Dating App Tea Breach Exposes Users’ IDs and Messages
Tea, an app built to flag “red-flag” dates, was hacked by 4chan users, leaking 72,000 images—including 13,000 selfies and IDs—and exposing private messages. Stored on Firebase without proper encryption or access controls, legacy and recent data remain vulnerable. Experts call Tea’s security practices negligent and warn that cloud storage demands stronger safeguards.
An app designed to help women spot the “red flags” in their dates became a privacy nightmare when hackers breached its backend. Tea’s users—over 4 million strong—saw selfies, driver’s licenses, and private messages leak onto 4chan, exposing sensitive confessions about infidelity, health, and more.
Background
Launched by software developer Sean Cook, Tea promised an anonymous whisper network reminiscent of “Are We Dating The Same Guy” Facebook groups. Its surge to the top of Apple’s App Store highlighted a hunger for shared safety tips, but also attracted scrutiny and backlash from users on both sides.
The Breach
On July 25, 2025, 4chan users published 72,000 images from Tea’s Firebase database. Among them were 13,000 selfies and driver’s licenses—documents women had submitted for identity verification until February 2024. Thousands more profile pictures and message threads also became public before Tea detected the hack.
Despite claims that only its “legacy” data was affected, independent researchers found ongoing vulnerabilities exposing private chats about abortion, infidelity, and personal phone numbers. Tea’s promise to delete verification data upon signup no longer holds true.
Expert Critique
“Law enforcement doesn’t set data retention rules—legislatures do,” says Loyola University’s Peter Dordal. He calls Tea’s statement misleading and warns that public cloud buckets should never house unencrypted IDs.
Grant Ho, a security researcher at the University of Chicago, adds, “At a minimum, private data belongs encrypted and behind access controls. Exposing it on a publicly reachable server is negligent.”
Lessons for Developers
- Encrypt sensitive data at rest and in transit, especially IDs and private messages.
- Lock down cloud storage access with strict authentication and minimal permissions.
- Implement clear data retention policies and automate secure deletion after verification.
- Conduct regular third-party security audits to catch misconfigurations before they’re exploited.
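One way to act on the access-control lesson above, as an added example that is not from Tea or the original article: a small Python check that flags Firebase Storage security-rule statements granting access to everyone or to any signed-in user. Both rule sets are constructed samples, and the function name `find_broad_rules` is hypothetical.

```python
import re

# Constructed sample rules for illustration; not Tea's actual configuration.
WEAK_RULES = """rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if true;  // anyone on the internet
    }
  }
}
"""

HARDENED_RULES = """rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /verification/{userId}/{fileName} {
      // Owner may upload, reads go through a trusted backend only.
      allow write: if request.auth != null && request.auth.uid == userId;
      allow read: if false;
    }
  }
}
"""

# Matches "allow <methods>[: if <condition>];" statements.
ALLOW = re.compile(r"\ballow\s+([a-z,\s]+?)\s*(?::\s*if\s+(.*?))?\s*;", re.S)

def find_broad_rules(rules_text):
    """Return (line, methods, reason) for each overly broad allow statement."""
    text = re.sub(r"//[^\n]*", "", rules_text)  # drop comments, keep newlines
    findings = []
    for m in ALLOW.finditer(text):
        methods = [name.strip() for name in m.group(1).split(",")]
        # Assumption: a bare "allow read;" is treated as unconditional.
        cond = " ".join((m.group(2) or "true").split())
        if cond == "true":
            reason = "public"
        elif cond == "request.auth != null":
            reason = "any-signed-in-user"
        else:
            continue
        line = text.count("\n", 0, m.start()) + 1
        findings.append((line, methods, reason))
    return findings

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, find_broad_rules(rules))
```

A check like this fits in CI next to the rules file, so a broad rule fails the build before it is deployed.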
Tea’s breach underscores a critical truth: digital whisper networks lose the control and trust their offline counterparts offer. As user-facing platforms gather more personal data, building airtight security becomes not just best practice, but a responsibility to protect every individual in the network.