Tea App Spill: How a Women's Safety App Became a Privacy Nightmare

Tea app, a women-only platform for sharing dating safety tips, faced a massive data breach, exposing 72,000 images and 1.1 million private messages. Hackers mocked users by creating the "Teaspill" website, rating stolen selfies and mapping user locations.

Introduction

The Tea app, launched in 2023 by Sean Cook, is a women-only platform designed to enhance dating safety by allowing users to share and access information about men, labeling them as "red flags" or "green flags." Marketed as a "sisterhood" for women, the app surged to the top of the U.S. Apple App Store in July 2025, boasting over 1.6 million users. However, its rapid rise was overshadowed by a significant data breach that exposed sensitive user information, leading to widespread online harassment and a class action lawsuit. This report details the events of the breach, the hacker’s actions, the misuse of leaked data, and the broader implications.

Timeline of the Breach

The data breach was first reported on July 25, 2025, when users on 4chan, a notorious online platform, claimed to have accessed an unsecured database hosted on Google’s Firebase platform. The breach was confirmed by Tea’s spokesperson the following day, July 26, 2025. A second breach was discovered shortly after, exposing additional sensitive data. The timeline of key events is as follows:

Date | Event
July 25, 2025 | Hackers access Tea’s legacy data storage system, leaking 72,000 images.
July 26, 2025 | Tea confirms the breach, engages cybersecurity experts.
July 28, 2025 | Second breach reported, exposing 1.1 million private messages.
July 29, 2025 | Class action lawsuit filed by user Griselda Reyes in California.
July 30, 2025 | Tea takes direct messaging system offline indefinitely.

Details of the Data Breach

The Tea app required users to verify their identity with selfies and government-issued IDs, which were supposed to be deleted after review. However, the breach revealed significant security lapses:

  • First Breach: Hackers accessed an unsecured Firebase storage bucket containing 72,000 images, including 13,000 selfies and photo IDs used for verification, and 59,000 images from app posts, comments, and direct messages. The data was from users who signed up before February 2024 and was stored in a legacy system without password protection or encryption.
  • Second Breach: A separate vulnerability exposed over 1.1 million private messages sent between February 2023 and July 2025. These messages included sensitive discussions about adultery, infidelity, abortions, phone numbers, and meeting locations, significantly increasing the privacy risks for users.

The company stated that no email addresses or phone numbers were exposed in the first leak, but the second breach did include phone numbers, amplifying the potential for misuse.

Hacker Actions and Mockery

The hackers exploited the unsecured database and shared the stolen data on 4chan, a platform known for its lax moderation and history with hacker collectives like Anonymous. The following actions were taken to mock and exploit the breach:

  • Teaspill Website: 4chan users created a now-deleted website called "Teaspill," which allowed visitors to view and rate women based on their leaked selfies. This site turned the stolen data into a malicious game, further violating user privacy.
  • Location Mapping: Using metadata embedded in the leaked images, a user created an unverified map plotting the locations of Tea users, escalating the breach into a tool for potential real-world harassment.
  • Public Sharing: On 4chan, a user posted a Python script that enabled others to download the exposed data, with a provocative thread titled “DRIVERS LICENSES AND FACE PICS! GET THE FUCK IN HERE BEFORE THEY SHUT IT DOWN!” This encouraged widespread dissemination of the stolen information.

These actions not only mocked the app’s purpose but also turned a platform intended for women’s safety into a source of public humiliation and harassment.

Impact on Users and Data Abuse

The breach had severe consequences for Tea’s users, particularly given the app’s promise of anonymity and safety:

  • Exposed Data: The leaked data included 13,000 selfies and photo IDs, such as driver’s licenses, and 59,000 images from app interactions. The second breach exposed 1.1 million private messages, revealing sensitive personal details.
  • Online Harassment: The stolen data was weaponized for online harassment. The "Teaspill" website allowed users to rate women based on their appearance, while the location map raised concerns about physical safety. Social media posts on platforms like X highlighted the rapid spread of the data, with one user warning, “If any of you guys have this app installed, please delete, it had data breached today and a lot of people's personal information has been posted on by 4chan users.”
  • Potential Risks: Cybersecurity experts, such as Rachel Tobac of SocialProof Security, warned that the leaked selfies and IDs could be used for identity theft, fraud, facial recognition spoofing, or creating deepfakes. The inclusion of phone numbers in the second breach heightened these risks.
  • Affected Users: The breach impacted users who signed up before February 2024, affecting an estimated 1.6 million users. While Tea stated that users did not need to change passwords or delete accounts, the exposure of sensitive data led to significant distrust.

Response from Tea

Tea’s response to the breach included the following actions:

  • Confirmation and Investigation: On July 26, 2025, Tea confirmed the breach and launched a full investigation with third-party cybersecurity experts.
  • System Shutdown: The affected legacy data storage system was taken offline, and direct messaging was disabled indefinitely after the second breach was discovered.
  • Public Statement: Tea issued statements emphasizing that protecting user privacy was their “highest priority” and that no additional user data was believed to be affected beyond the reported leaks.
  • Legal Action: A class action lawsuit was filed on July 29, 2025, by user Griselda Reyes, representing affected users. The lawsuit alleges negligence in data security practices, with expectations of further legal action.

Broader Implications and Controversy

The Tea app’s premise—allowing women to anonymously review men—has been polarizing. Supporters view it as a vital tool for women’s safety, enabling them to share warnings about potentially dangerous individuals. Critics, however, argue it promotes defamation and violates men’s privacy, with some calling it a “gossip cesspool.” The breach intensified these debates, highlighting the risks of collecting sensitive personal data without robust security measures.

  • Cybersecurity Criticism: Experts like Ted Miracco, CEO of Approov, criticized Tea for lacking basic cybersecurity practices, such as encryption and secure storage. The unsecured Firebase database was described as a “major security failure” rather than a sophisticated hack.
  • Privacy Concerns: The breach raised questions about the safety of sharing selfies and IDs for identity verification. Rachel Tobac noted that such data, when combined, could be used to hack bank accounts or other systems, recommending that users freeze their credit and use data removal tools.
  • Social Media Reaction: Posts on X reflected public outrage and concern, with one user stating, “Insane how fast ‘safe spaces’ can flip,” highlighting the irony of a safety-focused app becoming a source of vulnerability.

Recommendations for Users

Cybersecurity experts have provided guidance for affected users:

Action | Purpose
Freeze Credit | Prevent identity theft or fraudulent account openings.
Use Data Removal Tools | Remove personal information from data brokerage sites.
Make Social Media Private | Reduce visibility of personal information online.
Use Password Manager | Secure accounts with strong, unique passwords.
Enable Multifactor Authentication | Add an extra layer of security to online accounts.

Conclusion

The Tea app data breach of July 2025 exposed critical vulnerabilities in a platform designed to protect women, instead leaving users vulnerable to harassment and potential identity theft. The incident underscores the importance of robust cybersecurity practices, especially for apps handling sensitive personal data. As the class action lawsuit progresses and Tea works to restore trust, the breach serves as a cautionary tale about the risks of online platforms promising safety without adequate protections.
