Published September 29, 2025

Tea app data breach: what happened and how to safeguard yourself after a dating advice platform data leak


Launched in 2023, the Tea app promised to be a dating safety net for women—a place to do background checks on men, “spill tea” and flag suspicious dates anonymously. Yet, in July 2025, this safety net tore apart when Tea suffered a few major data breaches. 

As a result, more than 72,000 images, including government IDs and selfies, along with a million private messages from the app were leaked online, starting a massive backlash and posing privacy risks to women who trusted the platform.

The Tea app data breach proved to be more than embarrassing. It has exposed users and the people mentioned in the messages, opening them to real-world risks of harassment, stalking, fraud, and retraumatization. It also sparked raging reactions from misogynist groups and led to several class-action lawsuits brought against the Tea app owner company. Yet, despite the app’s efforts to contain the crisis, the victims were left to grapple with the fallout.

Here’s how the Tea data breach unfolded, why it matters, and what you can do to protect your personal information online.


What is the Tea app?

Tea, or officially Tea Dating Advice, is a women-only dating safety platform that provides a range of tools for identifying and flagging potential dating partners, such as:

  • Finding and verifying “green-flag” or “red-flag” men
  • Doing background checks and criminal record checks
  • Identifying potential catfish scammers and sex offenders
  • Looking up if the man is married or in another relationship
  • Sharing personal dating experiences and warnings in the women’s group chat 

The app was solo-founded in 2023 by Sean Cook, a Bay Area product developer who was appalled by his mother’s online dating experience with catfishers and men with a criminal background and decided to create a platform to make online dating safer for women. Since its launch, it has topped Apple’s App Store and enjoyed explosive growth, up to 6 million users and hundreds of thousands of followers on social media.

The app has its predecessors, like Facebook’s Are We Dating The Same Guy? group or earlier platforms like Lulu and DontDateHimGirl, but it was the first one to reach such a scale and, also, such controversy. Positioned as an online “whisper network,” it was criticised for being a gossip engine generating unverified accusations and misrepresenting men, as well as for its exclusionary gender checks. The data breach that followed only fueled this backlash.

What we know about the Tea app data breach

Here’s how the Tea app data breach unfolded. 

The first breach: images and IDs exposed

On July 25, 2025, Tea confirmed its first security incident in a statement to 404 Media. Around 72,000 user-submitted images, including 13,000 selfies and government IDs used for user verification, in addition to 59,000 images uploaded in posts, comments, and direct messages, were leaked in what was called “a revenge attack” by the 4chan group. The breach was made possible by a misconfigured Firebase storage bucket that was left unprotected and open to public access on the app’s side.

Within hours, this access was exploited, and the data was bundled into torrents and circulating on 4chan, a platform popular with misogynist groups.

Second breach: private messages leaked

Days later, Tea suffered another data breach in which over 1.1 million private messages were accessed and leaked online through weakly protected application programming interfaces (APIs). The poor security controls meant that any authenticated user could retrieve DMs using an API key.

Given the app’s nature, these messages included deeply personal conversations about adultery, abuse, abortions, and other sensitive topics. The leak also exposed people mentioned in these conversations who were not even Tea users. This amplified the harm and made hundreds, if not thousands, more people vulnerable to defamation, ungrounded accusations, online harassment, and fraud.
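
The flaw described above, as an added example that is not Tea’s code or part of the original article: a Python sketch of a message endpoint that only authenticates the caller, next to one that also checks the caller is a participant in the conversation. All API keys, users and conversations are hypothetical and constructed for illustration.

```python
from collections import Counter

class Forbidden(Exception):
    """Caller is unknown or not allowed to read the requested conversation."""

# Constructed sample data: API keys, users and conversations are hypothetical.
API_KEYS = {"key-alice": "alice", "key-cara": "cara"}
CONVERSATIONS = {
    "c1": {"participants": {"alice", "bea"}, "messages": ["hi", "is he safe?"]},
    "c2": {"participants": {"cara", "dee"}, "messages": ["private note"]},
}
DENIED = Counter()  # per-user count of refused reads, a signal for id probing

def authenticate(api_key):
    """Authentication answers only 'who is calling?'."""
    user = API_KEYS.get(api_key)
    if user is None:
        raise Forbidden("unknown API key")
    return user

def get_messages_weak(api_key, conversation_id):
    """Weak form: any valid key can read any conversation id."""
    authenticate(api_key)
    return list(CONVERSATIONS[conversation_id]["messages"])

def get_messages(api_key, conversation_id):
    """Hardened form: the caller must be a participant of this conversation."""
    user = authenticate(api_key)
    convo = CONVERSATIONS.get(conversation_id)
    # Same error for 'does not exist' and 'not yours', so ids cannot be probed.
    if convo is None or user not in convo["participants"]:
        DENIED[user] += 1
        raise Forbidden("not a participant")
    return list(convo["messages"])
```

A rising `DENIED` count for one user is worth alerting on, since legitimate clients rarely request conversations they do not belong to.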

How the Tea app leaks spread online

The spread of the data leak was viral and relentless. Images first surfaced on 4chan, then quickly spread across X, TikTok, Telegram groups, and even clone apps.

Once in circulation, the stolen photos and private messages were weaponized against the very women Tea was meant to protect. Trolls created “games” and websites where men could rate leaked selfies, while metadata from photos was used to generate maps displaying more than 33,000 approximate user locations. Even without direct name attribution, these maps posed significant risks of stalking and harassment.
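
One server-side mitigation for the location risk above, as an added example that is not from the original article or from Tea: strip the Exif segment, where GPS coordinates are stored, from JPEG uploads before saving them. It assumes the location metadata was Exif data in JPEG files, which the article does not specify; the sample bytes are a constructed segment skeleton, not a viewable image.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"

def strip_exif(jpeg: bytes) -> bytes:
    """Return the JPEG with every APP1/Exif segment removed; reject bad input."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    out = bytearray(b"\xff\xd8")
    pos = 2
    while pos < len(jpeg):
        if pos + 4 > len(jpeg) or jpeg[pos] != 0xFF:
            raise ValueError("malformed segment header at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # start of scan: image data follows, copy the rest
            out += jpeg[pos:]
            return bytes(out)
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length  # length field counts itself but not the marker
        if length < 2 or end > len(jpeg):
            raise ValueError("segment length out of bounds")
        payload = jpeg[pos + 4:end]
        if not (marker == 0xE1 and payload.startswith(EXIF_HEADER)):
            out += jpeg[pos:end]  # keep every segment that is not Exif
        pos = end
    raise ValueError("no start-of-scan marker found")

def has_exif(jpeg: bytes) -> bool:
    """True if stripping would change the file, i.e. an Exif segment exists."""
    return strip_exif(jpeg) != jpeg

def segment(marker: int, payload: bytes) -> bytes:
    """Build one JPEG segment: 0xFF, marker, big-endian length, payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: JFIF header, Exif block, one table, then scan data.
EXIF_SEGMENT = segment(0xE1, EXIF_HEADER + b"II*\x00" + b"<constructed GPS IFD bytes>")
SAMPLE = (b"\xff\xd8"
          + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + EXIF_SEGMENT
          + segment(0xDB, bytes(65))
          + b"\xff\xda\x00\x02\x12\x34\xff\xd9")
```

Files that fail to parse raise `ValueError`, so an upload handler built on this should refuse them instead of storing them unmodified.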

A couple of weeks after the Tea breach, another app surfaced, gender-flipping the idea and letting men post their reviews and images of women anonymously. Called TeaOnHer, the app was almost an identical copy of the original app and flourished for some time, capitalizing on the Tea breach backlash. But like Tea, it was riddled with security flaws. According to TechCrunch, TeaOnHer leaked usernames, messages, email addresses, selfies, and even government IDs of its roughly 53,000 users. Some of these files were accessible at public web addresses without authentication. Investigators also found admin credentials exposed on the server, further highlighting the developer’s negligence.

What data was exposed in the Tea app breach?

According to Tea’s official statement, only data belonging to users who registered with the platform before February 24, 2024 was exposed.

The data leaked in the breach was related to Tea’s user verification process that required government IDs, as well as to the private communication exchanged by users. Tea has since dropped their requirement to upload a national ID along with the verification selfie, but thousands of users were still affected. 

Collectively, the data exposed in the breach included:  

  • Government IDs (driver’s licenses, passports).
  • Verification selfies and profile photos.
  • Uploaded images from posts and private chats.
  • Over 1.1M direct messages.
  • Photo metadata tied to approximate physical locations.
  • Social media handles and phone numbers of people mentioned in the leaked DMs.

How Tea responded

Your data privacy is of the utmost importance to us. We are taking all necessary measures to strengthen our security posture and ensure that no further data is exposed.

Tea’s official statement

In the wake of the breach, Tea promptly took down affected systems and disabled direct messaging within the platform. According to their investigation into the technical reasons behind the breach, only pre-February 2024 signups were affected, as the platform has since migrated to a “new fortified system”.

Tea has also released an official statement detailing their response to the breach and what they’re doing now to protect their users. As the breach investigation is still active and involves external cybersecurity experts and the FBI, Tea has limited their comments but reassured users that they’re working to identify all affected users and offer free identity protection services to them.

According to Tea, they’re “working to identify any users whose personal information was involved and will be offering free identity protection services to those individuals.”

User reactions and legal consequences 

Since the breach, users and commenters have taken to social media, expressing their anger, resentment, and frustration in thousands of posts. The Tea data breach exposed not only sensitive data but also a broader disappointment with modern online dating practices and the lack of trust and safety that permeates the dating scene.

Public backlash

Dating should feel safe, informed, and empowering—and Tea is here to make that a reality.

Tea Dating Advice

The public fury was caused largely by the fact that Tea users were tricked into believing they were in a safe space to share their most vulnerable experiences and then had this trust abused when the app handled their information so carelessly.

Jemma Davis, founder of security awareness firm Culture Gem, says that while these whisper network apps were created to address dating safety concerns, they “are not a solution. They create a new risk without fixing the original one.”

People also criticised the technical negligence of the Tea app creators. As one commenter put it, “unrelated to the societal effects of this app, keeping user’s IDs and geolocation data in a publicly accessible GCS bucket is absurdly bad security.”

Source: Reddit

Multiple class-action lawsuits in California

Public anger spilled into multiple class-action lawsuits brought against the Tea app owner company in California. At the moment, at least 10 women are known to have filed them.

Plaintiffs argue that Tea failed to protect sensitive data and misled users by claiming verification photos would be deleted after the user identity check. Legal experts also suggest that lawsuits may focus on negligence, privacy violations, and failure to safeguard consumer data.

If successful, the lawsuits may set precedents for how “safety” apps are regulated and how they can be held accountable in case of data mishandling.

Why the Tea app breach matters: risks for users

While the Tea app may prove effective in helping women avoid Tinder scammers or military romance scams, its data breach may have far-reaching consequences for both its affected users and the men exposed in anonymous conversations on the platform:

  • Stalking and harassment: stalkers and ex-partners can exploit location metadata to locate victims.
  • Doxxing and reputational harm: personal details are already reposted and ridiculed across the internet.
  • Identity theft and fraud: government IDs and selfies can be exploited to create fake accounts or open loans.
  • Psychological harm: survivors of abuse may face retraumatization and the collapse of trust, while affected users in general are going through emotional distress.
  • Broader implications for whisper networks: what began as a platform for empowering women can turn into a public archive of unverified claims and misinformation as well as a tool for mob harassment and weaponization of survivor stories.

What to do if you use(d) the Tea app

If you registered with the Tea app after February 2024, your data should not be affected. However, if you believe your personal details have been leaked and the Tea representatives have not yet contacted you with any kind of remediation plan, take the following steps to protect your identity now: 

  • Contact Tea Dating Advice at [email protected] to let them know your profile has been affected.
  • Use free data leak exposure detection services such as Have I Been Pwned or dark web monitoring tools to check if your personal details are circulating online.
  • Stay on guard when it comes to phishing messages and impersonation attempts.
  • Watch your financial accounts and let your bank or credit institution know your national IDs might be exploited.
  • Consider joining a class-action lawsuit.
  • Seek emotional support through therapy, survivor groups, or domestic violence hotlines if you face harassment, bullying, or stalking.
  • Reevaluate your online sharing practices, and consider deleting your old accounts and limiting the personal information you share online and within apps.

Protecting your digital privacy beyond Tea: reduce your personal data exposure 

Tea’s scandal is just one reminder of vulnerable apps that are part of the global digital ecosystem. Even beyond Tea, risks always exist as data brokers and people-search websites are looking to collect as much of your information as possible, including your address, phone number, and family connections, and aggregate it for sale or just casual lookups by strangers. 

Onerep helps minimize your data exposure by detecting and removing it from 316 data broker and people-search sites, keeping your information away from the public eye and continuing to monitor the internet for your data reappearance. 


FAQs

Is the Tea app safe to use now?

Tea has suspended some of its services, and the investigation into the data breach is not yet over as of September 2025. While the app is operational, it’s advised to only use the app at your own discretion.

Was user data stolen in the Tea app data breach?

Yes, national IDs, selfies, private messages, and location metadata were accessed and leaked publicly online.

What kind of Tea users’ data was leaked?

Tea users’ government IDs such as driver’s licenses and passports, selfies, images uploaded in conversations, as well as private messages featuring occasional phone numbers and social media handles were exposed in the breach.

How can I check if my data was affected?

If you registered with the Tea app after February 2024, your data should be intact. You can also use breach-checking services like Have I Been Pwned for traces of your leaked data and contact Tea Dating Advice directly to check if you’ve been affected.

Mikalai Shershan Chief Technical Officer at Onerep

Mikalai is a Chief Technical Officer at Onerep. With a degree in Computer Science, he headed the developer team that automated the previously manual process of removing personal information from data brokers, making Onerep the industry’s first fully automated tool to bulk-remove unauthorized profiles from the internet.
