The women’s dating advice application, Tea, designed to provide a secure platform for users to share anonymous reviews and warnings about men in the dating scene, has confirmed a significant data breach. This incident, which came to light in late July 2025, resulted in the exposure of over 72,000 user images.
The compromised data included approximately 13,000 selfies and photographs of users’ driver’s licenses or other government-issued identification documents, which were submitted for account verification purposes. In addition to these highly sensitive verification images, another 59,000 images that were publicly viewable within the app—such as those shared in posts, comments, and direct messages—were also accessed without authorization.
The company, Tea Dating Advice Inc., stated that the breach affected a “legacy data storage system” containing information from users who signed up before February 2024. Importantly, no email addresses or phone numbers were reportedly accessed in this initial breach. However, this distinction offers little solace given the nature and volume of the visual personally identifiable information (PII) that was compromised. The breach has been described as a “catastrophic privacy failure,” particularly for an app that marketed itself as a “safe space” for women.
The breakdown of the 72,000 exposed images shows where the risk is concentrated: 13,000 were direct selfies or selfies featuring photo identification, an extremely sensitive category of data. The remaining 59,000 images were content shared within the app’s ecosystem, which, while potentially visible to other users inside the app, were not intended for unrestricted external access or malicious exploitation.
Tea confirmed the breach resulted from unauthorized access to one of its systems, specifically an “identifier link” where pre-February 2024 data was stored. This “legacy system” was reportedly kept online “in accordance with law enforcement requirements related to cyber-bullying investigations,” a point the company acknowledged should have prompted a move to a “new fortified system.” The fact that the data was stored unencrypted and accessible via a simple URL further exacerbates the incident’s severity. The breach exposes users to potential identity theft, fraud, and targeted harassment, given the app’s specific user base. A subsequent, more severe security issue also led to the exposure of over 1.1 million private direct messages containing deeply personal discussions and real phone numbers.
Initial reports of the Tea app data breach surfaced from security researchers and online communities, notably the message board website 4chan. According to 404 Media, which was among the first to report on the incident, users on 4chan discovered an exposed database that “allowed anyone to access the material” from Tea. This was not a sophisticated, targeted hack, but rather an exploitation of a publicly accessible URL leading to a voluminous list of specific app attachments.
The researchers found the database, hosted on Google’s Firebase platform, lacked basic security protocols, allowing anyone with the URL to browse the images without authentication. This enabled the mass downloading and subsequent dissemination of the 72,000 images. The data was dumped on 4chan, a platform known for malicious activity, leading to the images being spread further and weaponized against users. A post on 4chan explicitly stated: “Yes, if you sent Tea App your face and drivers license, they doxxed you publicly! No authentication, no nothing. It’s a public bucket,” urging others to “GET THE FUCK IN HERE BEFORE THEY SHUT IT DOWN!”
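The "no authentication" condition described above is the kind of thing a rules review can catch before deployment. The following is an added example, not code from Tea or from the original reporting: a heuristic linter that walks a Firebase Security Rules file for Cloud Storage and reports read grants with no `request.auth` check. It assumes access was governed by such rules (the page does not show Tea's configuration); the sample rules and the function name `find_public_reads` are constructed for illustration.

```python
import re

# Constructed sample rules for illustration; not Tea's actual configuration.
WEAK_RULES = """
service firebase.storage {
  match /b/{bucket}/o {
    match /attachments/{allPaths=**} {
      allow read;
      allow write: if request.auth != null;
    }
  }
}
"""

HARDENED_RULES = """
service firebase.storage {
  match /b/{bucket}/o {
    match /attachments/{uid}/{allPaths=**} {
      allow read, write: if request.auth != null && request.auth.uid == uid;
    }
  }
}
"""

READ_METHODS = {"read", "get", "list"}
# Tokens: 'match <path> {', 'allow <methods>[: if <cond>];', bare '{' and '}'.
TOKEN = re.compile(
    r"match\s+(\S+)\s*\{|allow\s+([\w\s,]+?)\s*(?::\s*if\s+([^;]+))?;|\{|\}")

def find_public_reads(rules_text):
    """Return (path, read_methods, condition) for read grants lacking an auth check.

    Heuristic only: a condition that mentions request.auth is not flagged,
    which does not prove the condition is sufficient.
    """
    findings, stack = [], []
    for m in TOKEN.finditer(rules_text):
        tok = m.group(0)
        if m.group(1):        # 'match <path> {' opens a scoped block
            stack.append(m.group(1))
        elif tok == "{":      # non-match block such as 'service ... {'
            stack.append("")
        elif tok == "}":
            stack.pop()
        else:                 # allow statement
            methods = {x.strip() for x in m.group(2).split(",")} & READ_METHODS
            cond = (m.group(3) or "").strip()
            if methods and "request.auth" not in cond:
                findings.append(("".join(stack), sorted(methods), cond or "<none>"))
    return findings
```
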