The women-only dating review app Tea suffered a major data breach exposing around 72,000 private images, including government IDs and selfies, after users on 4chan posted a public link to the app’s exposed storage database. Users who joined before February 2024 are affected, raising urgent concerns over digital privacy and platform security.
Massive Tea App Data Exposure: Selfies and IDs Leaked
Tea confirmed that approximately 13,000 images submitted during account verification—selfies or government-issued ID scans—were accessed without authorization. An additional 59,000 images tied to in-app content, including comments, direct messages, and posts, were also compromised. The data was stored in an unprotected Firebase archive dating back over two years—despite the company’s claims that verification photos are deleted after review.
Tea emphasized that no email addresses or phone numbers were exposed, and that the breach affects only legacy user data. The company has engaged third‑party cybersecurity experts and asserts that no current user data appears impacted.
4chan Public Leak
The breach was discovered after a 4chan thread called for a “hack and leak” campaign, prompting users to scan public-facing Firebase buckets. One user posted the exposed URL and bragged, “Drivers licenses and face pics! Get in here before they shut it down!”
404 Media investigated and confirmed that Tea used an unsecured Firebase bucket, making sensitive images accessible to anyone. The leaked files were later posted on 4chan and X (formerly Twitter), though 404 Media did not access the files directly.
Tea’s Mission vs. Its Security Failure
Tea was created in 2023 by Sean Cook to address online dating safety: it allows women to anonymously share experiences, rate men as “red flags” or “green flags”, and access features like reverse image search and background checks. During sign-up, users must upload a selfie and ID to verify they are women; Tea promised this data would be deleted immediately after review, and the app blocks screenshots to preserve anonymity.
Ironically, the data meant to protect women has now exposed them. Tea had recently become the top free app on Apple’s U.S. App Store, with over two million new sign‑up requests and a reported user base of 1.6 to 4 million users.
Users took to Reddit and social media to express outrage.
Digital privacy experts warned that mandatory verification can create points of failure—especially when developers underestimate risks in backend storage.
Legal analysts suggest potential class-action litigation, citing the breach of extremely sensitive biometric ID data—despite Tea’s assurances. Privacy advocates caution that Tea’s failure shows how safety-focused design can clash with uncompromised data security.
In response, Tea “locked down” the exposed database and is conducting a full forensic investigation with cybersecurity firms. A message from admin account “TaraTeaAdmin” appeared in-app to inform users directly.
Tea stated: “Protecting our users’ privacy and data is our highest priority,” and noted there is no evidence yet of additional data compromise. The company also reiterated its policy of deleting verification images after processing, despite current evidence showing otherwise.
Privacy Promises vs. Practical Reality
Tea’s rise reflects increasing demand for women-centric safety tools in online dating. But the breach underscores that real safety depends on robust infrastructure—not just branding. Experts say this incident reveals systemic vulnerabilities in how apps store sensitive identity data, especially when built to scale rapidly.
It also reignites debate on ethics and accountability: anonymous review mechanisms risk defamation, and now users’ identities are exposed. Legislators may demand stricter rules on retention limits, encryption mandates, and transparency for apps collecting IDs and biometric info.
Tea’s experience may become a case study prompting tighter regulations for dating and safety platforms—especially those requiring sensitive content like driver’s license photos or facial matching.
Tea’s vision of offering women a safer space has been upended by major security flaws. The breach of legacy verification data—once considered secure—now exposes a fundamental paradox: platforms built for protection can inadvertently become vulnerabilities.
As Tea works to restore trust, users are left questioning whether the convenience of verification is worth the risk—and whether tech-driven safety tools can truly safeguard those they serve.