Spill the Tea: “Tea” the #1 Women’s Dating App Faces Major Data Breach — Private Data Publicly Exposed

Tea, a popular anonymous dating app for women, has suffered a major data breach, exposing private messages and photos. Here’s a breakdown of what happened and essential lessons to improve cybersecurity.

What Is the Tea App, and Why Did It Go Viral?

Launched in 2023 by a U.S. team, Tea became the go-to anonymous dating and experience-sharing app for women. Users tag men with ‘red flags’ (warnings) or ‘green flags’ (positive traits), upload photos or names, and share research like background checks to expose scammers.

Founder Sean Cook stated on the official website that Tea was inspired by his mother’s “difficult experiences with online dating, including scams and encounters with men with criminal backgrounds.” The app also claims to donate 10% of its profits to the National Domestic Violence Hotline in the U.S.

To join, users upload a selfie and a government-issued ID for verification. Tea claims this information is deleted after approval, with user identities protected via anonymized codes. The app also prevents screenshots in an effort to safeguard women’s privacy and safety.

In July 2025, Tea became the #1 free app on the Apple App Store, surpassing 2 million users in record time.

How the Tea App Data Breach Unfolded

First: Photos Leaked Online

On July 25, 2025, an anonymous post appeared on the forum 4chan, alleging that Tea was using an insecure Firebase database to store users’ ID documents and selfie photos. The post included a link claiming to provide access to the stolen image archive. Soon after, thousands of photos—reportedly identity verification images—began circulating on 4chan and X (formerly Twitter).

Media investigations later confirmed the leak included roughly 72,000 user images, consisting of:

  • 13,000 selfies and government ID photos used for identity verification
  • 59,000 images shared through user posts, comments, and private messages

On July 26, a Tea spokesperson acknowledged “unauthorized access” to a legacy database, clarifying the leak affected users registered before February 2024. The company emphasized that email addresses and phone numbers were not part of the leak and that they had engaged a third-party cybersecurity firm to investigate and reinforce their security infrastructure.

Second: Private Messages Exposed

The situation escalated when cybersecurity researcher Kasra Rahjerdi disclosed that Tea’s weak Firebase setup also exposed over 1.1 million private messages sent between February 2023 and July 2025. These messages included deeply personal topics—divorce, abortion, infidelity, and sexual assault—sometimes revealing phone numbers and meeting locations. On July 29, Tea announced it had notified users and disabled direct messaging to stop further leaks, promising further support for those affected, including free identity protection services.

Why Did the Breach Happen? 3 Critical Security Flaws

Whenever a major data breach happens, the first question many people ask is: How did hackers get in? And how could the company let this happen? As cybersecurity professionals, we can identify three key missteps in the Tea App incident that likely opened the door to attackers.

1. Promised Deletion, But the Data Was Still There

Tea’s onboarding process requires users to upload a selfie and a government-issued ID for verification. The company publicly claimed that this data would be deleted after verification. However, the leaked database shows that information from users who registered before February 2024 was still stored on outdated servers.

This reveals two serious issues:

  • Broken promises: Users trusted that their sensitive documents would be deleted. Instead, they remained on the servers—out of sight, but far from gone.
  • Poor data lifecycle management: Even when the data was no longer needed, it wasn’t purged or archived securely. Essentially, a treasure trove of sensitive information was left behind for hackers to find.

For an app that promotes anonymous use and women’s safety, this lapse severely undermines user trust and brand credibility.

2. Poor Data Storage Decisions and Weak Access Controls

Tea relied on Google Firebase to store user data. While Firebase is a powerful cloud platform, simply using a big-name provider doesn’t guarantee security.

Cybersecurity researchers found that Tea’s stored images and message content were neither properly encrypted nor access-restricted. This meant attackers were able to scan Firebase’s public-facing API and discover unsecured access points, allowing them to retrieve raw user data with little resistance.

Think of it this way: Tea put sensitive documents in a safe—but left the door wide open and forgot to lock it. Anyone who stumbled upon it could peek inside, take photos, or walk away with copies.

This highlights a crucial lesson: cloud infrastructure still requires strong configuration and oversight. Choosing a trusted platform is just the first step; setting up secure access policies is equally important.
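
As an added illustration (not code from Tea or from the original article), the following Python script lints a rules file for the kind of open access described above. It assumes the JSON rules format of Firebase Realtime Database, since the article does not say which Firebase product was involved; the sample rules are constructed and the path names are hypothetical.

```python
import json

# Constructed sample in the Realtime Database rules format (hypothetical paths).
SAMPLE_RULES = json.loads("""
{
  "rules": {
    "verification_images": {".read": true, ".write": "auth != null"},
    "messages": {
      "$threadId": {
        ".read": "auth != null && data.child('members').child(auth.uid).exists()",
        ".write": "auth != null && data.child('members').child(auth.uid).exists()"
      }
    },
    "profiles": {
      "$uid": {".read": "auth != null", ".write": "auth.uid === $uid"}
    }
  }
}
""")


def classify(expr):
    """Heuristically grade a .read/.write rule expression."""
    text = str(expr).strip().lower()
    if text == "true":
        return "public"          # no credentials needed at all
    if text == "false":
        return "denied"
    if "auth" not in text:
        return "no-auth-check"   # condition never looks at the caller
    if "auth.uid" in text or "auth.token" in text:
        return "scoped"          # tied to a specific identity or claim
    return "any-user"            # any signed-in account passes


def audit(node, path="/", inherited=None):
    """Walk the rules tree and return (path, op, level) findings."""
    granted = dict(inherited or {})
    findings = []
    for op in (".read", ".write"):
        # A grant on a parent cascades to children and cannot be revoked
        # below it, so rules under an open parent are not re-evaluated.
        if op in node and op not in granted:
            level = classify(node[op])
            if level in ("public", "no-auth-check", "any-user"):
                findings.append((path, op, level))
            if level in ("public", "no-auth-check"):
                granted[op] = level
    for key, child in node.items():
        if isinstance(child, dict):
            findings += audit(child, path.rstrip("/") + "/" + key, granted)
    return findings
```

Running `audit(SAMPLE_RULES["rules"])` in a CI step and failing the build on any `public` or `no-auth-check` finding keeps an open rule from reaching production unnoticed.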

3. Storing Far More Data Than Necessary

Under modern data protection principles—such as data minimization outlined in regulations like the GDPR—companies are expected to collect and retain only what’s strictly necessary to provide their services. Tea, however, retained far more than it should have, including:

  • Private user messages, sometimes containing intimate details about sexual experiences, emotional conflicts, or contact information
  • Identity verification materials such as government-issued IDs and selfies
  • Legacy image backups and outdated databases from inactive or early users

This kind of information is not only deeply sensitive—it should never have been stored long-term in the first place.

The more data a company holds, the higher the potential damage if a breach occurs. By holding onto unnecessary and high-risk information, Tea made itself a bigger target—and its users more vulnerable.

How Can Companies Avoid Becoming the Next Tea?

1. Collect Only Essential Data

Companies should collect only the personal data that is truly necessary and be transparent with users about the purpose and retention period of that data. For example, Tea required users to upload government IDs and selfies but failed to properly delete and protect this sensitive information, effectively creating a ticking security time bomb.

Recommendation: When designing service workflows, always ask:

  • “Is this piece of data really needed?”
  • “When can it be safely deleted?”

2. Establish Robust Data Lifecycle Management

Every stage of data handling—from collection, storage, access, backup, to deletion—should have clearly defined processes and responsible personnel. Companies must avoid letting expired or unnecessary data linger unmanaged for months or years, as happened with Tea’s outdated databases.

Recommendation: Implement automated data deletion mechanisms, conduct regular audits of old data, and maintain detailed records of data retention and deletion activities.
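
The recommendation above, and the retained verification files described earlier under “Promised Deletion, But the Data Was Still There,” can be illustrated with a small retention sweep. This is an added example, not code from Tea or the original article; the policy, field names and sample records are assumptions constructed for the illustration, and the in-memory dictionary stands in for a real storage bucket.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy (not Tea's): ID and selfie uploads are removed as soon as a
# verification decision exists, and undecided uploads after MAX_PENDING.
MAX_PENDING = timedelta(days=7)
NOW = datetime(2025, 7, 25, tzinfo=timezone.utc)  # constructed "current" time


def sample_store():
    """Constructed records standing in for objects in a storage bucket."""
    d = lambda y, m, day: datetime(y, m, day, tzinfo=timezone.utc)
    return {
        "id-001": {"kind": "gov_id", "uploaded_at": d(2023, 11, 2), "decided_at": d(2023, 11, 3)},
        "selfie-001": {"kind": "selfie", "uploaded_at": d(2023, 11, 2), "decided_at": d(2023, 11, 3)},
        "id-002": {"kind": "gov_id", "uploaded_at": d(2025, 7, 1), "decided_at": None},
        "selfie-003": {"kind": "selfie", "uploaded_at": d(2025, 7, 24), "decided_at": None},
    }


def deletion_reason(obj, now):
    """Return why an object must be deleted, or None if it may be kept."""
    if obj["decided_at"] is not None:
        return "verification-decided"
    if now - obj["uploaded_at"] > MAX_PENDING:
        return "pending-too-long"
    return None


def overdue(store, now):
    """Audit query: objects that policy says should already be gone."""
    return sorted(k for k, v in store.items() if deletion_reason(v, now))


def sweep(store, audit_log, now):
    """Delete every overdue object and record each deletion for later audit."""
    for object_id in list(store):
        reason = deletion_reason(store[object_id], now)
        if reason is None:
            continue
        kind = store[object_id]["kind"]
        del store[object_id]  # a real system would call the storage API here
        audit_log.append({"object": object_id, "kind": kind,
                          "reason": reason, "deleted_at": now.isoformat()})
    return audit_log
```

Running `overdue()` again after each sweep, and alerting when it returns anything, turns the deletion promise into a check that can fail visibly.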

3. Enforce Access Controls and Adopt a Zero Trust Architecture to Mitigate Internal and External Risks

The Tea data breach highlights not only the lack of encryption on their database but also a critical failure in restricting who could access the data. Without strict identity verification and permission controls, anyone could read sensitive information.

Modern cybersecurity has evolved from simply “building a wall to keep outsiders out” to adopting a Zero Trust model—which means never trusting any user or device by default.

In practice, this means:

  • Every data access request, whether from internal employees or third-party vendors, must be authenticated and authorized
  • Users can only access the specific data they’re permitted to see
  • Abnormal device behavior, network conditions, or user activity triggers additional verification

At the core of these practices are Multi-Factor Authentication (MFA) and dynamic access controls, which form the foundation of a strong Zero Trust strategy.

Keypasco ZTNA is a cybersecurity solution built on Zero Trust Network Access principles. Developed in line with U.S. NIST and CISA standards, as well as Taiwan’s government Zero Trust framework, it is certified by the National Institute of Cyber Security. Keypasco ZTNA employs identity verification, device authentication, and trust inference technologies to help organizations achieve comprehensive and robust cybersecurity protection.

  • Identity Verification: Offers multi-factor authentication, including FIDO U2F and FIDO2 solutions.
  • Device Authentication: Scans device attributes and software information, storing them on Keypasco servers for device validation.
  • Trust Inference: Uses artificial intelligence to analyze behavior, continuously assess risk, and trigger additional authentication when needed.

Keypasco meets global standards and is trusted by government, finance, healthcare, smart building, and high-tech organizations worldwide. As cyber threats evolve, we remain committed to empowering organizations with robust, future-ready security solutions. This ensures that they stay compliant, resilient, and ahead of the curve in a rapidly changing digital landscape.
