Security vulnerabilities in the Tea app, which promotes safer dating for women, have compromised the private chats and personal data of tens of thousands of users. Following its rise to the top of the App Store, the app claimed to have approximately four million active users. However, two significant breaches have raised serious concerns about user privacy.
The Tea app allows female users to flag men’s profiles with various “red flags,” including behaviors such as ghosting and being in existing relationships. It also provides a reverse image search feature to identify men behind those profiles. Despite its intention to create a safer dating experience, the app has faced criticism regarding privacy practices, particularly from male users who feel unfairly linked to their social media accounts.
The first breach was reported by 404 Media, which revealed that users on 4chan had discovered an exposed database containing personal data, including selfies and images of driver’s licenses used for identity verification. According to screenshots and posts reviewed by 404 Media, individuals were sharing this sensitive information online. In a statement, Tea acknowledged the breach affected some direct messages but claimed that the data was from two years ago. This assertion raised eyebrows since the developer previously stated that identity documents would be deleted after verification.
However, the situation escalated further. A follow-up report from 404 Media uncovered that hackers had accessed private messages discussing topics such as abortions and cheating partners, with data as recent as one week ago. An independent security researcher confirmed the existence of a second breach that impacted a different database. This breach allowed unauthorized access to user messages, contradicting Tea’s initial claims regarding the age of the compromised data.
The researcher also indicated that it was possible to send push notifications to all of Tea’s users, raising further concerns about security. While chats were associated with usernames rather than real names, the content often made it easy to identify account holders. Female users frequently shared social media links, which facilitated the identification of male users accused of misconduct.
Reports suggest that over 70,000 images have been exposed, but this number may only represent a fraction of the total, considering that the company had approximately 1.6 million users prior to the first breach being reported.
The implications of these security failures are troubling, particularly for an app that positions itself as a protector of women in the dating scene. Essential security measures, such as end-to-end encryption for private chats and the non-retention of identity verification documents, were evidently not implemented. This lapse in data protection is especially concerning given the app’s focus on sensitive personal information.
The timing of these breaches is notable, occurring during a week when UK law mandated that tech companies provide the government with backdoor access to private messages. Such legislation raises broader questions about user privacy and data security in the digital age.
In light of these events, users of the Tea app are left to reconsider the safety of sharing personal information on a platform designed to promote safer dating experiences. As the app navigates the fallout from these security breaches, the need for robust data protection practices has never been more urgent.
