nonhaver 5 days ago

If I'm understanding correctly, this was a public bucket? Aside from the obvious leaking of data, couldn't this also be subject to a DoW (denial of wallet) attack where a user could auto download all the images constantly on a VPS and cause a massive bill?

chneu 5 days ago

According to the company, this was an old bucket they used prior to 2024, when they moved to a more robust system.

So... they were storing people's information long term in a publicly accessible bucket when users did not know. In fact, I believe users were told their IDs/selfies were immediately deleted (not stored), then Tea turned around and said they were legally required to store those photos. Tea had to address this in their press release, apparently.