Tea, which positioned itself as a safe, anonymous platform for women to share dating experiences and flag potential risks with men, saw a major leak of sensitive user content, including thousands of images and private messages.
Scope of the Breach
According to initial reports, hackers accessed a legacy database containing data uploaded before February 2024. The breach involved approximately 72,000 images, which included around 13,000 highly confidential verification selfies and photographs of government IDs—document uploads women provided to verify their identity upon joining the app. An additional 59,000 images, largely comprised of content from posts, comments, and direct messages, were also exposed. Many of these were initially viewable within the app, but their dissemination outside the protected environment now poses serious privacy concerns.
The compromised data began appearing on public forums such as 4chan, following the discovery that Tea’s old database had been left accessible online without proper authentication. While Tea has confirmed that no personal contact details such as email addresses or phone numbers were leaked, only users who joined the app prior to February 2024 are known to be affected.
Context and Concerns
Tea achieved rapid popularity, becoming one of the App Store’s most downloaded social platforms thanks to its promise of safety and community support for women. The app’s controversial requirement that users submit verification selfies or even government identification was designed to ensure an all-women environment—a policy praised for safety but criticized for carrying inherent privacy risks.
Some industry analysts and cybersecurity experts have pointed to lapses in Tea’s data protection policies, noting that many of the most sensitive files, including ID photos and private messages, were stored without sufficient encryption. These shortcomings ultimately undermined the app’s promise of confidentiality, particularly damaging as Tea’s core mission is to protect women from real-world threats and online harassment.
In response to the breach, Tea’s management has taken parts of the service offline, including its messaging system. Company leadership issued a formal apology, stating that the archived data was originally retained to meet legal obligations related to the prevention of cyberbullying—not for any commercial use. Tea developers are now working with cybersecurity professionals and law enforcement authorities to further contain the damage and prevent future incidents.