open Source Software Committee, but continued his work as a contributor. Arko told me he resigned his advisory role because of Ruby Central’s last-minute invitation of David Heinemeier Hansson, better known online as DHH, as a keynote speaker at RailsConf.
Arko told me he objected to that decision because of DHH’s “horrifying, racist, misogynist, politics” and DHH’s “personal vendetta” against him. In 2021, back at Motherboard, we reported that many employees at DHH’s company, Basecamp, quit after his decision to ban any discussion of politics at work, which many employees saw as squashing discussion about race, bias, and diversity. Arko told me that DHH’s “personal vendetta” against him stemmed from Arko not wanting to support a certain feature DHH wanted added to Bundler, after which DHH demanded Arko be removed from the Ruby Together board.
The current controversy erupted on social media on September 19, when one contributor to the open source projects in the RubyGems and Bundler GitHub organization, Ellen Dash, announced that Haught, Ruby Central’s Director of Open Source, revoked GitHub organization membership for all admins on the RubyGems, Bundler, and RubyGems.org maintainer teams. At that moment, their permissions and access to the GitHub organization were revoked, meaning they could no longer make any changes or contributions to the code, and Haught, representing Ruby Central, took control.
“I will not mince words here: This was a hostile takeover,” Dash said in a public “goodbye” letter they shared online. “I consider Ruby Central’s behavior a threat to the Ruby community as a whole. The forceful removal of those who maintained RubyGems and Bundler for over a decade is inherently a hostile action. Ruby Central crossed a line by doing this.”
The news was seen by many developers in the Ruby and open source community as betraying the dedication and labor that Dash, Arko, and other maintainers put into these tools for years.
Ruby Central, meanwhile, describes the move as one centered around security.
“With the recent increase of software supply chain attacks, we are taking proactive steps to safeguard the Ruby gem ecosystem end-to-end,” Ruby Central said in an explanation of its decision. “To strengthen supply chain security, we are taking important steps to ensure that administrative access to the RubyGems.org, RubyGems, and Bundler is securely managed. This includes both our production systems and GitHub repositories. In the near term we will temporarily hold administrative access to these projects while we finalize new policies that limit commit and organization access rights. This decision was made and approved by the Ruby Central Board as part of our fiduciary responsibility. In the interim, we have a strong on-call rotation in place to ensure continuity and reliability while we advance this work. These changes are designed to protect critical infrastructure that power the Ruby ecosystem, whether you are a developer downloading gems to your local machine [or] a small or large team who rely on the safety and availability of these tools.”
404 Media has covered the kind of recent supply chain attacks targeting open source projects that Ruby Central is referring to. Earlier this month, a critical JavaScript development tool, Node Package Manager (NPM), was targeted by a similar supply chain attack. But not everyone in the Ruby development community bought the explanation that security was at the heart of the recent moves. One reason for that is a public statement from Ruby Central board member and treasurer Freedom Dumlao.
On Substack, Dumlao apologized for the sudden change and how it was communicated.
“If Ruby Central made a critical mistake, it's here,” he wrote. “Could these conversations have been happening in public? Could the concerns we were hearing from companies, users and sponsors have been made more apparent? Probably. But I remind you we don't have a ‘communications team’, no real PR mechanism, we are all just engineers who (like many of you I'm sure) go heads down on a problem until it's solved.”
Dumlao reiterated that RubyGems and Bundler are critical infrastructure that are now increasingly under the threat of supply chain attacks, and said that the companies that rely on them “count” on Ruby Central to do everything it can to keep them and their users safe.
However, Dumlao also said that Ruby Central was under “deadline” to make this change.
“Either Ruby Central puts controls in place to ensure the safety and stability of the infrastructure we are responsible for, or lose the funding that we use to keep those things online and going,” Dumlao wrote.
In a September 22 video message in response to criticism about its decision to remove maintainers, Ruby Central’s executive director Shan Cureton described a similar dynamic. She said “sponsors and companies who depend on Ruby tooling came to us with supply chain concerns” and that “Our funding and sponsorships are directly tied to our ability to demonstrate strong operational standards. Without those standards in place, it becomes harder to secure the support needed to keep maintainers paid, organize events, and provide resources for developers at every stage of their journey.”
Since Shopify is one of the primary sponsors and funders of Ruby Central, this led some in the Ruby community to believe that Shopify was exerting pressure on Ruby Central to make this change.
“That is not how it happened, and I wish I had been more careful with my wording in that blog post,” Dumlao told me in a LinkedIn message when I asked him if Ruby Central was under pressure from Shopify to make these changes.
After I gave Dumlao my number so we could do a phone interview, I got an email from Cindi Sutera, who was recently brought on as a spokesperson for Ruby Central.
“Ruby Central’s mission is to keep the infrastructure that Rubyists rely on stable, safe, and trustworthy,” she told me. “As part of a routine review following organizational changes, we identified a small number of accounts whose privileges no longer matched current role requirements. The Board voted that it was imperative to align access with our privilege policy to keep the infrastructure that the Ruby community depends on stable. This is our mission.”
Sutera said that the board approved “a temporary administrative hold on certain elevated permissions” while it finalized operator agreements and governance roles.
“To move quickly and transparently, we imposed a clear deadline to complete operator agreements and close gaps,” she said. “We could have communicated earlier that we felt it necessary to move quickly and wish we could have given the community more time to prepare for this action. And now, here we are committed to completing this transition for the stability and security of the Ruby Gems supply chain. More updates are coming as we work through security protocols and stabilization efforts.”
“There’s literally only one company providing the money that is keeping Ruby Central open, and it is Shopify,” Arko told me. “And so I just don't think that there's any other plausible explanation than Shopify demanded this.”
When I asked Arko why he thought Ruby Central removed him, if it wasn’t for security reasons, Arko said: “totally unprovable speculation is Shopify’s CEO is best friends with DHH, who hates me.” DHH is also a Shopify board member.
“Thanks for the invitation, but not my place to weigh in a lot on this while they're working through these changes,” DHH told me in an email when reached for comment. “But I support them taking steps to secure and professionalize the supply chain work they're doing.”
Shopify did not reply to a request for comment.
As this episode spread on social media, I talked to several people associated with Ruby Central who told me the board was acting in the interest of RubyGems and the Ruby community. Two sources who asked for anonymity for fear of retaliation said that Arko was difficult to work with, questioned how he used funds raised by Ruby Together, and claimed that a new Ruby version manager he’s working on, rv, means he has a conflict of interest with his work on RubyGems and Bundler.
Arko acknowledged to me that he has heard he’s been difficult to work with in the past. He said that sometimes he’s been able to reach out to people directly and resolve any issues, and that sometimes he hasn’t. He rejected the other allegations, and said that Ruby Together’s financials have always been public.
“It has always been fully public, and the amount has been fixed at $150 an hour for 10 years,” he said, referring to the amount contributors got paid to work on Bundler. Arko added that nobody has ever been paid for more than 20 hours a week, and that the most he’s been able to raise in a single year is $300,000 to pay eight different contributors. “Nobody has gotten a raise for 10 years.”
“As a matter of policy, we don’t discuss individual personnel,” Sutera, the Ruby Central spokesperson, said when I asked if Arko was removed from the GitHub organization because of his previous behavior. “Our recent actions were organization-wide governance measures aimed at aligning access with policy. Our priority is maintaining a stable and secure Ruby Gems supply chain.”
McQuaid, the Homebrew developer, who has followed the controversy, told me that even Arko’s harshest critics wouldn’t deny the contributions he’s made to the Ruby community over the years.
Regarding Arko’s blog post about his removal, McQuaid told me it’s good that Arko is crediting other people for their contribution and that he’s following open source principles of community and transparency, but that “his ‘transparency’ here has been selective to things that benefit him/his narrative, he seems unwilling or unable to admit that he failed as a leader in being unwilling or unable to introduce a formal governance process long before this all went down or appoint a meaningful successor and step down amicably.”
The fundamental disagreement here is about who “owns” the GitHub organization that houses Bundler and RubyGems. Technically, Ruby Central was able to assert control because Hiroshi Shibata, a member of the Ruby core team and one of the contributors with owner-level permissions on the GitHub organization, made Haught, who revoked the others’ access, an owner as well. Any owner can add or remove any other owner, and when Ruby Central’s board voted to make this change, Haught acted immediately and removed Arko, Dash, and others.
However, Arko fundamentally disagrees with the premise that Ruby Central has the right to govern the GitHub organization in any way, and believes that it has always belonged to the group of contributors who had access up until September 19.
Arko said that even if Ruby Central gave him his permissions back, he would not consider the matter resolved until Ruby Central stopped claiming it owns Bundler “but I am definitely not going to hold my breath for that one.”
“When people really care, they're passionate and they're enthusiastic and they argue, and that often looks like drama,” McQuaid, the developer of Homebrew, said when I asked what he thinks this entire affair says about the state of open source development. “But if I had to pick between having the enthusiasm and the drama or losing both, then I'd probably pick the enthusiasm and the drama, because in some ways, the system is somewhat self correcting. Even the stuff that's going on right now, people are having essentially a very public debate about what role do large companies or nonprofits or individual maintainers have in open source. To what extent does someone's level of contribution matter versus what type of person they are? I think these are valuable discussions to be having, and we're having them in the open, whereas if it was in a company, this would all be in a meeting room or with an HR department or in a leadership offsite or whatever.”
How Lofi Girl Became a Chill Beats Empire
How the iconic looping video of a studying anime girl and stream of chill music became a big business.
Tens of thousands of people, at any given time, are idly listening to the ambient, muted beats that accompany the Lofi Girl livestream: in solo studying sessions, taking tests in a classroom, and using the tunes as a stand-in for white noise to aid sleep. The livestream, which is one of the longest running live broadcasts on YouTube, is often hiding in browser tabs, leaving the perpetually busy Jade (the Lofi Girl) to lazily take her notes behind whatever Wikipedia page or spreadsheet you’ve got open. But she is always there, the googly eyes stuck to her headphones wobbling as she looks up from her notes, to peek in on, to study with, or to chill to—the details of the music become secondary to the vibe.
From a single livestream that’s been running in some form since 2017—the YouTube channel, which was started in 2015, was called ChilledCow before the iconic rebrand—Lofi Girl has grown into an empire. To put that growth into perspective, ChilledCow had 1.6 million YouTube subscribers in 2018, a number that grew to 5 million in 2020. Now, the channel has more than 15 million subscribers. The soundtrack of Lofi Girl’s brand of chill is pervasive, and the ubiquity of her aural and physical aesthetic made Jade a big business, her essence seeping into wider culture; Nissan harnessed the vibe to sell its electric car, Will Smith to sell hoodies, and even U.S. president Donald Trump in a maniacal attempt to sell his administration’s “Big Beautiful Bill.” Lofi Girl—the company—leverages its influence itself, expanding from simply a YouTube channel into an advertising arm, merchandising enterprise, and full blown record label.
To reach this success over the past 10 years, Lofi Girl has had to adjust. Its success in making music that’s appealing to everyone changed the kind of music that’s coming out of the channel. While Lofi Girl once firmly fit within the genre of lofi hip hop, known for pairing relaxed—but still thumping—beats with nostalgic sound samples, its music has largely dropped the hip hop. Lofi Girl’s music is now simply its own genre: lofi, where the soft, tonal consistency means it can be hard for the average listener to even see its works as distinct songs. The drum beats of the “chill beats to relax/study to” sometimes even take a backseat to the rounded, flighty melodies. Dr. Jenessa Williams, a music and fan culture researcher at Stanford University, called Lofi Girl a “deeply valued background noise community.”
“Music consumption is shifting,” a Lofi Records label manager, who goes by Berrkan Bag online, told 404 Media in an email. “Short-form and scroll-driven platforms have changed how people engage with lo-fi. Some of the long-form, narrative visuals that helped define the genre are being challenged by algorithmic trends.”
He added that lofi itself is maturing as the genre redefines “itself between functional background music and meaningful creative expression.”
March marked 10 years since creator Dimitri Somoguy started the ChilledCow YouTube channel that would eventually become Lofi Girl. It started as a place to broadcast lofi hip hop beats, set to a looping video clip of Shizuku Tsukishima, the young girl protagonist from Studio Ghibli’s 1995 animated film Whisper of the Heart. The stream was taken down in 2017 over copyright concerns about the character’s usage, and that’s where Jade came from: ChilledCow hired Colombian artist Juan Pablo Machado to create an original character. Jade’s been the face of lofi beats on YouTube since, and so it makes sense the channel was renamed from ChilledCow to Lofi Girl in 2021. The current stream started in July 2022, making this particular broadcast one of the longest running livestreams on YouTube. The record would have been longer if it weren’t for a Digital Millennium Copyright Act takedown notice from 2022 that forced the Lofi Girl YouTube channel to go dark. (YouTube later called the DMCA notice “abusive.”)
Lofi Girl has never been the only place with beats to study or relax to—a genre that’s since become both a phenomenon and a meme: Actor Will Smith has chill beats to quarantine to; Chillhop Music, which precedes even ChilledCow, has chill beats to farm Elden Ring runes to; you can even study with Waluigi—for more than 11 hours!—to the sound of somewhat chaotic lofi hip hop. The aesthetic popularized by Lofi Girl is a mixture of muted anime clips with music that’s engaging enough without distracting from whatever task a person is doing in the background. The Lofi Girl channel, as a whole, is by far the most popular place for lofi music, and has been for a while.
Today, there are more than a dozen streams of different lofi themed music running concurrently, several of which have thousands of people listening at any given time. There are also dozens of YouTube videos, both branded content and an emerging narrative about Jade and a new character, Synthwave Boy, a neighbor whose intertwined story slowly unfolds over short videos. The company, which has about 20 employees, not including its hundreds of collaborators, according to a Lofi Girl representative, expands from there. Lofi Records is the in-house record label that’s published thousands of songs on its YouTube channel and on vinyl. Lofi Studio, an art team that makes Lofi Girl’s branded content, pumps out regular collaborations and brand deals. And then there’s Lofi Girl Shop, which sells, among other things, vinyl records, a recreation of Synthwave Boy’s bomber jacket and purple beanie, and a plush orange cat. Lofi Girl is expanding into gaming, too. Lofi Girl has three official Fortnite maps: one in which you can, dressed as Darth Vader or Peely Bone, walk about a recreation of Jade’s bedroom; another that’s a Lofi Girl simulator; and a third that’s a parkour game called Only Up.
It’s no coincidence that the Lofi Girl channel blew up exponentially during the pandemic. People were spending a lot of time online, of course, but the channel offered a predictable constant. The music even edges on sleepy. YouTube creator Peter Tagg told 404 Media he has it playing for hours in the background multiple days a week—it's a salve that's beneficial for studying and even as a sleep aid. It’s always there, and the music is curated in such a way that you’re never really surprised by what you’re hearing, which can be comforting and not distracting. Williams, the music researcher, told 404 Media that Lofi Girl's aesthetic taps into "the psychology of productivity mirroring," which is a technique in which people motivate themselves to do a task by having another person around.
Williams says the music itself can often become secondary to the familiar, comforting vibe for Lofi Girl listeners. “Lofi Girl appeals most to young music fans who love and consume lots of different kinds of music, but appreciate the Lofi Girl specifically because it gives them something predictable in an evermore chaotic world,” she said. “Musical discovery via the Lofi Girl is certainly possible, but you’re unlikely to encounter anything truly surprising or cortisol-spiking, and I think—whether one sees this as a positive or not—that's why it has become so popular.”
Lofi music was originally more hip hop than anything else, popularized by two artists in particular: J Dilla and Nujabes. It’s a genre defined by nostalgia, drum beats, and melancholy sound—but as Lofi Girl, the channel, got more popular, the hip hop influence started to slide away in favor of reverb-heavy, ethereal music with simple drum beats. Producer and Lofi Girl collaborator Phil Morris Lesky, who publishes under the name Lesky, told 404 Media that the music he creates for Lofi Girl, specifically, is “more its own thing now. The rhythm section takes a little bit of a backseat. It’s more about arrangement.”
Though it clearly resonates with a mainstream audience, some in the lofi hip hop community criticize Lofi Girl for its role in anonymizing the music and stripping out its hip hop influence. Another Lofi Girl collaborator, who asked to remain unnamed as to not jeopardize an ongoing relationship with the brand, likened it to Muzak—a brand of background music designed to be unobtrusive for use in retail stores. “That’s kind of what happened with lofi music,” they said. “It’s no longer artists making sounds they want, rather, it’s a record label trying to curate an experience for, like, coffee shops.” (One prominent lofi hip hop musician, bsd.u, cheekily criticized lofi streams like Lofi Girl with a song called “all my homies hate 24/7 lofi streams.”)
This collaborator said Lofi Girl has a Discord server for musicians, and that’s where the company solicits music for its livestream. Often, Lofi Girl asks musicians to write to a specific theme—be it medieval, Halloween, synthwave, or for the vague “asian” radio channel, just make it lofi. The company often provides a playlist of music to emulate, they say. Then, a musician can submit music to Lofi Girl in hopes it gets chosen. Lesky and lofi producer Julien Pannetier, who goes by VIQ, aren’t bothered by the themed submission system. Lesky said it's easy to know exactly what the label is looking for. No guesswork involved. There’s less creative freedom, Pannetier told 404 Media, “but that can also be a driving force.”
The aforementioned anonymous Lofi Girl collaborator doesn't see it that way: “It’s really a policing of aesthetics and sounds that keeps artists from actually taking creative risks.”
It’s designed to be palatable to everyone. “The whole livestream on YouTube, the playlist growth on Spotify, without any judgement or critique, is creating a homogeneous sound that’s basically easily categorized,” Lesky said. “People understand it quickly. It’s really search engine-optimized. They have a huge influence.”
What this adds up to is big business for Lofi Girl. A YouTube channel of Lofi Girl’s size alone can bring in millions of dollars a year from YouTube’s ad revenue program. (Though Lofi Girl’s live streams aren’t interrupted by ads like lots of YouTube videos, they’re preceded by them. That, plus ads on dozens of other videos on the Lofi Girl channel that aren’t livestreams, makes a ton of money.) The popularity of the channel, and its ability to harness a vibe that resonates with everyone, is what’s driving Lofi Girl’s successful push into advertising. Over the past few years, Lofi Studio has been hired to create branded content that pulls a piece of the respective company into the Lofi Girl world. Lofi Girl’s marketing studio made a one-hour YouTube video for Alien: Isolation, but instead of Jade and her bedroom, it’s an alien on an anime-rendered spaceship, complete with Jones the cat perched at the Nostromo’s window. For Lofi Studio’s Starfield collab, the company remixed the Microsoft game’s soundtrack, and set the video in a cozy little starship. No cat, but the robot does have its own cozy cup of coffee.
It works so well that other brands are trying to mimic the aesthetic.
Nissan debuted a four-hour YouTube video in 2023 to advertise its electric car, the Ariya. Its inspiration is obvious, swapping Jade for a dark-haired woman in a leather jacket who’s vibing to lofi beats from a car instead of a bedroom. None of this was created by Lofi Studio. Advertising company The Mayda Creative Co. and animation studio Titmouse created the YouTube video and its art, but ran the ads on Lofi Girl content. It’s got more than 18 million views. Will Smith’s quarantine beats slapped on, or, if you’re less generous, ripped off the aesthetic of Lofi Girl in this way. Dr. Steven Gamble, lecturer of digital humanities at the University of Southampton who writes about hip hop and the internet, told 404 Media that Smith’s fashion brand Bel-Air Athletics posted the video as Lofi Girl was taking off during the pandemic. “When things are popular and there’s an audience that has commercial potential, that’s what people do,” he says. Smith and Bel-Air Athletics positioned the video as “chill beats to quarantine to”—but it’s really “chill beats to buy his hoodies to,” Gamble told 404 Media. Nissan and Smith did not respond to a request for comment.
The big difference, though, is that Smith’s chill beats are seemingly as low effort as possible, just licensing some existing music. Lofi Girl’s amalgamation of companies means the company’s team of 20 employees (and hundreds of contracted musicians and artists) can do almost everything in house, then hire artists to create the music central to its channels. That often benefits the musicians who drive the Lofi Girl channel, three artists who spoke to 404 Media said. The artists declined to share specifics, but said that Lofi Girl’s rates are standard for the industry. The money Lofi Girl musicians get isn’t from the ad revenue tied to the YouTube channel, but from the playlists it hosts on places like Spotify and Apple Music.
Lesky said the “playlist power and ecosystem behind the brand” drives a lot of exposure to his music. “I just really appreciate the opportunity the label and channel has given me from the beginning,” he said. “They were one of the first outlets that shared my music and it kicked off from there. It kicked off a career that sustained me for years now.”
The New York Times, in 2018, declared that 24/7 channels like ChilledCow and Chillhop Music were “unlikely to have a broad impact on the music industry,” representing “an underground alternative to the streaming hegemony of Spotify and Apple Music.” They were wrong. Lofi Girl’s core audience might not be able to name a single artist broadcast during a livestream (even if it is driving listeners to Spotify and paying dividends for artists). They may not have even known Lofi Girl has a name. But Lofi Girl is hardly underground. The company signed an administrative publishing deal with Warner Music Group in 2024, putting Warner in charge of licensing, royalties, copyright and other admin work. (Still, Pannetier said his experience with Lofi Girl was the opposite of the wider music industry, which he described as “very closed off and elitist.”)
For better or for worse—it all depends on who you’re asking—Lofi Girl is no longer the “pirate radio station” that took over YouTube in 2018. Lofi Girl is no longer just your study buddy. She’s an enterprise.
Correction: This article previously linked to a study published in Scientific Research Publishing. We've removed that link because the journal doesn't meet our editorial standards.
“Kia Boys will be Flipper Boys by 2026,” one person in the reverse engineering community said.
Features
Inside the Underground Trade of ‘Flipper Zero’ Tech to Break into Cars
A man holds an orange and white device in his hand, about the size of his palm, with an antenna sticking out. He enters some commands with the built-in buttons, then walks over to a nearby car. At first, its doors are locked, and the man tugs on one of them unsuccessfully. He then pushes a button on the gadget in his hand, and the door now unlocks.
The tech used here is the popular Flipper Zero, an ethical hacker’s Swiss Army knife, capable of all sorts of things such as WiFi attacks or emulating NFC tags. Now, 404 Media has found an underground trade where much shadier hackers sell extra software and patches for the Flipper Zero to unlock all manner of cars, including models popular in the U.S. The hackers say the tool can be used against Ford, Audi, Volkswagen, Subaru, Hyundai, Kia, and several other brands, including sometimes dozens of specific vehicle models, with no easy fix from car manufacturers.
Do you know anything else about people using the Flipper Zero to break into cars? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.
These tools are primarily sold for a fee, keeping their distribution somewhat limited to those willing to pay. But there is the looming threat that this software may soon reach a wider audience of thieves. Straight Arrow News (SAN) previously covered the same tech in July, and the outlet said it successfully tested the tool on a vehicle. Now people are cracking the software, meaning it can be used for free. Discord servers with hundreds of members are seeing more people join, with current members trolling the newbies with fake patches and download links. If the tech gets out, it threatens to supercharge car thefts across the country, especially those that are part of the social media phenomenon known as Kia Boys, in which young men, often in Milwaukee, steal and joyride Kia and Hyundai cars specifically because of the vehicles’ notoriously poor security. Apply that brazenness to all of the other car models the Flipper Zero patches can target, and members of the car hacking community expect thieves to start using the easy-to-source gadget.
A 404 Media investigation reveals how the man who started Tea, the ‘women dating safety’ app, tried to hire a female ‘face’ for the company and then hijack her grassroots community.
Features
How Tea’s Founder Convinced Millions of Women to Spill Their Secrets, Then Exposed Them to the World
On March 16, 2023, Paola Sanchez, the founder and administrator of Are We Dating the Same Guy?, a collection of Facebook groups where women share “red flags” about men, received a message from Christianne Burns, then fiancée of Tea CEO and founder Sean Cook.
“We have an app ready to go called ‘Tea - Women’s Dating Community’, that could be a perfect transition for the ‘Are we dating the same guy’ facebook groups since it sounds like those are on their way under… Tea has all the safety measures that Facebook lacked and more to ensure that only women are in the group,” Burns said. “We are looking for a face and founder of the app and because of your experience, we think YOU will be the perfect person! This can be your thing and we are happy to take a step back and let you lead all operations of the product.”
The Tea app, much like the Are We Dating the Same Guy Facebook groups, invites women to join and share red flags about men to help other women avoid them. In order to verify that every person who joined the Tea app was a woman, Tea asked users to upload a picture of their ID or their face. Tea was founded in 2022 but largely flew under the radar until July this year, when it reached the top of the Apple App Store chart, earned glowing coverage in the media, and claimed it had more than 1.6 million users.
Burns’ offer to make Sanchez the “face” of Tea wasn't the first time she had reached out to her, but Sanchez never replied to Burns, despite multiple attempts to recruit her. As it turned out, Tea did not have all the “safety measures” it needed to keep women safe. As 404 Media first reported, Tea users’ images, identifying information, and more than a million private conversations, including some about cheating partners and abortions, were compromised in two separate security breaches in late July. The first of these breaches was immediately abused by a community of misogynists on 4chan to humiliate women whose information was compromised.
A 404 Media investigation now reveals that after Tea failed to recruit Sanchez as the face of the app and adopt the Are We Dating the Same Guy community, Tea shifted tactics to raid those Facebook groups for users. Tea paid influencers to undermine Are We Dating the Same Guy and created competing Facebook groups with nearly identical names. 404 Media also identified a number of seemingly hijacked Facebook accounts that spammed the real Are We Dating The Same Guy groups with links to Tea app.
404 Media’s investigation also discovered a third security breach which exposed the personal data of women who were paid to promote the app.
“Since first creating these [Are We Dating The Same Guy] groups, I have avoided speaking to the media as much as possible because these groups require discretion and privacy in order to operate safely and best protect our members,” Sanchez told 404 Media. “However, recent events have led me to decide to share some concerning practices I’ve witnessed, including messages I received in the past that appear to contradict some of the information currently being presented as fact.”
Burns is no longer with Cook or involved with Tea, and she did not respond to multiple requests for comment. But messages from Burns to Sanchez show that Cook changed his story about why he created Tea after they broke up. 404 Media also talked to a former Tea employee who said she only knew Burns as “Tara,” a persona that also exists in the Tea app and on Facebook as an official representative of the Tea app. This employee said that when Burns left the company, Cook took over the persona and communicated with other Tea users as if he was Tara.
Overall, our reporting shows that while Cook said he built Tea to “protect women,” he repeatedly put them at risk and tried to replace a grassroots movement started by a woman who declined to help him. As one woman who worked for him at Tea told us: “his [Cook’s] motive is money, not actually to protect people.”
Tea did not directly answer a list of specific questions regarding 404 Media’s findings and the facts presented in this article. Instead, it sent us the following statement:
“Building and scaling an app to meet the demand we’ve seen is a complex process. Along the way, we’ve collaborated with many, learned a great deal and continue to improve Tea,” a Tea spokesperson said. “What we know, based on the fact that over 7 million women now use Tea, with over 100,000 new sign ups per day, is that a platform to help women navigate the challenges of online dating has been needed for far too long. As one of the top apps in the U.S. App Store, we are proud of what we’ve built, and know that our mission is more urgent than ever. We remain committed to evolving Tea to meet the needs of our growing community every day.”
How Tea Tried to Recruit a Female “Face” for the App
Sanchez started the first Are We Dating The Same Guy Facebook group in 2022 after her terrible experiences dating. The basic premise—a space for women to share information about men with other women—has existed in various forms before, but Are We Dating The Same Guy quickly became an online phenomenon. Today, Are We Dating The Same Guy comprises more than 200 different Facebook groups dedicated to different cities across the U.S. and Canada and has more than 7 million members. The groups have many volunteer moderators, but Sanchez is still the administrator for most of them.
Women in the groups, who can also post anonymously, share a wide range of experiences, from relatively benign complaints about men they didn’t like, to serious accusations of infidelity and physical assault.
The popularity of Are We Dating The Same Guy groups is evidence that its members find them useful, but that popularity has come with a cost. Sanchez has become increasingly cautious after several attempts at retaliation from disgruntled men who are organizing on Telegram to dox women in the group and at least one lawsuit. In that case, a man accused Are We Dating The Same Guy of libel after a user in the Chicago group called him “clingy” and a “psycho.” Sanchez also said she had a rock thrown through the window of her family’s home by a man who wanted to stop Are We Dating The Same Guy, that she pays for a service to wipe her personal information from the internet, and that she generally keeps a low profile. This is the first time she has talked to the press.
By the time she was first approached by Burns in October 2022, Sanchez was suspicious of Tea’s interest in Are We Dating The Same Guy because of the negative attention the groups had already drawn.
“I’m a huge fan of all the work you're doing and I think it will have an ENORMOUS and important benefit on the lives of women,” Burns said in a Facebook message to Sanchez on October 25, 2022. At the time, Burns’ Facebook profile picture was a photo of her and Cook smiling. “My fiance and I have been working on a similar project due to my own dating woes and thought you’d be the perfect person to collaborate with on it.”
This is an entirely different origin story than the one Cook tells about Tea today. On LinkedIn, Tea’s site, and in interviews, Cook says that he “launched Tea after witnessing his mother’s terrifying experience with online dating—not only being catfished but unknowingly engaging with men who had criminal records.”
Before starting Tea, Cook worked at a couple of tech companies in San Francisco, including Salesforce, where he held a “director” title and rapped and made songs about Salesforce products during presentations he shared on LinkedIn.
A video Sean Cook uploaded to LinkedIn
There is no mention of Burns on the Tea site, but in 2022 she persistently asked Sanchez to join Tea.
In addition to messaging her on Patreon and Facebook, on December 2, Burns sent Sanchez $25 on Venmo along with a message thanking Sanchez for her work. “Sent you a PM on Facebook re: Business collab when you get a chance! 😊” On December 7, 2022 Burns sent Sanchez $15 on buymeacoffee.com along with a message about a “business opportunity,” and “an app with a similar concept to the facebook groups you manage that I would love to collaborate with you on!”
In April 2023, after Sanchez didn’t respond to Tea’s requests, Are We Dating The Same Guy group admins started banning a set of Facebook accounts posting links to the Tea app over and over again. For example, Are We Dating The Same Guy moderators banned one Facebook user named Crystal Lee from 25 groups across the country after the account repeatedly encouraged members to use Tea and suggested that information about the men they’re asking about was available there. Lee’s account was clearly hijacked from a woman with a different name sometime around 2016. While the account name is Crystal Lee, the name in the URL for her page is Kimberly Ritchart. I found Ritchart’s new Facebook account, where her first post in 2016 says she lost access to her original account. 404 Media couldn’t confirm who was in control of the account, and saw no evidence that Tea was behind it, but activity from similarly hijacked accounts indicates that there was an organized effort to stealthily promote the Tea app in the Are We Dating The Same Guy groups.
Two other Facebook accounts, Norma Warner and Morgan Ward, were banned from 23 groups and five groups respectively for spamming Tea app promotions. Warner and Ward also shared identical replies two weeks apart. “If I remember correctly, I think he’s been posted to Tea. I maybe [sic] mistaking him for someone else but looks pretty familiar,” both replies said in response to different posts in different groups.
Veronica Marz told me she was hired in April 2024 to be Tea’s partnerships manager. Her job was to manage the affiliate program that would pay people $1 per user who signed up to Tea via their unique affiliate link. She also moderated a number of groups named “Are We Dating the Same Guy | Tea App” for different cities, which were started by and owned by the Tea app and could obviously confuse Facebook users. Marz also reached out to admins of the real Are We Dating The Same Guy groups to ask if they’d be willing to join the affiliate program.
While reporting this story, 404 Media discovered that Tea’s data about the affiliate program, including who signed up for it, their real name, how much they have been paid, their emails, phone numbers, Venmo accounts, and charities they wanted to donate to if they didn’t want the money, were left exposed online. All a hacker or other third party had to do to view all of this data was add “/admin” to the public Tea affiliate site’s URL. Tea turned off this site and the affiliate program entirely after 404 Media reached out for comment for this article on August 13.
On December 1, 2024, Marz noticed an account named Nicole Li who was spamming Tea app promotions in one of the Facebook groups she managed for Tea as part of her job. Li was not part of the affiliate program that Marz managed, and unbeknownst to Marz, moderators of the original Are We Dating The Same Guy groups would eventually ban the Li account later. At that point, Marz was reporting directly to Cook, and she flagged the account to him because it was suspicious and spamming several groups at the same time.
“Just wanted to check and see if this person was working with the Tea app?,” Marz said in a text to Cook along with a screenshot of the account seen by 404 Media. “I’ve noticed that they’ve joined all the groups regardless of location and they’ve been promoting the app, but they aren’t a part of the affiliate program that I saw.”
Cook replied: “Not sure what’s going on there but as long as they’re not bothering anyone, I guess let’s just let them do their thing!”
All of the Facebook accounts that spammed Tea promotions were either deactivated or did not respond to our request for comment. None of the accounts were officially part of Tea’s affiliate program, according to the exposed data.
404 Media has seen several messages from Are We Dating the Same Guy Facebook group members and moderators confused about whether the Tea app was the official Are We Dating The Same Guy app, and whether Sanchez was affiliated with it. Several people also wondered if the Tara persona, which reached out to them on Facebook, was associated with Tea or if Sanchez was behind it. One review of the Tea app on the Google Play Store from January 2024 also seemed confused and disappointed by the app.
“A girl in a FB group referred me (I think she was actually advertising 🤷),” the review said. “She called it a free app. It’s not free [...] The fb groups should have raised MORE THAN ENOUGH to cover app costs that are referred to in other reviews [...] I find this gross. Maybe I’ll come around or be back, but for now I’ll stick with fb.”
Marz also told me that several users in the Tea-owned Facebook groups were confused, and thought that they were in the original Are We Dating The Same Guy groups owned by Sanchez.
“Maybe five to seven people in different groups asked me about Paola Sanchez, and I had to explain to them, like, ‘Hey, this is not Paola’s group. This group is owned by the Tea app,’” she told me. “I had to explain to them the difference between the two.”
Tea’s promotion strategy clearly managed to poach and confuse some members of the Are We Dating The Same Guy community and get them to join the app. Later, its strategy was to undermine Are We Dating The Same Guy directly.
Today, Tea’s website credits an influencer named Daniella Szetela as helping to widely promote Tea: “One day while scrolling, Sean discovered a viral creator, Daniella, whose content resonated with millions of women—and saw an opportunity to bring that same energy to Tea. What began as a simple idea quickly turned into a social media movement.” The site says Cook was so impressed with her voice and following, he made her “Head of Socials.” A March 2025 archive of the same page on Tea’s site tells the same story, but at the time Szetela’s title was “Chief Female Officer.”
“Together, Sean and Daniella have transformed Tea into more than an app—it’s a movement,” Tea’s site says.
In September 2024 Tea started posting videos to its official TikTok and Instagram accounts named @TheTeaPartyGirls. Some of the videos are of Szetela showing the app and talking about how great it is. Other videos are made to look like they’re coming from other Tea users, but in reality are produced by a company called SG Social Branding, which describes itself as a “Gen Z Creator Powerhouse Delivering Short Form Videos to be used for YOUR Brand’s Paid Social Ads.” According to its site, SG Social Branding has a team of “over 35 gen Z creators” who create videos for clients. These videos are made in the style of common social media posts, like an influencer talking directly to the camera, doing man-on-the-street interviews, or videos that look like they are clips from podcasts, but are from podcasts that don’t actually exist.
On a “case studies” page for Tea on the SG Social Branding website, the company says that Tea’s “ask” was to “Develop the narrative that Tea is the go to for Women who like to stay safe while dating.”
“We deployed creators for street interviews in locations such as NYC during daytime and the Nightlife scene on college campuses. Additionally, we made entertaining podcast clips of girl talk that is truly un-scrollable,” the case studies page says. Under “results” it says “The TEA app went #1 in the app store on July 23rd, 2025 and is now viral! Videos deployed from SGSB creators crossed over 3.4 million views with over 74k shares and rising.”
In these videos, the influencers don’t only promote Tea and talk about it as if they actually found information on it about men they know, they also repeatedly disparage Are We Dating The Same Guy Facebook groups.
“Instead of using that Facebook group Are We Dating the Same Guy, what girls are doing now because it’s so much easier is they’re downloading Tea,” a woman holding a microphone says as if she’s talking to someone off-camera. The text overlaid on the video says “Tea Party Pod.” The woman, Savannah Isabella, is an influencer who works for SG Social Branding. She goes on to talk about how one of her friends found a guy she was seeing there and all the red flags other women have posted about him. “Miss me with that. Boy bye. And it’s so much easier and faster than that Facebook group.”
Embedded Instagram post shared by Tea - Dating Safety App for Women (@theteapartygirls)
In another video, Isabella is at a bar, demoing the Tea app. “Girls, forget about Are We Dating The Same Guy,” she says.
Isabella and SG Social Branding did not respond to a request for comment.
Marz told me that she was hired to Tea by a woman named Tara and that initially she only communicated with Tara. Marz did a Zoom interview with Tara before she started to work for Tea and the woman identified herself as Tara over text and email. In November 2024, Marz said that Tara left the company, at which point she started reporting directly to Cook. When I showed Marz a photograph of Christianne Burns, Cook’s then fiancée, she said that was who she knew as Tara, who first interviewed her over Zoom.
After "Tara" left, Marz said Sean took over the “Tara Tea” account which was used to communicate with Tea users in the app and on Facebook.
“Sean uses that account to communicate directly with users on the app, but people think they are speaking to someone actually named Tara,” she told me. Essentially, a man is posing as a woman to an audience of women who are trying to protect themselves from, at best, deceptive men.
How Tea Deleted Posts About Men
Tori Benitez has a private consulting business for victims of domestic violence who are in Family Court for high conflict divorces or custody battles. She told me she joined the Tea app because it promoted digital safety, talking about abusers, and protecting people by letting them share information anonymously.
“I'm in the dating scene and on dating apps, and have had my own experience, so I first joined as a user, and then I saw them post that they needed help with escalation claims,” she told me. The escalation claims were complaints both from men about what women were posting about them in the app as well as complaints from other users. She thought her experience as a paralegal would be useful, and she could use more remote work, so she sent Tea her information.
“I had a Zoom call with Sean, and he wanted to know not only a little bit about my business and how I help people, but I had to tell my own personal story.” Benitez said. “I had an ex who literally threatened to kill me and told me how he was going to kill me, even after a restraining order. My story is deep and scary, and he kind of interrupted me and started crying. And I was like, ‘Oh, are you okay?’ Looking back, shouldn't I have been the one crying? It's kind of weird.”
Benitez said she took the job because she wanted to help women. During the interview and at several points while working for Tea, Benitez said that Cook wanted to make her consulting business part of Tea. Benitez said Cook floated having a tab in the Tea app that would send women to her consulting business if they needed help, or having her run workshops for users.
Benitez started working in April of this year but said the job wasn’t what she expected because it made no use of her experience as a paralegal. She said the work was more like customer support, and mainly had her filtering through complaints, responding to them according to a strict script she was given, and keeping a record of the responses.
If a complaint contained words like “defamation” or seemed legally threatening, she would find the post in question and the user who posted it. At times she would contact the user and ask them if the post was true and if they had any evidence to prove it. Sometimes users would respond and say the accusations were true, and the post would remain. Sometimes the users also provided supporting evidence, like court documents. Sometimes the users would delete the posts themselves, or Tea would delete the posts if the users didn’t respond to Benitez’s questions after a certain amount of time.
“That's when things would get deleted and literally no longer exist on there,” she said. “Nobody could find them. They did not go into an archive. They are just poof gone.”
She would record all the complaints and responses in a spreadsheet for Tea’s internal records, but said it didn’t always make sense when Tea decided to delete a public post on the Tea app versus when it decided to leave one up. In one interview in May 2025, Cook said the Tea app receives “three legal threats a day from men,” and that Tea has a full legal team that helps it manage those situations.
Benitez said that in one case, Cook told her he would handle a complaint from a man regarding what was said about him on the app himself because Cook knew the man personally.
“He [Cook] seemed to side with or randomly choose to delete things that just didn't make sense and felt really concerning to me,” she said. “But I felt I had no room to complain, because every time I brought up a concern his response was either ‘ignore it,’ or ‘I will handle it,’ and there's no HR, so it's not like I can go anywhere to say all this stuff's happening. I didn't have any other point of contact other than him.”
Benitez also said she raised concerns about users’ behavior on the app. She said that at some point earlier this year Tea went viral in one town in Louisiana, where Tea users started going after each other and the number of complaints exploded.
“There was a lot of fighting in the comments between users. There were a lot of threats between users. It just turned into a chat room,” she said. “They would be fighting each other. Like, ‘Where are you at? I’ll pull up on you.’ I was like, ‘holy shit.’ There would be racist posts. It just started getting bad, and I mentioned that to him [Cook] as well, and I basically got the answer of let them say whatever they want. And like this whole like, you know, ‘It's free speech.’ I thought this was about protecting people,” Benitez recalled.
In May, Benitez said Cook was late to pay her. When she asked about it, Cook said he didn’t have the money, and asked her to keep working until he did, or work for less pay. At that point, Benitez said she wouldn’t work until she got paid for the work she already did. Eventually Cook sent her the money for the hours she already worked, but Benitez never came back.
There are currently two class action lawsuits in motion against Tea accusing the company of failing to properly secure users’ private information. After these complaints were filed Tea updated its terms of service, which now require users to waive their right to participate in class actions against the company, and agree to attempt an “informal dispute resolution” before suing the company.
“I feel like his [Cook’s] motive is money, not actually to protect people,” Benitez said, “and I think that his story about his mom is a crock of shit.”
Tea’s Security Breaches Put Users at Risk
On July 25, 404 Media broke the news that Tea made an error that completely exposed a database containing at least 72,000 images from its users, and that a misogynistic 4chan community downloaded them and shared them online in various forms in order to harass and humiliate women. On July 28, 404 Media revealed an even worse security breach at Tea, which exposed more than a million private messages between Tea users that included identifying information and intimate conversations about cheating partners and abortions.
After the first hack, someone created a website modeled after “Facemash,” the site that Facebook CEO Mark Zuckerberg infamously created while he was a student at Harvard to rank the attractiveness of female students at the university. This new site, based on Tea data, took the selfies women uploaded to Tea in order to verify they are women, presented them to visitors in pairs, and allowed them to choose which they believed was more attractive. The site used the votes to create a ranking and also highlighted the list of the 50 most and least attractive women according to votes.
The second breach was far more dangerous not only because the direct messages between Tea users that were exposed included conversations they thought were private about sensitive subjects that could become dangerous in the wrong hands, but also because those conversations included details that could be used to deanonymize users. Direct messages between users often included their real phone numbers, names, and social media handles.
“I posted on the app about a man who groomed and abused me as a minor,” one Tea user whose direct messages were exposed in the second security breach told 404 Media. The user asked to be anonymous because she’s heard about “incel dudes” doxing Tea users. “I joined Tea because I appreciated the premise of a ‘whisper network’ for community safety—because a huge amount of men are, in fact, unsafe individuals, and most of the time those impacted don't find out until it's too late.”
This user added that they felt safe enough to share intimate details on Tea because it was advertised as a “safe space” for women with a strong emphasis on anonymity.
“My reaction to the breach is anger, just anger, and some disgust,” the user said.
Kasra Rahjerdi, the researcher who flagged the second security breach to 404 Media, said there were signs he wasn’t the only person who may have accessed more than a million private Tea messages. Every Tea user is assigned a unique API key which allows them to interface with the app in order to log in, read public posts, share posts, or do other actions in the app. Rahjerdi discovered that any Tea user was also able to use their own API key to access sensitive parts of the Tea app’s backend, including a database of private messages and the ability to send all Tea users a push notification.
This access also allowed users to create new databases, and Rahjerdi told 404 Media he saw someone else doing just that while he was looking at Tea’s backend. Most of these databases were empty, but one contained a link to a Discord server with a handful of users which shut down shortly after 404 Media tried to join it on July 26. This activity indicates that someone else found the same security breach as Rahjerdi and could have accessed more than a million private messages of Tea users as well.
In a podcast interview in April 2025, Cook said he doesn’t know how to code, and that the Tea app was built by two developers in Brazil. According to Tea’s LinkedIn page, both developers are contractors who are available to hire via Toptal, a platform where software developers offer their labor as remote freelancers. Those two developers did not respond to our request for comment.
Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation, told 404 Media that the private Tea messages could be especially dangerous to Tea users who talked about abortions or specific men.
“I would be particularly concerned about posts about abortions in say Texas, where SB 8 grants a private right of action to sue anyone who performs or facilitates an abortion that violates the law,” Galperin said. SB 8, also known as the “Texas Heartbeat Act,” bans abortion after the detection of a “fetal heartbeat,” which is usually six weeks into pregnancy. The law also allows anyone to sue anyone else who performs abortions or “aids and abets” performing or inducing an abortion in violation of the law. “I’d also be concerned about DMs containing information of sexual orientation or immigration status, or details about sexual assault that the survivor was sharing in private.”
Galperin said she would be “extremely concerned” if the messages got out, not just because of the men who are named in the messages, but because “There are people who think that anyone who has an account on this platform is fair game for harassment,” referring to some of the harassment we’ve already seen from 4chan.
Despite the risks Tea has already exposed its users to, the company has downplayed the impact of the security breaches, and it has continued to grow in popularity. On July 28, Tea said in a post to Instagram that “some” direct messages were accessed as part of the initial incident, and that it had temporarily disabled the ability for users to send direct messages. The statement does not acknowledge that more than a million messages were exposed, and it misleadingly implies that those messages were leaked as part of the initial breach. The messages were exposed in an entirely separate breach involving different security issues. On July 26, after 404 Media reported on both Tea breaches, Tea said on Instagram that it had received over 2.5 million requests to join the app. The replies from users on Instagram are filled with people on the Tea waiting list waiting to be approved. And even after it said it had hired a cybersecurity firm to address the two previously reported breaches, 404 Media found a third security issue that exposed users’ private information, which Tea wasn’t aware of until we reached out for comment.
Today, Tea’s site boasts that more than 6.2 million women use the app.
Joseph Cox contributed reporting.
A Second Tea Breach Reveals Users’ DMs About Abortions and Cheating
The more than one million messages obtained by 404 Media are as recent as last week, discuss incredibly sensitive topics, and make it trivial to unmask some anonymous Tea users.
Emanuel Maiberg (404 Media)