A massive security breach at Tea, the women's dating safety app that recently topped Apple's App Store charts, has exposed approximately 72,000 user images—including selfies and driver's licenses—to malicious actors who subsequently shared the sensitive data on anonymous forums.
The breach, discovered this week, stemmed from an improperly secured Firebase database (Google's mobile app development platform) that required no authentication to access.
4chan users exploited this vulnerability, downloading thousands of personal photos and identification documents before sharing them online with posts reading "DRIVERS LICENSES AND FACE PICS! GET THE FUCK IN HERE BEFORE THEY SHUT IT DOWN!"
According to Tea's official statement, the compromised data included 13,000 verification images (selfies and ID photos) and 59,000 images from user posts and direct messages. The company emphasised that the exposed files were stored in a "legacy data system" containing information over two years old, claiming current user data remains unaffected.
404 Media noted that they have verified the breach by decompiling Tea's Android app code, confirming the exposed Firebase storage bucket URL matched the one circulating on 4chan. The database contained "raw and uncensored" images with consistent file naming patterns, and multiple users created automated scripts to mass-download personal information.
 |
| A post on a related thread from 4chan. |
This incident highlights critical risks in identity verification systems. Tea requires users to submit selfies and government-issued IDs to verify they're women—a process designed to maintain the app's safety-focused community of 1.6 million users.
The breach raises serious questions about online identity verification practices across the tech industry. While Tea's privacy policy acknowledges that "no security measures are impenetrable," the Firebase misconfiguration represents a fundamental security failure that left users' most sensitive data completely exposed.
What Users Should Do
Tea users should immediately check if their photos appear in leaked datasets and consider identity monitoring services. The incident underscores why users should carefully evaluate apps requesting sensitive verification documents, especially newer platforms with limited security track records.
Tea has launched a full investigation but has not yet responded to requests for additional comment about when the vulnerability will be fully addressed.