Vibe coding and the Tea app breach: Why security can’t be an afterthought
Why governance, visibility, and security guardrails matter in modern app development
Takeaways:
- Security must be prioritized from the start: Rushed MVPs and outsourced development often neglect critical security measures, leading to vulnerabilities.
- API misconfigurations are a common breach vector: Both Tea app breaches were caused by poor authentication and authorization policies.
- “Vibe coding” is risky for production apps: Fast, unstructured development may work for prototypes, but not for apps handling sensitive data.
The recent data breaches of the Tea dating application are classic examples of poor development, security, and operations (DevSecOps) practices. This application is a women-only dating safety platform that allows subscribers to share their experiences in a private community. The app provides several tools, including a group chat and the ability to rate and review men through a process similar to a Yelp review. Privacy concerns aside, the app used artificial intelligence (AI) and official government (or otherwise verified) photo identification like driving licenses to ensure that the subscriber is female.
This verification process, along with the group chat and personal messaging features, is the reason we’re here. According to the founder, the original Tea app was built by a team of two developers hired off Toptal – and I’m guessing the leaks are from not worrying about security during the minimum viable product (MVP) phase.
Both breaches – the original Firebase database (DB) leak and the follow-on leak of chats – happened because of the standard problem that plagues application programming interfaces (APIs) as described by the Open Worldwide Application Security Project (OWASP). Specifically, both were caused by broken authentication and authorization policies. The first one is a standard Firebase data leak, which happens when security policies are not manually configured – something that has been widely known for ages. The second one is more egregious: any user could use their API key to download other users’ chats. The development team didn’t identify and fix these issues while the app was a high-profile target to be exploited. The team should probably spend some time reviewing this OWASP document to improve their security processes.
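The second failure described above, where a valid API key is enough to read another user's chats, is a missing object-level authorization check. The Python below is an added example, not code from the Tea app or from this article; the handler names, API keys and chat data are constructed for illustration. It puts the broken pattern beside a corrected one and adds an audit routine a test suite can run to catch cross-user reads.

```python
# Added illustration: every name and value here is hypothetical and constructed.
# Constructed sample data: chat id -> participants and messages.
CHATS = {
    "c1": {"participants": {"alice", "bob"}, "messages": ["hi", "hello"]},
    "c2": {"participants": {"carol", "dana"}, "messages": ["private note"]},
}
# Constructed API keys, each mapped to the user it was issued to.
API_KEYS = {"key-alice": "alice", "key-carol": "carol"}

class AccessDenied(Exception):
    """Refusal carrying an HTTP-style status code."""
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status

def authenticate(api_key):
    """Authentication: map the presented key to a user, or refuse with 401."""
    user = API_KEYS.get(api_key)
    if user is None:
        raise AccessDenied(401, "unknown or missing API key")
    return user

def get_chat_vulnerable(api_key, chat_id):
    """Broken pattern: any valid key is treated as permission for every chat."""
    authenticate(api_key)
    return CHATS[chat_id]["messages"]

def get_chat_hardened(api_key, chat_id):
    """Authenticate, then require the caller to be a participant of this chat."""
    user = authenticate(api_key)
    chat = CHATS.get(chat_id)
    # Same 404 for "missing" and "not yours", so chat ids cannot be enumerated.
    if chat is None or user not in chat["participants"]:
        raise AccessDenied(404, "chat not found")
    return list(chat["messages"])

def audit(handler):
    """Regression check: try every key on every chat, report cross-user reads."""
    leaks = []
    for key, user in API_KEYS.items():
        for chat_id, chat in CHATS.items():
            try:
                handler(key, chat_id)
            except AccessDenied:
                continue
            if user not in chat["participants"]:
                leaks.append((user, chat_id))
    return sorted(leaks)
```

Running `audit` against both handlers in CI turns the authorization rule into a test that fails the build when a new endpoint forgets the ownership check.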
Vibe coding is all the rage—not just in programming communities, but also in product management circles. Many companies now try to create full-stack product managers (PMs) who handle everything from requirements to app creation and, presumably, stay up overnight as production support. The overall consensus—and one I agree with—is that this is a bad idea. While a technical PM might create a proof of concept (PoC) or prototype, production-quality ‘vibe code’—no thanks.
The Tea app breaches show you why this is a bad idea. Even if we don’t know whether the app was vibe coded, it was a non-technical founder outsourcing the original development to freelancers. Hallucinations don’t just affect answers – they can affect security as well. Does the AI you are using understand basic security concepts? If you are worried about launching a working app at any cost, will the code be understandable? And when you face technical debt, how will you identify and solve problems? Troubleshooting and fixing legacy code written by a human being is massively painful – even when they add comments stating “Do not delete this env variable!”
François Chollet comment on Generative AI legacy code
François Chollet, creator of the Keras deep learning library, puts this into much better context in the tweet above. The point is that software engineers will be fixing the AI-generated mess of ‘pesto cheeseburger fusilli pineapple spaghetti pizza code.’ Today, people are stuck maintaining bolted-on code written ages ago, using an Access database whose password is long forgotten. Or consider the regular articles about how experienced Common Business-Oriented Language (COBOL) programmers who can understand the business logic are highly prized because no one else can understand and fix legacy systems.
Or as one meme puts it:
Programming meme based on The Office, via Reddit
In general, automation is a good thing. If you can get your work done faster and move on to more productive things, that is a good thing. However, the problem arises when automation tools lack proper security guardrails. Given the current state of security sprawl of tools that barely talk to each other, this is a tall order. You need to have governance, followed by visibility, followed by enforcement of guardrails, and you needed all of these in place a few years ago. Security is already a hard nut to crack, and the rise of generative AI-powered automation will make this worse. The low-code/no-code apps are like interns being given the keys to production deployments.
We’ve been here before and keep repeating the same mistakes. CVE-2025-53773, a Common Vulnerabilities and Exposures (CVE) entry, is a prompt injection vulnerability in Copilot that allows an attacker to execute code locally. This is similar to command injection risks described by OWASP, which have existed since the dawn of web security. Or look at this example that is less focussed on programming – AI Agents that work with Notion. These agents don’t have the right role-based access control (RBAC) safeguards and can access information across the data estate. The right prompts can put the wrong information into the hands of an attacker. Research has shown prompt-injection exfiltration risks, and Notion has since announced additional safeguards.
Governance and security are more important than ever. Getting the right governance and guardrails in place is critical – and so is defense in depth for your existing applications.
Screenshot of blocked attempt to access OpenAI