DEV Community

Bravian

How a 60-GB ID Leak Proved: Don’t DIY What You Can Delegate to Professionals

The Tea App leak, the myth of the perfect database, and why outsourcing identity, auth, payments, and other sharp-edged modules is the only sane move for an early-stage startup.


1. The 60-GB wake-up call

On 24 July 2025 a magnet link started circulating on Telegram.

Inside the torrent: 30 000 selfies, driver's licences, and geolocation logs lifted from Tea, the women-only review app. The total size? 60 GB.

No fancy hacking was needed, just an open Firebase bucket and a curious researcher.

If you still believe "our database will be the safest ever," this leak is your neon sign saying no, it won't.


2. Absolute security is a bedtime story

Every headline of the last decade tells the same story: Yahoo (3 B accounts), Equifax (147 M SSNs), OPM (21 M clearance files), Facebook (533 M phone numbers). The safest database never existed.

Remember when eCitizen exposed thousands of users' personal data in 2019? Or when KCB Bank's mobile app vulnerability allowed unauthorized access to customer accounts? Even Safaricom, with all their resources and expertise, has faced SIM-swapping attacks that compromised M-Pesa accounts.

Air-gapped, code-reviewed, ISO-27001-certified systems have been breached by phishing, insider threats, or a single mis-click on an S3 policy.

If nation-states, trillion-dollar companies, and established financial institutions can't achieve perfect safety, a seed-stage startup with three engineers and a Monday-morning stand-up certainly won't.


3. KYC is still necessary, just not like this

Tea's premise was simple: only verified women could post reviews of men. KYC (upload a government ID) was the gate.

This applies to many apps. Think about dating apps needing to verify users are real, or ride-hailing apps like Ma3Route verifying matatu operators, or Uber verifying drivers with their national IDs or driving licenses.

The idea is sound:

  • Prevent fake male accounts from gaming the system.
  • Block minors from entering an adults-only space.
  • Reduce harassment by tying reviews to real identities.
  • Comply with local Data Protection Act requirements.

The problem wasn't the intent; it was the implementation:

What Tea did                                   | What they should have done
-----------------------------------------------|---------------------------------------------------------------
Stored full-resolution ID images forever.      | Extract a "verified female, 18+" flag, then delete the file.
Used a public, unauthenticated Firebase bucket.| Use a PCI-DSS-level vault with envelope encryption and hardware keys.
Built the verification pipeline in-house.      | Hand it to an identity-as-a-service provider that has already survived SOC 2, ISO 27001, and GDPR audits.

4. Build vs. outsource: the risk ledger

Let's run the numbers in local context.

Cost of building it yourself

Item                                                              | US market rates                                  | Local market rates
------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------
Initial dev time (backend, ML doc parsing, liveness checks)       | 2 senior engineers × 6 months ≈ KES 22.5 M       | 2 senior engineers × 6 months ≈ KES 4.8 M
Ongoing infra (GPU instances, storage, KMS)                       | KES 750k–1.8M / month                            | KES 450k–1.2M / month
Compliance (SOC 2, penetration tests, bug-bounty, ODPC registration) | KES 11.25 M first year                        | KES 3–5 M first year
Incident response (PR firm, legal, ODPC fines up to KES 500M)     | KES 150M–750M                                    | KES 50M–500M
Total cost of ownership (3 yrs)                                   | ~KES 200M–800M                                   | ~KES 80M–550M

Note: Local Data Protection Act allows fines up to KES 5M or 4% of annual turnover (whichever is higher). Senior developer salary assumed at KES 1.875M/month (~$12.5k USD) for US rates, KES 400k/month for local rates.

Cost of outsourcing to a field-tested provider

Item                                             | Real-world figures
-------------------------------------------------|--------------------------------------------------------
Stripe Identity / Jumio / Onfido pay-as-you-go   | KES 225–450 per verification
30 000 verifications                             | KES 6.75–13.5 M
Compliance burden                                | Zero (provider is the data controller)
Breach liability                                 | Zero (raw docs never touch your servers)
ODPC headaches                                   | Zero (transfers handled under provider's DPA)

Put differently: Tea could have outsourced all 30 000 verifications for the price of 2-3 weeks of local in-house engineering burn (or just 3-4 days at US rates), and the 60-GB torrent would never have existed.


5. The hidden tax of "we'll do it later"

"But we'll improve security next sprint."

Famous last words.

In the local startup ecosystem, this is especially dangerous. With limited funding rounds and pressure to show traction quickly, security often gets deprioritized. But consider this: one ODPC investigation can kill a startup faster than running out of runway.

In identity, 'later' is a synonym for 'leaked'.

Outsourced vendors have already paid the tuition in courtrooms, bug-bounty halls, and regulator offices (including dealing with European GDPR and US state privacy laws) so you don't have to.


6. Identity isn't the only knife you should hand to a chef

Sharp-edged modules that almost always age better in someone else's kitchen:

Module                      | Outsourced lifeline                                                                                      | Local context
----------------------------|----------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------
KYC/Identity Verification   | Smile Identity (supports Kenyan National ID & Huduma Namba OCR), Jumio, Onfido, Stripe Identity         | Smile Identity was built specifically for African documents and regulatory requirements.
Authentication              | Auth0, Firebase Auth, Supabase Auth (battle-tested against 100M+ daily logins)                           | Remember when SportPesa had login issues? Don't repeat that.
Payments                    | Flutterwave, Paystack, Stripe (now available locally), Kopo Kopo                                         | Local fintech Kopo Kopo exists precisely because payments are hard.
SMS/USSD                    | AfricasTalking, Twilio, Clickatell                                                                       | When Safaricom updated their APIs, who got the memo first?
Video Calling               | Daily, Twilio Video, Zoom SDK                                                                            | Zoom works better locally than your homegrown solution ever will.
Email Delivery              | SendGrid, Postmark, Mailgun                                                                              | Ever tried getting emails delivered to @safaricom.co.ke addresses?
Search                      | Algolia, Elasticsearch Service, Amazon OpenSearch                                                        | Search is deceptively complex: relevance, typos, synonyms, performance at scale.
File Storage & CDN          | Cloudinary, AWS S3 + CloudFront, Uploadcare                                                              | Image optimization, automatic resizing, and global CDN edge locations are harder than they look.

Note: while researching for this article, I discovered something called "token replay on 2G network", which mostly affects JWT. For devs doing authentication using JWT, it's something you have to look into.

7. Checklist: how to add KYC (or any sharp module) without becoming tomorrow's headline

  1. Never store raw documents.

    Use tokenised verification (provider returns a signed JWT: verified_female=true, over_18=true, kenyan_id_verified=true).

  2. Pick a provider with scars, not slides.

    Ask for their pen-test summary, last SOC 2 date, GDPR DPA template, and how they handle ODPC compliance.

  3. Contractual kill-switch.

    Require the provider to delete user data within X days or on request (local Data Protection Act requires this anyway).

  4. Audit rights.

    Insist on annual third-party audits and read them.

  5. Client-side UX still matters.

    Even Stripe Identity can be misconfigured; test with local IDs, Huduma Namba, and various document formats.

  6. Local compliance check.

    Ensure your provider can handle local document formats and has ODPC-compliant data processing agreements.
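Item 1 of this checklist (and the first row of the table in section 3) comes down to one backend routine: verify the provider's signed JWT and persist nothing but the flags. The following is an added illustration, not code from Tea or from any provider; it assumes a hypothetical issuer URL, audience name and a shared HS256 secret (real providers usually sign with RS256 and publish a JWKS, but the checks are identical), and it also rejects a reused jti, which is the mitigation for the token-replay concern mentioned above.

```python
import base64, hmac, hashlib, json, time

# Constructed example values: a hypothetical provider, audience and shared HS256 secret.
PROVIDER_SECRET = b"constructed-demo-secret-not-for-production"
EXPECTED_ISS = "https://verify.example-provider.test"   # hypothetical issuer
EXPECTED_AUD = "tea-backend"                             # hypothetical audience
FLAGS = ("verified_female", "over_18", "kenyan_id_verified")  # the only claims we keep
_seen_jti = set()  # replay guard: each provider token is accepted exactly once

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_verification_token(claims: dict, secret: bytes = PROVIDER_SECRET) -> str:
    """Stand-in for the provider side: mints an HS256 JWT carrying only boolean flags."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_and_extract_flags(token: str, now=None, secret: bytes = PROVIDER_SECRET) -> dict:
    """Checks signature, issuer, audience, expiry and single-use jti, then returns
    only the verification flags. Raises ValueError on any failure."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never accept 'none'
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != EXPECTED_ISS or claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    jti = claims.get("jti")
    if not jti or jti in _seen_jti:
        raise ValueError("missing or replayed jti")
    _seen_jti.add(jti)
    # Persist only the flags: no image, no ID number, no document ever reaches our DB.
    return {"user_id": claims.get("sub"), **{f: bool(claims.get(f, False)) for f in FLAGS}}
```

In production the `_seen_jti` set lives in a shared store with a TTL equal to the token lifetime, and the provider's raw document handling stays entirely on their side.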


8. TL;DR for your next board slide

  • Perfect databases are unicorns (ask eCitizen, KCB, or Safaricom).
  • KYC is still mission-critical but only when done right under the local Data Protection Act requirements. Just look at the fallout from the Worldcoin saga.
  • Build product, don't reinvent the wheel unless the wheel is the product.
  • Let the specialists (who have already survived GDPR, SOC 2, and ODPC investigations) carry the compliance flame.

Code is code, and code cracks.
Sooner or later, everyone gets hacked.

Because the only thing worse than leaking 30 000 driver's licenses is explaining to the Office of the Data Protection Commissioner why you thought you could do better than people whose only job is to make sure that never happens.
