A second major security flaw in the women’s safety-focused dating app Tea has led to the exposure of highly sensitive user data. This includes private messages discussing abortions, infidelity, and identifying information such as phone numbers. The new breach, verified by 404 Media, reveals that a separate database remained accessible until last week. This finding contradicts earlier claims by the company that the incident involved only outdated data. The new vulnerability has significantly intensified privacy concerns for the app’s reported 1.6 million users.
Private Conversations and Personal Data Left Unprotected
Security researcher Kasra Rahjerdi discovered the breach and provided 404 Media with a dataset containing more than 1.1 million messages. These messages date from early 2023 through the previous week. The exposed content included intimate conversations between users. Many of these users shared real names, contact information, and social media handles. Some disclosed abortions, discovered cheating partners, or shared private details in efforts to confirm relationships with the same individual.
The breach undermines Tea’s core promise of anonymity and safety. While users are encouraged to adopt pseudonyms, 404 Media was able to link some usernames to real people using publicly available data. The nature of the messages, which often involve identifying others, adds to the risk posed to users’ privacy and personal safety. This incident illustrates how even platforms meant to protect vulnerable users can inflict harm when basic security measures fail.
Rahjerdi also discovered that anyone in possession of a user’s API key could access the newer message database. This method allowed the retrieval of active user data and remained possible until late last week. Among the vulnerabilities identified was the ability to send push notifications to all Tea users. This capability further raised the severity of the issue. Tea has since confirmed the breach and says it has contacted law enforcement and is now working with outside cybersecurity experts.
Previous Breach Involved Images and ID Documents
This recent exposure follows an earlier incident in which an unsecured Firebase instance revealed thousands of user selfies along with images of government-issued identification. The company originally claimed that this breach involved only legacy data and did not affect current user information. However, the second breach suggests that the scope of the exposure was broader and more recent, involving active user communications and personal activity.
To verify the leaked data, 404 Media attempted to register new accounts using usernames from the exposed dataset. These attempts failed. This indicates that the usernames were already in use and confirms that the messages came from real accounts. Conversations included detailed exchanges in which women tried to confirm suspicions of infidelity. Some messages mentioned car models, phone numbers, and other personally identifying information in the process.
The leaked material has since circulated online. Portions of it were previously posted on platforms such as 4chan, where users created downloadable files of Tea user images. Some even launched a website modeled after the controversial Facemash project. This website ranked users’ selfies, which had originally been submitted for gender verification, based on physical appearance. The site used images from the breached database and reportedly received tens of thousands of rankings.
Tea Faces Scrutiny Over Security and User Trust
Tea promotes itself as a platform for women to share information about men in the interest of safety and accountability in the dating world. It requires new users to upload a selfie for verification and has seen rapid growth, recently climbing to the top of the App Store charts. The two major breaches now cast serious doubt on the app’s ability to safeguard its users and deliver on its mission.
In a statement to 404 Media, Tea responded to the incident by saying it is working quickly to contain the situation. The company has launched a full investigation with the help of third-party cybersecurity firms. It has also contacted law enforcement and is cooperating with their inquiries. Tea stated that it is still in the early stages of understanding the full extent of the breach.
This situation highlights how apps that deal with deeply personal or vulnerable interactions can pose serious risks if data is not protected. In the case of Tea, the exposure of conversations involving abortion, infidelity, and real-world identities raises ethical and safety concerns that go far beyond ordinary privacy issues. As the investigation continues, this case stands as a stark reminder of what can happen when platforms collect highly sensitive data without putting strong safeguards in place.