Women’s Dating App Tea Exposes Selfie Images of 13,000 Users
The women-only dating safety app Tea has suffered a significant cybersecurity incident, with hackers gaining unauthorized access to approximately 72,000 user images, including 13,000 sensitive selfies and identification documents used for account verification.
The breach, which represents one of the most serious data exposures in the dating app ecosystem, has raised critical concerns about biometric data protection and authentication security protocols within social platforms targeting vulnerable user demographics.
Key Takeaways
1. Tea dating app exposed 72,000 user images, including 13,000 selfies and ID photos.
2. Only pre-February 2024 users were affected.
3. The company hired cybersecurity experts while receiving 2 million new user requests.
Dating App Tea Exposes Selfie Images
404 Media reported that the cyberattack exploited vulnerabilities in Tea’s data storage infrastructure, allowing malicious actors to bypass access control mechanisms and extract a substantial volume of personally identifiable information (PII).
The compromised data includes 13,000 selfies and photo identification documents submitted through the app’s multi-factor authentication (MFA) verification process, alongside 59,000 additional images from user posts, comments, and direct messages.
Tea’s cybersecurity response team has engaged third-party penetration testing specialists and incident response consultants to conduct forensic analysis and implement security hardening measures.
The company confirmed that its encryption protocols for email addresses and phone numbers remained intact, preventing exposure of contact information through SQL injection or cross-site scripting (XSS) attacks.
However, the breach affected users who registered before February 2024, suggesting the vulnerability existed within legacy database architecture and API endpoints that may have lacked adequate input validation and secure coding practices.
The incident has generated widespread concern given Tea’s mission statement, which emphasizes women’s dating safety, and its zero-knowledge architecture, which is designed to protect user anonymity, according to the report.
The app operates on a crowdsourced review system similar to Yelp, where verified female users submit anonymous evaluations of male dating prospects through blockchain-based identity verification.
Following the 404 Media investigation that first exposed the breach, Tea’s user base has strangely grown, with over two million new registration requests submitted within days of the security disclosure.
The company has implemented emergency patch management procedures and enhanced intrusion detection systems (IDS) to prevent future data exfiltration attempts while maintaining its GDPR compliance framework and end-to-end encryption standards for ongoing user communications.