Viral iPhone Dating App Tea Breached





The Tea dating safety app (dubbed Tea Dating Advice in the App Store) has gone viral in recent months, stirring up some controversy in the process. Tea is an app available only to women, who have to verify their identity by uploading selfies and pictures of photo IDs. The purpose of Tea is to let women have anonymous conversations about the men they’re dating and prevent each other from interacting with potentially unsavory individuals.

Tea recently rose to the top of the App Store, becoming the top free Apple app with more than 2 million downloads. It also rose in the Play Store rankings, as the app is available on Android as well. But it wasn’t just women who took notice. Some men felt threatened by the app. The New York Times pointed out that some critics on the anonymous message board 4chan called for Tea to be hacked.

It turns out that a hack occurred on Friday, July 25, but neither the Tea app nor the website was breached. Instead, an unsecured database containing tens of thousands of records was discovered online. Anyone could access it with the correct link and see user data, including selfie images, photos of IDs, and screenshots from conversations. Even location data could be obtained from the images. Tea confirmed the data breach after it became widely reported online.

What personal data did the hackers steal?

Labeling the people who breached the unsecured database as hackers is an exaggeration. But those people who had access to the link could extract (and have stolen) thousands of data records. “A legacy data storage system was compromised, resulting in unauthorized access to a dataset from prior to February 2024. This dataset includes approximately 72,000 images, including approximately 13,000 selfies and photo identification submitted by users during account verification and approximately 59,000 images publicly viewable in the app from posts, comments, and direct messages,” Tea wrote on its website.

Tea also said that no email addresses or phone numbers were obtained, adding that the data was stored online “in accordance with law enforcement requirements related to cyber-bullying investigations.” The data should have been strongly protected, but Tea failed to move the database to a “new fortified system.”

Once obtained, the Tea photos were then shared online, including on 4chan. 404 Media first reported the hack on Friday. The New York Times notes that some people circulated a purported map that contained locations extracted from images Tea users submitted, but it couldn’t verify the map information.

Why does Tea collect sensitive information?

Tea’s motto is “women should never have to compromise their safety while dating,” per Reuters. But Tea has to verify each new user before allowing them to comment on the platform and post information about potentially dangerous men.

During that process, Tea will collect photos like the ones shared online. Tea details that practice in the privacy policy. “During the registration process, users are required to submit a selfie photo for verification purposes. This photo is securely processed and stored only temporarily and will be deleted immediately following the completion of the verification process,” the document reads.

However, the database exposed in the breach contains sensitive information that was not deleted. The company explained in the blog post announcing the data breach that the information in the hacked database had to be kept. “This data was originally archived in compliance with law enforcement requirements related to cyber-bullying prevention. At this time, we have no evidence to suggest that photos can be linked to specific users within the app,” the FAQ section reads.

What you can do to protect yourself

Only Tea users who signed up before February 2024 were affected by the breach. Given the figures above, only a few thousand out of the more than 4 million Tea users were affected. Still, these women are at risk now that their selfies and IDs were leaked. Other attackers might want to use that information to initiate identity theft campaigns. Certain individuals might resort to other types of attacks, like trying to identify Tea users, stalk them online and in real life, and even seek revenge via deepfake campaigns.

In other words, the security threat might be significant to potential victims, even if it seems small in scope. But it’s unclear whether Tea will specifically inform the users who were impacted by the breach. Instead, the company says that users who have questions and concerns can reach out to support@teaforwomen.com for information.

“We have engaged third-party cybersecurity experts and are working around the clock to secure our systems,” Tea explains in the FAQ section. “At this time, we have implemented additional security measures and have fixed the data issue. We are currently working to determine the full nature and scope of information involved in the incident. Protecting our users’ privacy and data is our highest priority. We are taking every necessary step to ensure the security of our platform and prevent further exposure.”

Anyone who suspects that they might have been impacted should reach out to Tea and find out whether their information was part of the data breach. Users should also consider replacing their IDs, freezing their credit, and researching identity theft protection. It’s unclear whether Tea will provide any assistance with potential ID theft in the future.


