Andrew Tate’s The Real World exposes 22M user messages

The Real World, a learning platform from the controversial social media personality Andrew Tate, has leaked nearly a million users and over 22 million messages.

Hundreds of thousands of exposed users, millions of messages, and session tokens – that’s the reality that The Real World finds itself in.

The Cybernews research team has uncovered an exposed MongoDB instance with 88GB from one of The Real World’s servers.

Tate’s The Real World is a subscription-based all-in-one learning platform that claims to offer users insights on business development.

After the team contacted the company, the instance was hidden from the public’s view. Cybernews has reached out to The Real World for an official comment regarding the exposed database, but we did not receive a reply before publishing.

Tate data sample
Sample of the leaked data. Image by Cybernews.

The Real World’s exposed data

According to the team, the database has been exposed since at least April 8th, 2024. The 88GB of leaked data includes a large amount of sensitive information from the platform.

The Real World’s MongoDB instance held 968,447 user accounts, exposing user IDs, email addresses, encrypted passwords, verification statuses, account recovery codes, password expiration dates, and reset tokens.

Additionally, the exposed instance contained over 6.4 million session tokens and user IDs. Websites match these tokens with user IDs to recognize a specific user. Adversaries can use tokens to impersonate users, gaining full access to accounts.

Among other information, the team discovered 891,646 exposed user devices, with tokens, user IDs, and what platforms they used to access The Real World.

Worryingly, the database also had over 22 million user messages. The earliest of the millions of exposed conversations are dated October 2022, with the latest coming from April 2024.

The team also discovered that the leaky instance had server bans, multi-factor authentication (MFA) tickets, event logs, and other admin-level information not meant for the public.

According to researchers, exposing that much sensitive data endangers nearly a million of the platform’s users as attackers could exploit the leaked data to compromise their privacy.

“The exposure of messages, user devices, and other collections such as server bans and MFA tickets could allow malicious actors to exploit vulnerabilities, launch phishing attacks, or engage in identity theft on a massive scale, posing significant risks to both individuals and the platform itself,” researchers said.

Worryingly, the database also had over 22 million user messages. The earliest of the millions of exposed conversations are dated October 2022, with the latest coming from April 2024.

The team believes the instance was exposed due to a MongoDB user misconfiguration, a common cause behind data leaks of this nature.

Interestingly, researchers noticed that another IP with the same database has appeared online. Among other things, this could indicate that malicious actors have already copied the dataset.

Ridden with controversy

Both Tate and The Real World Portal have not shied away from controversy. Tate has received criticism for promoting misogynistic lifestyle choices.

In late 2022, Tate was arrested in Romania over charges of rape, human trafficking, and forming an organized crime group to sexually exploit women. In March 2024, UK police obtained a European Arrest Warrant for Tate over allegations of sexual aggression.

Meanwhile, The Real World has also received accusations of encouraging misogyny as well as developing a business model that closely resembles an illegal pyramid scheme.

Last September, these accusations emboldened Apple and Google to withdraw The Real World app from Google’s Play and Apple’s App Store marketplaces.

Tate launched The Real World in November 2022 after the shutdown of Hustler University, a similar subscription-based platform that offered members instructions on how to make money outside traditional employment.