A hacker intrusion into the Tea app has led to the leak of tens of thousands of user selfies and government-issued ID photos.
Tea, a women-only social platform, allows users to post personal information about current, past, or potential romantic partners.
A spokesperson for Tea has confirmed the data breach.
According to the company, the attackers accessed a database containing around 72,000 images, including 13,000 selfies and government-issued ID photos used for identity verification.
The leaked data consisted of content submitted by users during the sign-up process for identity confirmation.
How the Tea App Works
Tea has recently gained viral popularity on social media and even topped the Apple App Store’s free download rankings.
The app functions as a “virtual review network,” where women can upload photos of men, search by name, and anonymously share reviews labeled as “red flags” (warning signs) or “green flags” (positive signs).
Tea promises user anonymity and prohibits screenshots within the app.
To register, users must submit a selfie to verify their gender — a step the company says ensures “safety and exclusivity.”
According to Tea’s official website, these selfies are deleted shortly after verification, but that claim is now being questioned in light of the recent breach.
Details of the Data Breach
Tea’s spokesperson said the leaked data came from a database stored more than two years ago.
The data was originally archived “to comply with law enforcement requirements related to cyberbullying prevention,” the company explained.
Following the breach, Tea announced that it has partnered with a third-party cybersecurity firm and is working “around the clock” to secure its systems.
“The privacy and protection of our users’ data are our top priorities,” the company said, adding that it is taking “every necessary measure to prevent this from happening again.”
However, the situation worsened on Monday.
404 Media reported a second vulnerability that exposed over 1.1 million direct messages exchanged on the app between early 2023 and last week.
Some of these messages reportedly contained highly personal information that could identify users.
Cybersecurity researcher Kasra Rahjerdi stated that the flaw could have allowed third parties to send push notifications to users.
He added that others might have accessed the data before his report, though it remains unclear whether any of it was actually downloaded.
Tea has since taken the affected systems offline and announced plans to offer free identity protection services to impacted users.
The company is also working to identify the personal data that may have been compromised.
Online Forum Involvement and Potential Misuse
The Tea app breach appears to be linked to activity on certain online communities.
On the controversial site 4chan, posts emerged calling for a “hack-and-leak” campaign targeting Tea.
By Friday morning, users on 4chan had shared links allegedly allowing downloads of stolen images, and photos believed to be Tea users’ IDs began circulating on 4chan and X (formerly Twitter).
However, the authenticity of these images has not been independently verified.
Additionally, a Google Map was reportedly created that allegedly showed the locations of users affected by the breach.
Although no names were included, the exposure of location data has intensified concerns over user safety and privacy.
There were also reports that some leaked data had been used to identify individuals affiliated with U.S. military bases.
On one cybercrime forum, a seller claimed to be offering a “55GB data dump containing selfies and ID photos.”
Several researchers believe the hackers exploited a misconfiguration in Google’s Firebase cloud service, which likely served as the entry point.
The storage bucket was confirmed to have been publicly accessible even before the breach was made public.
User Reactions
The Tea data breach has sparked outrage and anxiety among users.
The app’s sign-up process explicitly states that “verification images are deleted after review,” a promise now seen as broken.
Tea’s Instagram page has been flooded with angry and disappointed comments — including complaints from users who remain stuck on the waitlist despite the company’s claims of “millions of new sign-ups.”
The controversy has also reignited debate over the app’s very concept.
While Tea was designed as a platform for women to protect themselves and share experiences, critics argue it may encourage baseless accusations and online harassment.
Some men have expressed concern that misunderstandings or false “red flag” labels could damage their reputations.
