Women dating safety app Tea data leak exposes thousands of women's IDs and selfies

Tea, a women-only dating safety app has suffered a massive data leak that exposed 72,000 images belonging to its users, including sensitive verification selfies and government-issued identification documents. Users on the 4chan forum reported the improperly secured Firebase database that required no authentication to access and exposed the data.

Tea functions as a virtual whisper network for women, allowing them to anonymously upload photos of men they have dated and leave reviews describing them as "red flags" or "green flags." The platform claims to have over 4 million users and requires new users to submit verification selfies and government-issued IDs to prove they are women.

The leak was caused by an improperly secured Firebase database hosted on Google's mobile app development platform. The database was accessible from the internet and did not require authentication to access. Users on the 4chan forum reported the exposed database and shared links to access the data. The compromised information included:

• 13,000 verification images (selfies and government-issued ID photos)
• 59,000 images from user posts, comments, and direct messages
• Personal information visible on identification documents, including names, addresses, and driver's license numbers
• Images from within the app's messaging and posting features

The breach affects users who signed up before February 2024. The number of affected individuals has not been disclosed by the company. Tea claims the exposed data was stored in a "legacy data system" containing information over two years old. 

The exposed database was locked down within hours of the breach being reported, with the offending links now returning "Permission denied" errors. Unfortunately, the data is already exfiltrated and reportedly being shared on social media platforms including 4chan and Twitter.

Update - as of 28th of July 2025, a second data leak at Tea dating app apparently exposes more recent user data than initially reported, including direct messages containing sensitive personal information like phone numbers and private discussions, contradicting the company's claims that only legacy data over two years old was affected. 

404 Media reports that an additional database was found containing 1.1 million private messages sent between users on the Tea platform.

This appears to be a separate incident, which means there are more security vulnerabilities at the women's dating safety platform. A Tea spokesperson reported to Business Insider that "recently learned that some direct messages (DMs) were accessed as part of the initial incident. Out of an abundance of caution, we have taken the affected system offline,"