The Tea app is a platform known for letting women anonymously review men. It recently experienced a security failure that has affected tens of thousands of users. On Friday, Tea detected unauthorised access to its systems and started a full investigation with help from outside cybersecurity firms. The company traced the incident to a legacy storage system that contained old user data, including ID documents and profile images.
Tea confirmed that roughly 72,000 images were accessed without permission. This number included around 13,000 selfies and ID photos submitted during account verification, as well as 59,000 pictures already shared in posts, comments and messages. The content came from accounts created before February 2024.
Security researcher Kasra Rahjerdi said the issue was linked to a misconfigured Firebase storage bucket, which left Tea’s data exposed. Firebase is a Google cloud-based service used to store app information. Rahjerdi noted that while Tea’s custom-built API was well protected, the company failed to secure its Firebase data with the same care.
What Kind Of Information Was Exposed?
Besides the images, the breach affected over 1.1 million private direct messages. These chats, exchanged between February 2023 and July 2025, contained deeply personal information. Rahjerdi told Business Insider that the messages included conversations about divorce, cheating, abortion and rape. In some cases, users had shared phone numbers and location details.
Tea took its direct messaging system offline after confirming the breach. The company also posted an in-app notice to users, saying it had informed law enforcement and was working with the FBI and outside investigators. Tea said it is now contacting affected users and will offer them identity protection services.
Although Tea has not found signs that other parts of the app were accessed, the investigation is ongoing. The company has promised to update users as soon as it can confirm more details.
What Has The Company Done Since?
In response to the breach, Tea disabled the systems linked to the exposed data. The company said the content in question was archived to meet requirements from law enforcement around cyberbullying, and that newer users were not affected. Accounts created after February 2024 were verified through updated systems and stored differently.
Tea is working with cybersecurity specialists to prevent any more leaks. It has introduced new safety checks and says it is reviewing how user information is stored. The app’s developers said no email addresses or phone numbers were accessed directly. But given the nature of the exposed messages, some users may still be at risk of being identified.
Tea has confirmed that users who want to delete their accounts can still do so, and has shared contact details for anyone needing help. Meanwhile, its DM feature remains down as the company tests security fixes.
Where Else Has The Data Ended Up?
The leaked content has already been linked to posts on forums such as 4chan and X. One 4chan thread called for a “hack and leak” campaign, and some users shared what they claimed were links to stolen photos. Others said they had found images that appeared to be ID documents. The accuracy of these claims has not been confirmed.
Someone also created a Google Map showing alleged locations of affected users. While names were not listed, the exposure of coordinates has raised further concerns. There have also been reports of the data being linked to people stationed at US Army bases.
A cybercrime forum reportedly offered a 55GB file containing selfies and ID pictures. It is unclear how widely the file has spread, but Tea has said it is taking the matter seriously and will continue to work with law enforcement.
What Are The Risks Of ID Verification Technology?
Tea required early users to upload selfies and government-issued ID documents to confirm their identity as women. This step was presented as a way to keep the app safe and exclusive, especially since it deals with personal reviews and dating-related content. While ID verification may help prevent fake accounts, it comes with clear risks when systems are not secure.
The breach exposed over 13,000 selfies and photos of ID cards, despite Tea’s claim that such content would be deleted shortly after review. The fact that this data was archived and then leaked is making people skeptical about how companies store such verification files, and about whether the files are ever actually removed.
The risk becomes bigger when ID checks are used with features like location tagging or direct messaging. Although Tea said no names were attached to the leaked data, the mix of photos, private chats, and coordinates posted on public forums could still allow others to make connections. Cybersecurity experts often warn that once this type of information escapes, it’s hard to fully remove or contain.
Tea is not the only app using ID checks, but the breach feeds into the ongoing debate over how necessary these systems are and whether they protect users as claimed. In many cases, companies use third-party tools to verify identities but do not explain how long the data is kept or who has access to it. Without clear policies, users often have to trust that their information is safe, a promise that Tea now struggles to keep.