Viral Tea App Breached, Exposing 13,000 Private User Images
Tea, the viral app that allows women to anonymously share photos of men they’re dating, has been … More
Tea, the viral app that allows women to anonymously share photos of men they’re dating, has been breached.
Over 72,000 images including 13,000 Tea user photos and government ID images — as well as 59,000 images from posts, comments and direct messages — have apparently been leaked online, according to a report in 404 Media.
The 4Chan users told 404 Media they had found the images via an exposed database hosted on Google’s mobile app development platform Firebase.
The data trove of Tea users was reportedly shared on controversial platform 4Chan in the early hours of July 25, with information also available on X, formally Twitter.
It came after the app was attacked by men as it went viral last week, seeing over a million downloads. Men are concerned about the way Tea — which allows women to “spill Tea” about their dates and expose things such as infidelity — could be open to misuse. A thread posted on the right wing troll message board of 4Chan on July 24 allegedly called for a “hack and leak” campaign, according to NBC News.
Tea allows women to “spill Tea” about their dates and expose things such as infidelity
“Yes, if you sent Tea App your face and drivers license, they doxxed you publicly! No authentication, no nothing. It’s a public bucket,” a post on 4chan providing details of the vulnerability reads, according to 404 Media. “DRIVERS LICENSES AND FACE PICS! GET THE F*** IN HERE BEFORE THEY SHUT IT DOWN!”
Meanwhile, a map on Google Maps had been created that claims to show Tea users’ locations — although it does not include names — according to NBC News.
The Tea user photos are a result of the sign up process, which requires people to take selfies to prove they are who they say. This allows them to post anonymously on the app and Tea says the images are deleted after review.
Data Accessed During The Tea Breach
The data accessed was from 2023, according to a Tea spokesperson who was talking to NBC News. “This data was originally stored in compliance with law enforcement requirements related to cyberbullying prevention,” they told NBC.
Tea “should be made accountable for this misinterpretation of how to record private information,” says Jake Moore, global cybersecurity advisor at ESET. “This data should never have been stored, let alone made accessible.”
He points out that the Tea breach took place “on the same weekend” the Online Safety Bill came into place in the UK. The Bill requires UK users to upload their IDs to view certain over-18s websites or content.
I have asked Tea for a comment and will update this article if the firm responds.
The Tea app is intended to create a safe space for women to share information about their dates online. The idea itself is noble, however, this data leak had shown the issues with the app itself — as well as the consequences when platforms don’t have enough guardrails in place to protect users.