The Tea App Data Breach: A Double Exposure of Security Failures

Two critical data breaches in the span of one week have exposed the sensitive personal information of thousands of Tea app users, revealing fundamental security failures in a platform designed to protect women's safety while dating. The incidents highlight the dangerous intersection of rapid app growth, inadequate security measures, and the weaponization of leaked data by malicious actors.

What is the Tea App?

Tea Dating Advice, launched in 2023 by founder Sean Cook, markets itself as a women-only platform that enables users to anonymously share information about men they’ve dated or encountered. The app functions as a crowdsourced background checking service, allowing verified female users to leave reviews categorizing men as “red flags” or “green flags” based on their dating experiences.

The platform gained explosive popularity in July 2025, surging from relative obscurity to the #1 position on Apple’s App Store free apps chart within days. Between July 17-23, downloads increased by 525%, with the company claiming over 4 million total users and 2.5 million new registrations in a single week.

To join Tea, users must undergo a verification process that initially required submitting selfies alongside government-issued photo identification to confirm their identity as women. The app’s privacy policy explicitly stated these verification images would be “deleted immediately” after review.

The First Breach: Firebase Misconfiguration Exposes 72,000 Images

Discovery and Initial Impact

On July 25, 2025, Tea confirmed that cybercriminals had gained unauthorized access to what the company described as a “legacy data storage system”. The breach exposed approximately 72,000 images, including:

  • 13,000 verification selfies and government photo IDs submitted during account verification
  • 59,000 publicly viewable images from posts, comments, and direct messages within the app

The compromised data affected users who registered before February 2024, when Tea claimed to have transitioned to “a more secure system”.

Technical Root Cause: Unsecured Firebase Storage

Security researchers identified the primary vulnerability as a misconfigured Firebase storage bucket—Firebase being Google’s cloud-based backend service. The bucket lacked proper authentication controls, essentially leaving the digital equivalent of an unlocked door that anyone with the correct URL could open.

Anonymous users on the 4chan message board discovered the exposed database and shared a Python script enabling mass download of the stored images. This wasn’t a sophisticated attack requiring advanced hacking skills—it was a basic configuration failure that left sensitive data openly accessible on the internet.

The “Legacy System” Excuse

Tea attributed the breach to storing data “in accordance with law enforcement requirements related to cyber-bullying prevention”, contradicting their own privacy policy that promised immediate deletion of verification photos. This revelation exposed a fundamental dishonesty in the company’s data handling practices and raised serious questions about regulatory compliance.

The Second Breach: API Vulnerability Exposes 1.1 Million Private Messages

A More Devastating Discovery

Just three days after the initial breach disclosure, independent security researcher Kasra Rahjerdi uncovered a second, more damaging vulnerability affecting Tea’s direct messaging system. This separate security flaw exposed over 1.1 million private messages exchanged between users from early 2023 through July 2025.

Unlike the first breach involving historical data, this vulnerability affected current, active communications containing highly sensitive personal information.

API Access Control Failure

The technical cause was a critical flaw in Tea’s Application Programming Interface (API) that handles internal app communications. According to Rahjerdi’s analysis, any authenticated Tea user could access the entire message database using their own API key. This represents a catastrophic failure in access control implementation, allowing unauthorized users to query and extract private conversations at will.

Exposed Content and Real-World Impact

The leaked messages contained deeply personal and sensitive discussions, including:

  • Abortion discussions and reproductive health conversations
  • Infidelity reports about cheating partners and spouses
  • Phone numbers and social media profiles enabling user identification
  • Real names and personal details compromising user anonymity
  • Meeting locations and private arrangements

Rahjerdi demonstrated that cross-referencing message content with social media profiles made it “trivial to find social media profiles, telephone numbers, and the real-world identities of most users”.

Attack Vectors and Exploitation Methods

4chan Mobilization and Coordinated Harassment

The Tea app became a target for coordinated harassment campaigns after gaining viral attention. Users on 4chan initiated a “hack and leak” operation specifically targeting the platform, motivated by opposition to the app’s concept of allowing women to anonymously review men.

The anonymous forum users not only shared the leaked data but actively weaponized it:

  • Created interactive maps purporting to show user locations based on metadata
  • Developed rating websites like “Teaspill” allowing visitors to rate stolen selfies
  • Distributed torrents of the complete dataset across multiple hacking forums

Social Engineering and Identity Theft Risks

The combination of government IDs, selfies, and personal information creates severe risks for affected users:

  • Identity theft facilitation through access to driver’s licenses and verification photos
  • SIM swap attack preparation using personal details and phone numbers
  • Social engineering campaigns leveraging private conversation content
  • Cryptocurrency exchange fraud using verified identity documents

Technical Analysis: Fundamental Security Failures

Firebase Security Misconfigurations

Firebase, while a powerful and scalable backend solution, requires proper security rule implementation to protect sensitive data. Tea’s implementation failures included:

  • Public read access to storage buckets containing private images
  • Insufficient authentication requirements for data access
  • Missing data encryption for sensitive personal information
  • Inadequate access logging preventing breach detection
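The “public read access” failure listed above has a concrete shape in Firebase Storage security rules. The fragment below is an added illustration, not the Tea app’s actual rules (which the reporting does not reproduce): it shows the permissive pattern that makes every object readable to anyone who knows the URL, beside a deny-by-default ruleset that scopes access to the authenticated owner. The paths (`/verification/{uid}/…`, `/posts/{uid}/…`) and size limit are assumptions chosen for the example.

```text
// Added example, not the Tea app's own rules. Two alternative rule files
// are shown; the /verification and /posts paths are assumptions.
rules_version = '2';

// WEAK: the pattern behind "anyone with the URL can read it". Every object
// in the bucket is readable and writable by unauthenticated clients.
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write;
    }
  }
}

// CORRECTED: no catch-all rule, so anything not matched below is denied.
service firebase.storage {
  match /b/{bucket}/o {
    // ID documents: the authenticated owner may upload an image, but no
    // client may ever read one back. Backend processing through the Admin
    // SDK bypasses these rules, so the review pipeline still works.
    match /verification/{uid}/{file} {
      allow read: if false;
      allow write: if request.auth != null
                   && request.auth.uid == uid
                   && request.resource.size < 5 * 1024 * 1024
                   && request.resource.contentType.matches('image/.*');
    }
    // Post images: owner-only writes, reads only for signed-in users.
    match /posts/{uid}/{file} {
      allow read: if request.auth != null;
      allow write: if request.auth != null && request.auth.uid == uid;
    }
  }
}
```

Rules can be exercised against the local Firebase emulator before deployment, and the denied-by-default posture is what turns a leaked object URL into a 403 rather than an image. Note what rules do not cover: they say nothing about how long an object is retained, so a “delete immediately” promise like Tea’s still needs a separate deletion step (or a bucket lifecycle policy) that the rules cannot substitute for.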

API Security Vulnerabilities

The message exposure resulted from basic API security oversights:

  • Missing authorization checks on sensitive endpoints
  • Overprivileged API keys allowing broad data access
  • Insufficient rate limiting enabling bulk data extraction
  • Lack of user-specific access controls in database queries
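The message exposure described earlier (any authenticated user reading the whole message store with their own key) is an object-level authorization failure: the endpoint proved who the caller was but never asked whether the caller was allowed to see that conversation. The JavaScript below is an added example, not Tea’s code; the in-memory users, API keys and conversations are constructed for the illustration. It places the insecure handler beside a hardened one that checks participation, scopes listing to the caller, records denials for detection, and applies a per-user rate limit so a mistake elsewhere cannot be turned into a bulk dump.

```javascript
// Added example (not the Tea app's code). Users, keys and messages are
// constructed sample data standing in for a real database.
const users = new Map([
  ['key-alice',   { id: 'u1' }],
  ['key-bob',     { id: 'u2' }],
  ['key-mallory', { id: 'u3' }],
]);

const conversations = new Map([
  ['c1', { participants: ['u1', 'u2'], messages: ['hi', 'hello'] }],
  ['c2', { participants: ['u2', 'u3'], messages: ['yo'] }],
]);

// Denied-access events, the signal a SOC would alert on when one key
// starts probing many conversation IDs.
const auditLog = [];

function authenticate(apiKey) {
  const user = users.get(apiKey);
  if (!user) throw new Error('401 unauthenticated');
  return user;
}

// VULNERABLE: authentication only. Any valid key reads any conversation,
// so iterating IDs extracts the entire message store.
function getConversationInsecure(apiKey, conversationId) {
  authenticate(apiKey);
  const conv = conversations.get(conversationId);
  if (!conv) throw new Error('404 not found');
  return conv.messages;
}

// HARDENED: authorization per object. The same 404 is returned for
// "does not exist" and "not yours" so the endpoint cannot be used to
// enumerate which conversation IDs are live.
function getConversationSecure(apiKey, conversationId) {
  const caller = authenticate(apiKey);
  const conv = conversations.get(conversationId);
  if (!conv || !conv.participants.includes(caller.id)) {
    auditLog.push({ userId: caller.id, conversationId, denied: true });
    throw new Error('404 not found');
  }
  return conv.messages;
}

// HARDENED listing: the query is scoped to the caller. There is no
// "list all conversations" path for ordinary users at all.
function listMyConversations(apiKey) {
  const caller = authenticate(apiKey);
  return [...conversations.entries()]
    .filter(([, conv]) => conv.participants.includes(caller.id))
    .map(([id]) => id);
}

// Number of denied lookups recorded for a user; a threshold on this is a
// simple detection rule for ID-probing.
function deniedCount(userId) {
  return auditLog.filter((e) => e.userId === userId && e.denied).length;
}

// Fixed-window rate limiter keyed by user. `now` is injectable so the
// behaviour is deterministic in tests.
const windows = new Map();
function rateLimit(userId, limit, windowMs, now = Date.now()) {
  const w = windows.get(userId);
  if (!w || now - w.start >= windowMs) {
    windows.set(userId, { start: now, count: 1 });
    return true;
  }
  if (w.count >= limit) return false;
  w.count += 1;
  return true;
}
```

The essential difference is one line: the hardened handler consults the conversation’s participant list before returning anything. Everything else (uniform 404s, caller-scoped listing, denial logging, rate limiting) is defence in depth that limits blast radius and makes mass extraction visible while it is happening rather than after a researcher reports it.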

Data Architecture Problems

Tea’s security failures stem from fundamental architectural decisions:

  • Centralized data storage creating single points of failure
  • Legacy system maintenance without security updates
  • Inconsistent security policies across different app versions
  • Inadequate data lifecycle management violating retention policies

Class Action Lawsuits

Multiple class action lawsuits have been filed against Tea Dating Advice, with plaintiffs alleging “failure to properly secure and safeguard personally identifiable information”. Lead plaintiff Griselda Reyes claims to suffer “anxiety and heightened concerns regarding her privacy” following the breach.

Legal experts note that the exposure of government IDs and private communications may constitute violations of various privacy regulations, potentially subjecting Tea to significant financial penalties and regulatory oversight.

Defamation and Privacy Concerns

The app’s business model already faced legal challenges from men claiming defamation through anonymous reviews. The data breaches have amplified these concerns, with lawyers reporting “hundreds of calls” from individuals distressed about content posted about them on Tea.

Aaron Minc, specializing in online defamation cases, noted that while Tea enjoys some protection under Section 230 of the Communications Decency Act, individual users posting false information could face legal consequences.

Industry Response and Expert Analysis

Cybersecurity Expert Assessments

Security professionals have been uniformly critical of Tea’s security practices. Ted Miracco, CEO of mobile security company Approov, stated: “This is basic cybersecurity and something the company should be held accountable for. They rushed to market and promised consumers to create a safe site, and instead they exposed them”.

Rachel Tobac, CEO of SocialProof Security, emphasized the broader implications: “Any data you collect must be secured. The more information you gather, the more appealing a target you become for cybercriminals”.

Web3 and Decentralization Advocates

The breach has reignited discussions about centralized versus decentralized identity systems. Web3 advocates argue that self-sovereign identity solutions could have prevented such exposure by eliminating the need to store sensitive documents in centralized databases.

Proposals include using zero-knowledge proofs and decentralized identity attestations to verify user credentials without storing actual identity documents, significantly reducing breach impact.

Mitigation and Response Timeline

Company Actions

Tea’s response to the breaches included:

  • July 26: Engaged third-party cybersecurity experts for incident response
  • July 28: Acknowledged second breach and additional data exposure
  • July 29: Disabled direct messaging functionality indefinitely
  • July 30: Announced free identity protection services for affected users

Ongoing Investigation

The company claims to be conducting a “full investigation to assess the scope and impact of the breach” while working with law enforcement agencies. However, users report a lack of direct communication from Tea regarding their specific exposure.

Conclusion

The Tea app data breaches represent a catastrophic failure of security engineering, corporate transparency, and user trust. Two separate vulnerabilities—a misconfigured Firebase storage bucket and an unprotected API endpoint—exposed the most sensitive personal information of thousands of women who trusted the platform with their safety and privacy.

The incident demonstrates how rapidly growing applications can become attractive targets for both cybercriminals and coordinated harassment campaigns. When fundamental security controls fail, the consequences extend far beyond technical metrics to encompass real-world harassment, identity theft, and the weaponization of private communications.

For the cybersecurity community, Tea serves as a stark reminder that security cannot be an afterthought in application development. The combination of sensitive data collection, inadequate technical controls, and a hostile threat environment created perfect conditions for a devastating breach that has permanently compromised user safety and privacy.

The failure of an app designed to protect women from dangerous dating situations to protect its own users from digital predators represents not just a technical failure, but a fundamental betrayal of the trust placed in technology platforms to safeguard vulnerable communities.

I just do cybersecurity stuff.
