Tea App photo leak now includes over 1.1 million private messages

An initial misconfigured storage system exposed sensitive verification photos; now, a second leak has revealed deeply personal user conversations.

What happened

The breach involving the Tea app, a women-only platform focused on dating safety, first surfaced when an unsecured Firebase storage bucket exposed 59 GB of user data. This initial leak included selfies, driver’s licenses, and in-app images collected during user verification. Now, a second, separate database has been found, containing over 1.1 million private messages exchanged by users between 2023 and July 2025.

Tea requires users to verify their identity with a government-issued ID and a selfie. Its goal is to create a safer space for women to discuss men they’ve dated or interacted with. However, both the app’s core privacy features and its community promise have now been seriously undermined.

Going deeper

The first leak came to light when an anonymous 4chan user posted about Tea’s publicly accessible Firebase bucket and shared a script to download the data. Tea later confirmed that the exposed information affected users who registered before February 2024 and that the verification photos were retained to assist law enforcement in potential cyberbullying cases.

The second breach was uncovered by security researcher Kasra Rahjerdi and reported by 404 Media. It involves a separate dataset of direct messages discussing intimate subjects such as abuse, abortion, infidelity, and mental health. According to the researcher, the flaw was a missing authorization check on the messages API: the service verified that a caller was logged in, but not that the caller was a party to the conversation being requested, so any logged-in user could allegedly read another user's messages using their own API key.

In addition to the exposure of sensitive conversations, some messages reportedly contain phone numbers and links to social media profiles. The leaked content is now being shared via torrents and has been repurposed on at least one site allowing public ratings of user selfies, deepening the privacy violation.

What was said

Tea issued a statement confirming that direct messages were part of the breach and that the affected systems have been taken offline. The company said it is working with cybersecurity experts and law enforcement, and it will offer free identity protection to impacted users.

“Out of an abundance of caution, we have taken the affected system offline... We are working to identify any users whose personal information was involved and will be offering free identity protection services to those individuals.”

The big picture

According to IBM’s 2024 Cost of a Data Breach Report, breaches involving personal and sensitive data from social platforms averaged $164 per record in exposure costs. With over 1.1 million leaked direct messages and thousands of ID-linked selfies, the Tea incident could represent one of the most personally invasive breaches of the year. 

FAQs

Could the API vulnerability have been prevented with standard authorization checks?

Yes. The callers were already authenticated; what was missing was authorization. On every request the server must confirm that the authenticated user is a participant in the conversation being requested, rather than trusting a conversation or user ID supplied by the client, and any listing endpoint must derive its scope from the session rather than from request parameters. This object-level authorization check is a standard safeguard in API design (OWASP lists its absence as API1, Broken Object Level Authorization, in the API Security Top 10).
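The following is an added example, not Tea's code (the app's actual API is not public). It models the failure described in the "Going deeper" section and in the answer above, an endpoint that authenticates the caller and then trusts a client-supplied conversation ID, beside the fixed version that checks participation on every request. The conversations, users, session tokens and function names are all constructed for the demonstration.

```python
"""Object-level authorization for a direct-message API.

Added example, not Tea's code. Models the reported flaw (any logged-in
user can read any conversation) next to the fix. All data is constructed.
"""
from dataclasses import dataclass, field


class NotFound(Exception):
    """Raised for both missing and unauthorized conversations (see get_messages)."""


@dataclass
class Conversation:
    id: int
    participants: frozenset          # user ids allowed to read this thread
    messages: list = field(default_factory=list)


# Constructed sample data: two conversations, four participants.
CONVERSATIONS = {
    101: Conversation(101, frozenset({"alice", "bob"}), ["hi bob", "hi alice"]),
    202: Conversation(202, frozenset({"carol", "dave"}), ["call me 555-0100"]),
}

# Constructed session store: bearer token -> authenticated user id.
# "mallory" is logged in but is a participant in neither conversation.
SESSIONS = {"tok-alice": "alice", "tok-mallory": "mallory"}


def authenticate(token):
    """Authentication only: establishes WHO is calling. Raises on unknown tokens."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise PermissionError("invalid token") from None


def get_messages_vulnerable(token, conversation_id):
    """The flaw: the caller is authenticated, then the client-supplied id is trusted."""
    authenticate(token)                      # "is this a logged-in user?" ... and nothing else
    return list(CONVERSATIONS[conversation_id].messages)


def get_messages(token, conversation_id):
    """The fix: authorize the object. The caller must be a participant."""
    user = authenticate(token)
    conv = CONVERSATIONS.get(conversation_id)
    # One error for "does not exist" and "not yours": a client walking the id
    # space cannot tell which ids are real, which removes the enumeration oracle.
    if conv is None or user not in conv.participants:
        raise NotFound(conversation_id)
    return list(conv.messages)


def list_conversations(token):
    """Server-side scoping: the filter comes from the session, not from the client."""
    user = authenticate(token)
    return sorted(c.id for c in CONVERSATIONS.values() if user in c.participants)


def probe(get_fn, token, ids=range(100, 300)):
    """Simulate a scraper: walk the id space and keep whatever the API returns."""
    leaked = {}
    for cid in ids:
        try:
            leaked[cid] = get_fn(token, cid)
        except (KeyError, NotFound):
            continue
    return leaked


if __name__ == "__main__":
    print("vulnerable:", probe(get_messages_vulnerable, "tok-mallory"))  # both threads leak
    print("fixed:     ", probe(get_messages, "tok-mallory"))             # {}
    print("alice sees:", list_conversations("tok-alice"))                 # [101]
```

The `probe` function is the whole attack: with the vulnerable endpoint, one valid session and a loop over IDs is enough to pull every conversation, which is how a single dataset of over a million messages can be assembled from an ordinary account. Note that the fix also returns the same error for a nonexistent and a forbidden conversation, so the hardened API does not hand a scraper a list of valid IDs to try against some other endpoint.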

Are there regulations requiring platforms to delete ID photos after verification?

Data protection laws vary. The GDPR, for example, requires data minimization and storage limitation, meaning personal data may be kept only as long as there is a legal basis for doing so, and several U.S. state privacy laws contain similar provisions. Retaining verification photos indefinitely therefore needs a specific, documented justification rather than a general appeal to future usefulness.

Can leaked data on torrents or rating sites be taken down?

Takedown efforts are difficult once data is circulating on peer-to-peer networks or mirrored sites. Companies can send DMCA notices to hosting providers, ask search engines to de-index the material, and engage vendors that monitor for re-uploads, but complete removal is rarely achievable; for the affected users, the practical assumption is that the data stays public.