
A widely popular women-focused dating safety app, Tea, has confirmed a significant data breach that exposed tens of thousands of sensitive user images and messages.
The security incident occurred despite Tea positioning itself as a privacy-first space for women to discuss dating experiences.
The breach occurred early Friday morning when attackers accessed an unprotected legacy storage system belonging to the app. According to the company, the breach only affects users who signed up prior to February 2024. Data from newer users remains secure, the company claims.
The compromised archive contained approximately 72,000 user-submitted images, including around 13,000 verification selfies and government-issued IDs submitted during the account verification process. These images were used to confirm user identities through Tea's AI-driven selfie verification system. Additionally, about 59,000 public images from old posts, comments, and direct messages, some dating back over two years, were accessed.
In a statement posted to its official Instagram channel, Tea acknowledged the breach and attempted to quell growing fears, stating: “We discovered unauthorized access to an archived data system. If you signed up for Tea after February 2024, all your data is secure.” The message also notes that the company is “working with some of the most trusted cybersecurity experts.”
Tea disclosed that the archived content was originally retained “to meet law enforcement standards around cyberbullying prevention.” The company has emphasized that these images “can in no way be linked to posts within Tea,” likely referring to an internal decoupling of image data from user profiles.

The app, which has recently surged to the top of Apple's App Store rankings and boasts over four million users, is designed to allow verified women to share reviews and warnings about men they've dated. Users can upload a man's photo, attach their experience, and label him with “red flag” or “green flag” indicators. It also includes tools like group chats and background checks using public databases.
Tea has not released a full technical postmortem, but security researchers have attributed the breach to misconfigured Firebase storage and insecure code practices, reportedly generated using AI tools without proper auditing. The exposed database, totaling approximately 59 GB, lacked basic security protections, including authentication and encryption. This left it vulnerable to attackers, who began sharing download links via forums such as 4chan and decentralized platforms like BitTorrent.
Though the company insists that no email addresses, phone numbers, or current user data were leaked, the presence of verified IDs and private conversations among the exposed content raises significant concerns over user safety, including risks of identity theft, harassment, and social engineering attacks.
Despite the public notice, Tea has yet to provide a detailed breakdown of the security lapse or offer support guidance to affected users. CyberInsider has contacted the company for additional comment, but as of publication time, has not received a response.
Affected users are advised to monitor for suspicious online activity, enable multi-factor authentication on all services, and consider identity theft protection tools. As the data continues to circulate online, it remains crucial for users to stay vigilant.