Tea app hack: user data stolen from women's dating safety app

A viral app marketed as a safe space for women to share information about men they date has been hit by a major data hack, with tens of thousands of women's photos and IDs leaked online.

The US-based app, which has 1.6 million users, confirmed "unauthorised access" to 72,000 images submitted by women, including 13,000 selfies and government-issued IDs uploaded as proof of identification.

The breach was first reported by 404 Media, which also reported a second security issue had enabled access to more than 1.1 million direct messages from users, spanning from early 2023 to last week. Some of the messages contained personal information that made some users' identities "easy to identify", said the news outlet.

Subscribe to The Week

Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.

SUBSCRIBE & SAVE

Sign up for The Week's Free Newsletters

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

Sign up

'Stoking gender divisions'

Tea was designed to allow women to discuss their dating experiences anonymously, run background checks, search for criminal records and reverse image search for photos in the hope of spotting "catfishers".

Before the data breach, Tea reported a "massive surge in growth" in recent weeks, as the app gained attention through videos and discussions on social media about dating and gender dynamics. The app was listed as the "top free app in Apple's download charts", said The New York Times, "and was also highly ranked in the Google Play store".

Its viral popularity "tapped into a larger face-off over the responsibility of platforms that women say can help protect them from dating untrustworthy or violent men". Informal whisper networks, such as "Are We Dating the Same Guy?" groups, have spread "widely" on platforms such as Facebook. "But such groups have increasingly drawn accusations of stoking gender divisions, as well as claims from men who say the groups have defamed them or invaded their privacy."

Critics of the app, "including some users on 4chan, an anonymous message board known for spreading hateful content, called for the site to be hacked", said the paper. On Friday, "4chan users claimed" to have found a "database related to the app that included photos of users' IDs and other information", said CNN. The data then appeared to begin circulating online.

Users 'at risk'

According to Tea's privacy policy, images uploaded as verification were to be deleted shortly after users are verified, but the hacked images had not been deleted. Tea said in a statement that the data had been stored "in compliance with law enforcement requirements related to cyberbullying prevention".

"It's hard to overstate how sensitive this data is and how it could put Tea's users at risk if it fell into the wrong hands," said 404Media, which said it was easy to find the real-world identities of some users, given the nature of the leaked data and messages. "Users could be easily found via their social media handles, phone numbers, and real names that they shared in these chats," said the site.

Messages often contained accusations against named individuals, further escalating the risk. In messages reviewed by 404 Media, some discuss discovering their husbands on the app, while others feature "women discussing their abortions".

Within hours of the breach, said The New York Times, a now-deleted 4chan thread shared a custom Google Map that "purported to use data from the leak to tie the images to locations" of women registered on the app.