30 July, 2025
Major Security Breaches Expose User Data in Tea Dating App

Significant security vulnerabilities in the Tea app have compromised the private chats and personal data of at least tens of thousands of users. The app, which aims to enhance dating safety for women by allowing them to share “red flags” about men they have encountered, recently boasted four million active users after reaching the top of the App Store.

The Tea app enables female users to label men’s dating profiles with various “red flags,” such as ghosting, infidelity, or instances of sexual assault. It also features reverse image searches to help identify the individuals behind these profiles. The app has faced criticism regarding its privacy policies, with some men arguing against being linked to their social media accounts. However, these controversies escalated following the discovery of the security breaches.

First Breach Exposes Sensitive Data

According to a report by 404 Media, the first major breach was discovered when users on the online forum 4chan found an exposed database containing sensitive personal information. This included selfies and images of driver’s licenses that users uploaded to verify their identities. Users reportedly sifted through this data, sharing it online, as evidenced by screenshots and posts reviewed by 404 Media.

In response to the breach, a representative for Tea confirmed that some direct messages were also affected but stated that the compromised data was from two years ago. This assertion raised concerns, particularly since the app’s developers had claimed that identity documents would be deleted post-verification.

Second Breach Reveals More Recent Data

However, the claim regarding the age of the data quickly came into question. A follow-up investigation by 404 Media revealed that hackers had accessed private messages exchanged between users, including discussions about abortions, cheating partners, and exchanged phone numbers. This data was as recent as one week prior to the discovery, contradicting Tea’s earlier statements.

An independent security researcher confirmed that the second breach involved a separate database, compromising user messages up until just days ago. The researcher also noted that it was possible for hackers to send push notifications to all of Tea’s users. Although the chats were associated with usernames instead of real names, the content often contained enough identifying information to make it easy to determine the account holders’ identities. Female users frequently shared links to their social media profiles, while the male users accused of misconduct could also be easily identified.

Reports indicate that over 70,000 images have been exposed, although the total number may be much larger, considering the app claimed to have had 1.6 million users before the initial breach was discovered.

The lack of basic security measures, such as end-to-end encryption for private chats, together with the retention of sensitive verification documents, raises serious concerns. For an app that positions itself as a protector of women’s safety, these failures are particularly troubling. The timing of these breaches is ironic, occurring during a week when UK legislation mandates that tech companies provide governmental access to private messages, further complicating the landscape of user privacy.

As this situation continues to unfold, the implications for user trust and the app’s future remain uncertain. The exposure of such sensitive personal data not only jeopardizes individual privacy but also puts the app’s credibility at risk in a highly competitive market.