SAN FRANCISCO, CA – July 26, 2025 – Tea, a women-only dating safety app that surged to the top of the Apple App Store’s free app chart this week, has suffered a massive data breach, exposing approximately 72,000 user images, including sensitive selfies and government-issued identification documents. The breach, first reported by 404 Media and confirmed by Tea on July 25, 2025, has sparked widespread concern over user privacy and the security of online identity verification systems, with hackers sharing the stolen data on platforms like 4chan and X.
Intended Use of the Tea App
Tea, launched in 2023 by Bay Area tech executive Sean Cook, was designed as a “virtual whisper network” to enhance women’s safety in online dating. The app allows female users to anonymously share information about men they date, labeling them as “red flags” or “green flags” based on experiences, and offers tools like AI-powered reverse image searches, background checks, and access to public sex offender databases to verify potential partners. Users can post photos, names, and details of men, mined from social media or dating apps like Tinder and Bumble, and engage in a “Tea Party Group Chat” to discuss dating experiences. The app, which requires users to submit selfies and sometimes government IDs for gender verification, promises anonymity and blocks screenshots to protect privacy. With over 4 million users and nearly 2 million new signups in recent days, Tea’s mission is to help women avoid catfishing, abuse, or unsafe encounters, inspired by Cook’s mother’s harrowing online dating experiences.
Data Breached and Type of Data Now Accessible
The breach, discovered on July 25, 2025, involved unauthorized access to a legacy Firebase database (Google’s app development platform) that lacked authentication, making it publicly accessible. According to Tea’s statement, approximately 72,000 images were compromised, including:
- 13,000 verification images: These include selfies and government-issued IDs, such as driver’s licenses, submitted by users to verify their gender during account creation.
- 59,000 public-facing images: These encompass photos, comments, and direct messages posted within the app, which were publicly viewable by other users.
The exposed data, spanning 59.3 GB, was stored in a system retained for compliance with law enforcement requirements related to cyberbullying prevention, dating back to before February 2024. Posts on 4chan, including one stating, revealed links to the unsecured database, allowing hackers to download and share the images. Some of these, including IDs with names and addresses, have surfaced on X and other platforms, though their authenticity remains unverified by some outlets. No email addresses, phone numbers, or payment data were reported compromised, and Tea claims no current user data (post-February 2024) was affected.
Impact of the Breach
The breach has significant implications for Tea’s users and the broader tech industry. For the estimated 13,000 women whose selfies and IDs were leaked, the exposure poses risks of identity theft, harassment, and doxxing. Cybersecurity experts recommend that affected users monitor for suspicious activity and consider identity protection services.
The incident has fueled backlash against Tea, already controversial for its “man-shaming” reputation among critics on platforms like Reddit’s r/MensRights, where users have called for its deletion. A 4chan thread on July 24, 2025, reportedly incited a “hack and leak” campaign, motivated by anger over the app’s premise, which some men fear could lead to misrepresentation or defamation. The breach’s timing, coinciding with Tea’s viral popularity (4 million users and No. 1 on the App Store), amplifies its impact, with users reporting additional issues like “screen loading” errors. A retaliatory men-only app, Teaborn, was briefly launched but removed after accusations of facilitating revenge porn.
Tea has responded by taking the affected database offline, engaging third-party cybersecurity experts, and launching a full investigation. The company stated, “Protecting our users’ privacy and data is our highest priority,” and assured users that systems are being secured to prevent further exposure. However, the breach highlights critical vulnerabilities in Tea’s security, attributed to “vibe coding”—using AI-generated code without rigorous review—and a misconfigured Firebase bucket set to default world-readable settings. This incident echoes similar breaches, like a 2024 age verifier hack, raising questions about online identity verification practices across the tech industry.
The breach could erode user trust in Tea, potentially stalling its growth despite recent signup surges. It also underscores broader risks of storing sensitive data, especially for apps handling personal identification. As Tea works to address the fallout, the incident serves as a cautionary tale for platforms prioritizing user safety while grappling with the challenges of securing sensitive data in a digital age.
