Tea app suffers breach, exposing thousands of user images

Tea, an app that claims to help women “make sure your date is safe, not a catfish and not in a relationship,” is experiencing a security breach. 404 Media reports that a database posted on 4chan allowed anyone to access users’ data. (It’s since been removed.) The dataset included thousands of images, including driver’s licenses.

4chan users claimed the data came from an exposed database hosted on Firebase, Google’s app development platform. 404 Media verified that the exposed storage bucket URL matches one found in Tea’s Android app.

The company confirmed the breach. In a statement to 404 Media, Tea said it “identified unauthorized access to one of our systems and immediately launched a full investigation to assess the scope and impact.” The company stated that the exposed information included data from over two years ago. It included 72,000 images, including selfies, photo IDs and pictures from app posts and DMs.

“This data was originally stored in compliance with law enforcement requirements related to cyber-bullying prevention,” Tea said. “We have engaged third-party cybersecurity experts and are working around the clock to secure our systems. At this time, there is no evidence to suggest that current or additional user data was affected. Protecting our users’ privacy and data is our highest priority. We are taking every necessary step to ensure the security of our platform and prevent further exposure.”

The app allows users to post photos of “red-flag” men. “Already swiping for dates on Tinder, Bumble, Match or Hinge?” the app’s Play Store pitch reads. “Tea is a must-have app, helping women avoid red flags before the first date with dating advice and showing them who’s really behind the profile of the person they’re dating.”

Its Play Store listing highlights a reverse phone number lookup. It has sections for men’s real names, ages, addresses, social profiles and relationship statuses. Other features include a reverse image search and background checks to help women “get the tea on your date.” Users can poll others about whether they should date new matches.

The app requires new users to submit a verification selfie and a photo of their government-issued ID. Tea told 404 Media that it uses this to verify that new signups are indeed women.

The timing of the breach coincided with the app’s surge in popularity. According to Business Insider, Tea hit the top of Apple’s App Store this week. The app first launched in 2023.