Tea App Data Breach Exposes IDs and Private Messages

Hackers have breached the Tea app, leading to the leak of tens of thousands of user selfies and government ID photos. Tea is a popular women-only platform that allows users to post personal data about men they are currently dating, formerly dated, or are interested in dating. The Tea app data breach was confirmed by a Tea spokesperson.

According to the company, the attackers accessed a database containing approximately 72,000 images, including 13,000 user verification selfies and photographs of government-issued IDs. The exposed data includes content that users submitted to confirm their identities during the signup process.

How Tea App Works

Tea, which has recently gained traction on social media platforms and became the most downloaded free app on the Apple App Store, operates as a virtual whisper network. It allows women to upload photos of men, search by name, and anonymously share reviews, labeling individuals as “red flags” or “green flags.” The app promises anonymity to its users and prohibits screenshots within the platform.

To register for the Tea app, users are required to submit a selfie to prove their gender, a step that the company claims is intended to promote safety and exclusivity. On its website, Tea states these selfies are deleted after a brief review, a claim now under scrutiny following the data breach.

Tea App Data Breach: In Detail

According to the Tea spokesperson, the data accessed was stored in a database from more than two years ago. The spokesperson noted that the data had originally been archived “in compliance with law enforcement requirements related to cyberbullying prevention.”

Since the breach, the company has engaged third-party cybersecurity firms and stated that it is working “around the clock” to secure its systems. “Protecting our users’ privacy and data is our highest priority,” the company said. “Tea is taking every necessary step to ensure the security of our platform and prevent further exposure.”

The situation worsened on Monday when 404 Media revealed a second vulnerability. This flaw allowed unauthorized access to over 1.1 million direct messages exchanged by users on the app from early 2023 until last week. Some of these messages contained deeply personal information that could potentially identify users.

Cybersecurity researcher Kasra Rahjerdi, who uncovered the vulnerability, said the exposed database could have allowed someone to send push notifications to users. He also confirmed that other individuals may have accessed the data before he reported it, although it remains unclear whether the information was downloaded.

Tea has since taken the affected systems offline and announced plans to offer free identity protection services to impacted users. The company is also working to identify the individuals whose personal data may have been compromised.

Role of Online Forums and Potential Misuse

The Tea app data breach has been linked to activity on certain online communities. A thread on 4Chan, a platform known for its controversial content, emerged with users reportedly calling for a “hack and leak” campaign targeting Tea. By Friday morning, a 4Chan user had posted a link allegedly allowing others to download the stolen images. Multiple photos of what appear to be Tea users’ identification documents have since been circulated on 4Chan and X (formerly Twitter), though their authenticity has not been independently verified.

Moreover, someone created a Google Map that allegedly shows coordinates of users impacted by the Tea app data breach. While names were not attached, the exposure of location data has raised further questions about the safety and privacy of users.

Another report revealed that some of the leaked data had been used to trace individuals to U.S. Army bases, and that at least one cybercriminal forum claimed to be offering a 55 GB data dump containing selfies and IDs.

It is believed that a misconfigured storage bucket on Firebase, a cloud-based service developed by Google, was a key entry point for hackers. Multiple researchers confirmed that the storage bucket had been publicly accessible prior to the breach being made public.

User Reactions

The Tea app data breach has ignited criticism and concern among users, especially as many had trusted the app’s privacy promises. The app explicitly stated during the signup process that verification images would be deleted post-review, a promise now in question. Many users took to Tea’s Instagram page to express their frustration, with some saying they were still on the waitlist despite recent claims of millions of new signups.

The controversy also reflects broader tensions over the app’s purpose. While it was designed to give women a platform to protect themselves and share experiences, critics have accused Tea of enabling unverified allegations and potential cyberbullying. Some men expressed concerns about being misrepresented or falsely flagged on the platform.

About the App and Its Founder

Tea’s creator, Sean Cook, has said the app was inspired by his mother’s negative experiences with online dating, including being catfished and encountering individuals with criminal histories. In addition to functioning as a review network, Tea allows users to conduct background checks, search criminal histories, and perform reverse image searches to detect catfishing attempts.

According to its website, Tea has a strong digital presence with more than 240,000 followers on Instagram and 190,000 on TikTok. It claims to reach millions of users each month and donates 10% of its profits to the National Domestic Violence Hotline, which confirmed that the app is indeed a donor.

While the Tea app data breach is still being investigated, the incident highlights the inherent risks of platforms that collect sensitive personal data. Despite promises of anonymity and safety, the exposure of identity documents and private messages has left many users feeling betrayed.
