What is the Tea App?
Tea Dating Advice, launched in 2023 by founder Sean Cook, markets itself as a women-only platform that enables users to anonymously share information about men they’ve dated or encountered. The app functions as a crowdsourced background checking service, allowing verified female users to leave reviews categorizing men as “red flags” or “green flags” based on their dating experiences.
The platform gained explosive popularity in July 2025, surging from relative obscurity to the #1 position on Apple’s App Store free apps chart within days. Between July 17-23, downloads increased by 525%, with the company claiming over 4 million total users and 2.5 million new registrations in a single week.
To join Tea, users must undergo a verification process that initially required submitting selfies alongside government-issued photo identification to confirm their identity as women. The app’s privacy policy explicitly stated these verification images would be “deleted immediately” after review.
The First Breach: Firebase Misconfiguration Exposes 72,000 Images
Discovery and Initial Impact
On July 25, 2025, Tea confirmed that cybercriminals had gained unauthorized access to what the company described as a “legacy data storage system”. The breach exposed approximately 72,000 images, including:
- 13,000 verification selfies and government photo IDs submitted during account verification
- 59,000 publicly viewable images from posts, comments, and direct messages within the app
The compromised data affected users who registered before February 2024, when Tea claimed to have transitioned to “a more secure system”.
Technical Root Cause: Unsecured Firebase Storage
Security researchers identified the primary vulnerability as a misconfigured Firebase storage bucket (Firebase is Google’s cloud-hosted backend service). The bucket lacked authentication controls, so anyone who knew or guessed the correct URL could read its contents: the digital equivalent of an unlocked door.
Anonymous users on the 4chan message board discovered the exposed bucket and shared a Python script enabling mass download of the stored images. This wasn’t a sophisticated attack requiring advanced hacking skills; it was a basic configuration failure that left sensitive data openly accessible on the internet.
The “Legacy System” Excuse
Tea attributed the breach to storing data “in accordance with law enforcement requirements related to cyber-bullying prevention”, contradicting their own privacy policy that promised immediate deletion of verification photos. This revelation exposed a fundamental dishonesty in the company’s data handling practices and raised serious questions about regulatory compliance.
The Second Breach: API Vulnerability Exposes 1.1 Million Private Messages
A More Devastating Discovery
Just three days after the initial breach disclosure, independent security researcher Kasra Rahjerdi uncovered a second, more damaging vulnerability affecting Tea’s direct messaging system. This separate security flaw exposed over 1.1 million private messages exchanged between users from early 2023 through July 2025.
Unlike the first breach involving historical data, this vulnerability affected current, active communications containing highly sensitive personal information.
API Access Control Failure
The technical cause was a critical flaw in the Application Programming Interface (API) that handles Tea’s internal app communications. According to Rahjerdi’s analysis, any authenticated Tea user could access the entire message database using their own API key: the API verified who was calling but never checked whether that caller was a participant in the conversations being requested. This is a catastrophic failure of access control, allowing any user to query and extract other users’ private conversations at will.
Exposed Content and Real-World Impact
The leaked messages contained deeply personal and sensitive discussions, including:
- Abortion discussions and reproductive health conversations
- Infidelity reports about cheating partners and spouses
- Phone numbers and social media profiles enabling user identification
- Real names and personal details compromising user anonymity
- Meeting locations and private arrangements
Rahjerdi demonstrated that cross-referencing message content with social media profiles made it “trivial to find social media profiles, telephone numbers, and the real-world identities of most users”.
Attack Vectors and Exploitation Methods
4chan Mobilization and Coordinated Harassment
The Tea app became a target for coordinated harassment campaigns after gaining viral attention. Users on 4chan initiated a “hack and leak” operation specifically targeting the platform, motivated by opposition to the app’s concept of allowing women to anonymously review men.
The anonymous forum users not only shared the leaked data but actively weaponized it:
- Created interactive maps purporting to show user locations based on metadata
- Developed rating websites like “Teaspill” allowing visitors to rate stolen selfies
- Distributed torrents of the complete dataset across multiple hacking forums
Social Engineering and Identity Theft Risks
The combination of government IDs, selfies, and personal information creates severe risks for affected users:
- Identity theft facilitation through access to driver’s licenses and verification photos
- SIM swap attack preparation using personal details and phone numbers
- Social engineering campaigns leveraging private conversation content
- Cryptocurrency exchange fraud using verified identity documents
Technical Analysis: Fundamental Security Failures
Firebase Security Misconfigurations
Firebase, while a powerful and scalable backend solution, requires proper security rule implementation to protect sensitive data. Tea’s implementation failures included:
- Public read access to storage buckets containing private images
- Insufficient authentication requirements for data access
- Missing data encryption for sensitive personal information
- Inadequate access logging preventing breach detection
API Security Vulnerabilities
The message exposure resulted from basic API security oversights:
- Missing authorization checks on sensitive endpoints
- Overprivileged API keys allowing broad data access
- Insufficient rate limiting enabling bulk data extraction
- Lack of user-specific access controls in database queries
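The access-control failure described above (an authenticated caller reading conversations it does not belong to) and the missing rate limit, as an added JavaScript model that is not Tea’s code; it assumes the hypothetical names fetchMessagesVulnerable, fetchMessagesFixed and RateLimiter over a constructed in-memory store.

```javascript
// Added example, not Tea's code: the message-API access-control failure,
// modelled against a constructed in-memory store with hypothetical names.

// Constructed sample data: API key -> user id, and conversations with participants.
const apiKeys = { "key-alice": "alice", "key-bob": "bob", "key-mallory": "mallory" };
const conversations = {
  c1: { participants: ["alice", "bob"], messages: ["hi bob", "hi alice"] },
  c2: { participants: ["alice", "carol"], messages: ["lunch friday?"] },
};

// Authentication only answers "who is calling?"; it says nothing about what they may read.
function authenticate(apiKey) {
  const uid = apiKeys[apiKey];
  if (!uid) throw new Error("401 unauthenticated");
  return uid;
}

// Vulnerable pattern: the key proves the caller is a valid user, but the handler
// never asks whether that user belongs to the conversation it looks up.
function fetchMessagesVulnerable(apiKey, conversationId) {
  authenticate(apiKey);
  const convo = conversations[conversationId];
  if (!convo) throw new Error("404 not found");
  return convo.messages;
}

// Fixed pattern: authorization is bound to the authenticated identity, and a
// non-participant gets the same 404 as a missing id, so ids cannot be enumerated.
function fetchMessagesFixed(apiKey, conversationId) {
  const uid = authenticate(apiKey);
  const convo = conversations[conversationId];
  if (!convo || !convo.participants.includes(uid)) throw new Error("404 not found");
  return convo.messages;
}

// Minimal per-user request counter: bulk extraction across many conversation ids
// stays cheap as long as every valid key may make unlimited requests.
class RateLimiter {
  constructor(maxPerWindow) { this.max = maxPerWindow; this.counts = new Map(); }
  allow(uid) {
    const n = (this.counts.get(uid) || 0) + 1;
    this.counts.set(uid, n);
    return n <= this.max;
  }
}
```

Run both handlers with "key-mallory" against "c1": the vulnerable one returns Alice and Bob’s messages, the fixed one refuses.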
Data Architecture Problems
Tea’s security failures stem from fundamental architectural decisions:
- Centralized data storage creating single points of failure
- Legacy system maintenance without security updates
- Inconsistent security policies across different app versions
- Inadequate data lifecycle management violating retention policies
Legal and Regulatory Implications
Class Action Lawsuits
Multiple class action lawsuits have been filed against Tea Dating Advice, with plaintiffs alleging “failure to properly secure and safeguard personally identifiable information”. Lead plaintiff Griselda Reyes claims to suffer “anxiety and heightened concerns regarding her privacy” following the breach.
Legal experts note that the exposure of government IDs and private communications may constitute violations of various privacy regulations, potentially subjecting Tea to significant financial penalties and regulatory oversight.
Defamation and Privacy Concerns
The app’s business model already faced legal challenges from men claiming defamation through anonymous reviews. The data breaches have amplified these concerns, with lawyers reporting “hundreds of calls” from individuals distressed about content posted about them on Tea.
Aaron Minc, specializing in online defamation cases, noted that while Tea enjoys some protection under Section 230 of the Communications Decency Act, individual users posting false information could face legal consequences.
Industry Response and Expert Analysis
Cybersecurity Expert Assessments
Security professionals have been uniformly critical of Tea’s security practices. Ted Miracco, CEO of mobile security company Approov, stated: “This is basic cybersecurity and something the company should be held accountable for. They rushed to market and promised consumers to create a safe site, and instead they exposed them”.
Rachel Tobac, CEO of SocialProof Security, emphasized the broader implications: “Any data you collect must be secured. The more information you gather, the more appealing a target you become for cybercriminals”.
Web3 and Decentralization Advocates
The breach has reignited discussions about centralized versus decentralized identity systems. Web3 advocates argue that self-sovereign identity solutions could have prevented such exposure by eliminating the need to store sensitive documents in centralized databases.
Proposals include using zero-knowledge proofs and decentralized identity attestations to verify user credentials without storing actual identity documents, significantly reducing breach impact.
Mitigation and Response Timeline
Company Actions
Tea’s response to the breaches included:
- July 26: Engaged third-party cybersecurity experts for incident response
- July 28: Acknowledged second breach and additional data exposure
- July 29: Disabled direct messaging functionality indefinitely
- July 30: Announced free identity protection services for affected users
Ongoing Investigation
The company claims to be conducting a “full investigation to assess the scope and impact of the breach” while working with law enforcement agencies. However, users report a lack of direct communication from Tea regarding their specific exposure.
Conclusion
The Tea app data breaches represent a catastrophic failure of security engineering, corporate transparency, and user trust. Two separate vulnerabilities—a misconfigured Firebase storage bucket and an unprotected API endpoint—exposed the most sensitive personal information of thousands of women who trusted the platform with their safety and privacy.
The incident demonstrates how rapidly growing applications can become attractive targets for both cybercriminals and coordinated harassment campaigns. When fundamental security controls fail, the consequences extend far beyond technical metrics to encompass real-world harassment, identity theft, and the weaponization of private communications.
For the cybersecurity community, Tea serves as a stark reminder that security cannot be an afterthought in application development. The combination of sensitive data collection, inadequate technical controls, and a hostile threat environment created perfect conditions for a devastating breach that has permanently compromised user safety and privacy.
The failure of an app designed to protect women from dangerous dating situations to protect its own users from digital predators represents not just a technical failure, but a fundamental betrayal of the trust placed in technology platforms to safeguard vulnerable communities.