More than a million private messages between users spanning from early 2023 to last week have been exposed.
The US-based mobile app called Tea has been flooding the headlines lately – and perhaps not for the best reasons. The app, designed to provide women with safety tools for dating, has suffered a second major data breach incident in just a matter of days.
Yesterday’s (28 July) cybersecurity incident exposed more than 1.1m private messages between users, and given the nature of the app, the messages are extremely sensitive, with users discussing abortions, cheating allegations and other personal issues. The incident, as well as the first data breach, was reported by 404 Media.
Tea is only available to women in the US. The app advertises finding “verified green flag men”, identifying potential catfish – people using fake identities online – and checking for any potential criminal history. The app also offers a phone number directory.
Users on Tea can upload pictures of men, ask questions and discuss them, their behaviour and even rate them.
Although founded in 2023, Tea blew up in popularity on social media just recently. According to its website, Tea now stands at more than 4.6m users and holds top spots on the App Store charts.
However, its popularity has brought it much negative attention, with questions being raised about users engaging in slander, doxxing and disclosing personal details about the men they discuss.
While such questions are valid, it is important to place them in the context of women’s safety in the dating sphere, as well as internet culture in general, where women are most often at the receiving end of abuse.
Last Friday (25 July), it was reported that users from the online forum 4chan discovered an exposed database and released 72,000 images, including 13,000 selfies and photo identifications submitted by users for registration, as well as 59,000 images viewable in the app from posts, comments and direct messages.
Users need to submit a selfie and personal information to verify their identity and gender to join the app. However, the company’s privacy page says the photos are stored temporarily and deleted following the completion of the process.
In its response to Friday’s cybersecurity incident, Tea said that only users who signed up before February 2024 were affected, and added that the information was stored in “accordance with law enforcement requirements related to cyberbullying investigations”. However, the latest breach stretches from early 2023 to just last week.
“We are continuing to work expeditiously to contain the incident and have launched a full investigation with assistance from external cybersecurity firms. We have also reached out to law enforcement and are assisting in their investigation,” a Tea spokesperson told 404 Media regarding the second breach.
The incidents expose Tea users and the people they were discussing to various levels of threat. Although users are anonymous, threat actors can use bits of the information they disclosed to target or locate women. Moreover, concerns around impersonations and cyberthreats through stolen IDs are also rife.
Reports also suggest that the leaked photo IDs are being used on other sites where users can rank Tea users by their attractiveness. These sites have garnered thousands of views. In addition, other male-only apps are also cropping up in response to the Tea app. Some of these apps have been taken down for sharing explicit images.