Major Security Breach at Tea App Exposes Sensitive User Data

An exposed storage system and a second leaked database have compromised the privacy of Tea app users, revealing sensitive messages, IDs and photos.

Safe space turned into security scandal

Once celebrated for its potential as a safe space where women could safely share dating experiences, the Tea app is now at the maelstrom of a massive data breach. Initially designed to allow verified users to review men and flag concerning behavior, the app’s promise of safety has been undermined by a ruthless leak that now includes personal conversations and identity documents.

It started with an unsecured storage bucket that exposed a plethora of sensitive data, including government-issued IDs, selfies, and user-uploaded images. These documents, critical to the app’s verification process, were left vulnerable until a user on 4chan discovered and shared a tool to download them.

Tea has since confirmed the exposure of over 59 GB of data, including 13,000 user-submitted selfies and almost 60,000 other files.

Sensitive data now circulating on hacking forums

Hackers have started sharing torrents comprising the leaked files across multiple forums. Consequently, the personal images and documents once shared for user verification and safety are now being exploited in ways that could lead to harassment or social engineering.

Researchers who examined the leaked data found driver’s licenses and private message attachments. To add insult to injury, a second database, previously undisclosed, was also leaked. In addition to the first leak, which was already serious, the second database adds 1.1 million private messages between users, some of which are highly sensitive. Topics range from intimate relationship struggles to deeply personal experiences like abortion, all now at risk of public exposure.

Public exposure and online harassment

The consequences extend beyond digital privacy, as some individuals have been spotted exploiting the breach by launching websites where users can rate stolen selfies, further violating the privacy of Tea members. This has changed the platform from a protective environment into a potential source of public shaming.

Cybersecurity researcher Kasra Rahjerdi revealed that any authenticated user could have accessed the messages using their API key. Personal identifiers, including phone numbers and social media handles, make it possible to trace individuals in the leaked conversations.

Ongoing investigation and platform response

Tea has taken affected systems offline and involved police in the investigation. In a recent update, the company acknowledged that some private messages were accessed and promised to provide identity protection services to impacted users.

While Tea says it’s reinforcing security measures, the damage to its community and its reputation may prove harder to heal.

Managing the fallout of data breaches

Although data leaks like this occur indiscriminately and outside the control of users, it doesn’t mean you shouldn’t be prepared. Dedicated services like Bitdefender Digital Identity Protection can help you monitor the extent of your online data, including traces from no-longer-used services.

It constantly scans both the public and Dark Web for your data, notifies you instantly if you have been compromised by a data breach, and lets you patch weak spots in your digital footprint with quick, one-click action items.