Take

Tea (a dating safety app for women):

A legacy data storage system was compromised, resulting in unauthorized access to a dataset from prior to February 2024. This dataset includes approximately 72,000 images, including approximately 13,000 selfies and photo identification submitted by users during account verification and approximately 59,000 images publicly viewable in the app from posts, comments and direct messages.

No email addresses or phone numbers were accessed. Only users who signed up before February 2024 were affected.

[..]

How did the cybersecurity incident happen?
During our early stages of development some legacy content was not migrated into our new fortified system. Hackers broke into our identifier link where data was stored before February 24, 2024.

Hackers broke into.

I am unaware of the exact details, but my guess is that the dataset was as individual files stored in an object/blob storage service, like AWS S3, Cloudflare R2 or Google Cloud, and that the security depended entirely on the addresses of each file were assumed to not be guessable, or at least easily. (What do I base this on? The fact that stuff was left laying around in a "legacy data storage system". If it had been a database, most likely the entire thing would have been migrated. Whereas with object storage, it is reasonably easy to just start writing to another bucket/container/endpoint (or even another service entirely) for new data.)

If my guess is correct, "hackers broke into" is ridiculously misleading as a summary. Here is a more correct summary which may be helpful for someone without technical knowledge:

Imagine a very large grassy park with hundreds of thousands of tiny sheds. Each of those sheds have signs up front with a name - like, say, TeaForWomenVerificationAssets. Anyone can walk up to a shed - it is how the owners of the shed get to the shed. All of them have boxes inside, with files and photos and things in them. Some of the sheds require a key to open, or a thumbprint in a thumbprint reader. Some of the boxes require another key to open.

Our shed was labeled something that gave away what it was, and we had no keys on either the shed or the boxes. Our security depended entirely on no one finding our shed.

After February 2024, we had a brainwave and began putting your precious private information into a bank vault downtown instead. However, a very vile and cunning criminal managed to find our shed before we, after more than a year had passed, had managed to empty it or put a padlock on anything.

It is bad enough that this is a common lapse in security. It gets worse when an app intended to work towards physical safety is affected. I understand the human instinct to lash out - but the issue wasn't that someone was a criminal mastermind, it's that the data wasn't secured to begin with, and that having discovered that something needed to be improved, the unsecured data was left in an unsecured state.