10 women have sued Tea app after photos hacked, leaked online
The Tea app, made for women to anonymously share information about men in their areas with other women, has been hit with 10 potential class action lawsuits in federal and state courts after a data breach led to the leak of thousands of selfies, ID photos and private conversations online.
All of the lawsuits allege that Tea Dating Advice Inc., the company that created the Tea app, was negligent in its data practices and breached a contract with its users.
The suits could result in Tea having to pay tens of millions of dollars in damages to the plaintiffs, which could be catastrophic for the company, an expert told NBC News.
A Tea spokesperson declined to comment on the lawsuits.
The app gained popularity in late July and climbed to the top of the Apple App Store as many women sought to share information with other women about men they were dating or had dated. The app allows its users to upload photos of men, deem them “red flags” or “green flags” and share other information about them. As of Tuesday, the app was still ranked third on the Apple App Store’s top free apps list.
To join the app, users are required to take verification photos, which Tea has said are deleted after they are submitted. A Tea spokesperson previously told NBC News that “this data was originally stored in compliance with law enforcement requirements related to cyberbullying prevention.”
The first breach occurred July 25. A Tea spokesperson has told NBC News that it consisted of about 72,000 images, 59,000 of which were images in which posts, comments and direct messages were viewable.
404 Media reported two days later that Tea had experienced a second security issue, in which more than 1.1 million user direct messages, spanning from early 2023 to last month, were exposed. Tea had confirmed to NBC News that a breach occurred in which “some direct messages (DMs) were accessed as part of the initial incident.”
Scott Cole, a lawyer who is leading a lawsuit against the app, said his client, Griselda Reyes, signed up for the app only days before the breach happened. The suit says that Reyes had received a notice from Tea that her data was involved in the breach and that as a result, she has since taken action to explore “credit monitoring and identity theft insurance options.” A Tea spokesperson previously said the breach would have given access to a “dataset from prior to February 2024.”
On Tuesday, a judge granted a motion an anonymous plaintiff had filed for her case to be combined with Reyes’ and three others.
“Her particular concerns have more to do with information that she has shared with others on the site and how that might come back to haunt her in the future, and I think that’s probably the No. 1 concern that I’ve heard directly or indirectly from users,” Cole said.
One of the suits lists the right-wing online discussion board 4chan and the social platform X as defendants, alleging that they allowed bad actors to spread users’ personal information. The day before the breach, users on 4chan had called for a “hack and leak” campaign. On the day of the leak, a 4chan user had posted a link that the suit alleges allowed people to download the database of images, some of which appeared to later circulate on X.
On X, users began to circulate a link to a website called TeaSpill that allowed people to rank the photos of the women based on attractiveness. X and 4chan did not respond to requests for comment.
The plaintiff in the suit against Tea, X and 4chan, who is listed anonymously as Jane Doe, joined the app “to anonymously warn other women in her Northern California community about a man who sexually assaulted at least two other women.”
“The app promised her that anonymity. It promised her safety. It promised to delete her verification data. Tea broke every one of those promises,” the suit reads.
Five of the plaintiffs in the suits are named, while five are listed anonymously as Jane Doe.
John Yanchunis, an attorney for a user who filed another case anonymously as Jane Doe on Thursday, said his client has faced immense harassment online because of the breach.
“Because of the breach, some very sensitive information became publicly available, and that led certain individuals to engage in online harassment,” he said. “That’s been devastating to her, as it would be to any individual to be the subject of ridicule. She has suffered emotional distress and has had to take steps to ensure that she can defend as best she can against both the attacks as well as the ongoing threat to identity theft.”
Brian Fitzpatrick, a professor at Vanderbilt Law School who specializes in class action suits, said it can be easy to prove that defendants are liable for data breaches in similar class action lawsuits but harder to prove damages, such as that people’s data is being used maliciously.
But Fitzpatrick said the ways users have been circulating Tea users’ information online, including one who is alleged to have created a map with Tea users’ home addresses, Tea could have a harder time fighting damage claims.
At least four of the suits seek at least $5 million in damages, though the amounts awarded could climb much higher.
Fitzpatrick said that, as in many data breach suits against major companies like MGM Resorts and T-Mobile, settlements can reach hundreds of millions of dollars.
He said such cases typically involve millions of class members, who usually divide the settlement money. For a smaller company like Tea, which, according to its LinkedIn page, has only five employees, an adverse ruling could be extremely detrimental, meaning higher checks for the suit’s class members since its user base is still relatively small compared with those of larger companies.
“We may not know if it will become an actual as opposed to potential class action for months or even years,” Fitzpatrick said. “All the class members are automatically included. They will be given an opportunity to opt out, but if they do not, they are included.”
Many of the suits have classified their class members as those who are “similarly situated” as the plaintiffs. One of the suits reads that its class members “are so numerous that joinder of all members is impracticable,” but that it estimates that it is “composed of millions of individuals who have been damaged” by the Tea app.
The company’s founder, Sean Cook, said in a Medium interview in May that he started Tea after he saw his mom’s dating experiences, including “how easy it was for catfish, scammers and criminals to take advantage of women on dating apps and how little traditional dating apps do to protect users.”
According to his LinkedIn page, Cook created and “self-funded” Tea in November 2022. Before that,he worked in technology in San Francisco since 2019.
Yanchunis and Cole said it is difficult to estimate how much a suit against Tea could be settled for, as the numbers of class members for the suits are still developing. Tea’s website says the app has over 6 million users.
“It could be more of an existential threat to their existence,” Fitzpatrick said. “Not maybe so much because of the amount of money that they might have to pay, but just because, I think, this is awful for their reputation. I don’t know if people are going to trust them anymore, and so they might lose all their users.”
Yanchunis said these cases differ from many other data breach cases because of the sensitivity of the information.
“What’s unique here is the way this app promoted the safety and security of the platform, and so people in this type of app are going to reveal things that they might not otherwise reveal at large,” he said. “I might tell a girlfriend something that I wouldn’t tell anybody else, because we’re in a close relationship. So that kind of information through this app can be disclosed, and it could be very devastating when it’s revealed, as it was in this situation.”
A user of the app, who requested anonymity because of safety concerns, told NBC News that they had been on the app since late 2023 and had felt very anxious and paranoid since the breach.
“Originally, the app was started for women, and I don’t think they should have told the men about it,” the user said. “People should feel free to join the app and read the interesting comments, and if not, then you take that app down.”