26.07.2025 00:22

A massive data breach has compromised the personal information of tens of thousands of users of the women-only dating app, Tea. This security failure exposed a staggering amount of sensitive data, highlighting significant vulnerabilities in the app's design and implementation.

Over 72,000 user records were leaked, including selfies, government-issued identification documents, and private direct messages. This breach resulted from a completely unsecured database, lacking any password protection or encryption, allowing unauthorized access to the app's backend. The sheer volume of data exposed – a massive 59.3 GB – underscores the severity of this incident. Among the leaked data were 13,000+ verification selfies and IDs, tens of thousands of images from messages and public posts, and identification details dating as recently as 2024 and 2025, directly contradicting Tea’s claims that only "old data" was compromised.

Initially shared on 4chan, the leaked data rapidly spread across decentralized platforms like BitTorrent, making its complete removal virtually impossible. Automated scraping scripts further exacerbated the issue, ensuring the widespread dissemination of the stolen information even after the original 4chan thread was deleted. This uncontrolled spread of the data has resulted in a searchable database of the compromised personal information, available online.

The incident marks a dramatic downfall for Tea, which had recently achieved top ranking on the App Store, boasting over 4 million users. Marketed as a safe space for women to discuss men, the app's rapid growth was followed by this devastating security lapse. Ironically, an app intended to protect women from online threats ended up exposing its entire user base to significant risk. The irony was not lost on many online commenters, who pointed to the app's controversial "man-shaming" aspects as contributing to the overall situation. The requirement for users to upload government IDs and selfies for verification, intended to prevent fake accounts, instead became a major point of vulnerability in this significant data breach. The company's response to this incident remains undisclosed in this account.