Tea App Data Breach Deepens as 1.1 Million Private Messages Are Exposed

Tea app’s data breach escalates as 1.1 million private messages and 72,000 sensitive images, including government IDs and selfies, are leaked on hacker forums.

    The privacy crisis surrounding the women-only Tea app has escalated, with a second major data leak exposing more sensitive user information. What began as a breach of user-verification images has now extended into the release of over 1.1 million private messages—many containing highly personal conversations—raising serious concerns around data security and user protection.

    On Friday, an anonymous post on 4chan revealed that Tea had used an unsecured Firebase storage bucket. This cloud storage reportedly held government-issued IDs, selfies used for verification, and other shared media. The individual shared a Python script that allowed unauthorized users to extract the files. The storage bucket has since been secured, but by then the damage had already been done.

    Tea, which describes itself as a platform for women to review men in the context of dating safety, confirmed that the breach involves legacy data from users who signed up before February 2024. In its public statement, the company said:

    “A legacy data storage system was compromised, resulting in unauthorized access to a dataset from prior to February 2024. This dataset includes approximately 72,000 images, including approximately 13,000 selfies and photo identification submitted by users during account verification and approximately 59,000 images publicly viewable in the app from posts, comments and direct messages.”

    Notably, the company explained that selfies and IDs were retained in compliance with law enforcement requests tied to cyberbullying investigations, rather than deleted as users may have expected.

    The situation worsened when torrents of the leaked images—totaling over 59 GB—began circulating on hacking forums. These included sensitive images such as driver’s licenses, account verification selfies, and attachments from user interactions.

    Soon after, 404 Media reported the discovery of a second unsecured database, far more invasive than the first. This new trove contains around 1.1 million private messages exchanged between users, dating from 2023 up to the previous week. These messages reportedly include intimate discussions about topics such as abortions, infidelity, and relationship abuse.

    Kasra Rahjerdi, the researcher who found the second breach, told 404 Media that any Tea user could access the stored message data using their own API key. This means the exposed information was not just leaked—it was vulnerable to in-app exploitation by ordinary users.

    According to the investigation, some messages contained identifiable personal information, such as phone numbers and social media links, making it possible to trace users directly. In another alarming development, someone reportedly created a website styled after the controversial “Facemash” concept, where leaked selfies are rated by site visitors.

    Tea has said it is working with third-party cybersecurity experts to mitigate the impact of both breaches. Law enforcement has also been notified and is involved in the investigation.

    With both data leaks now in the public domain—containing government IDs, facial images, and deeply personal conversations—the incident has turned what was intended to be a safe, female-focused platform into a significant cybersecurity liability.
