
What we can learn about security from the Tea data breach

Last modified: 29 July, 2025


The Tea app data breach is one of the most significant privacy failures among fast-growing social platforms in 2025. It is also the most preventable data breach of 2025 (so far). Here's what happened:

What is Tea?

Tea is a women-only dating safety app that lets users anonymously share information about men they have dated. To use the app, women had to verify their identity by submitting selfies and, until 2023, a photo of a government-issued ID. These steps were meant to ensure the platform remained secure and exclusive to women.

What happened

Approximately 72,000 images were exposed, including 13,000 selfies and photo identification images submitted for account verification, and about 59,000 images from posts, comments, and direct messages.

Only users who registered before February 2024 were impacted.

No phone numbers, email addresses, or recent registration data was accessed, according to Tea.

Cause

Hackers accessed a “legacy” data storage system (an old, unprotected Firebase or similar cloud storage bucket) that contained images and data from before February 2024.

This was not a sophisticated cyberattack. Instead, reports suggest users from sites like 4chan discovered a publicly accessible URL leading to the old image storage system. No advanced hacking techniques were required—the files and URLs simply hadn’t been adequately secured or decommissioned as the app grew and migrated to more secure systems.

Tea claims it moved all newer user data to a more secure system in February 2024 and that only this old database remained improperly protected. After the breach, the company took the old storage system offline and began cooperating with cybersecurity professionals.

Aftermath

Some of the leaked images and verification IDs include embedded location data, raising additional safety and privacy concerns. The breach has resulted in online harassment, with some of the leaked photos used in harmful rating sites and maps.

What we can learn

Modern tech startups often adopt the principle of "build fast and break things." While this may work on the surface, you should not forget that it may cost you a lot in the long run.

With the rise of AI and vibe-coded software, it is more important than ever to secure your apps.

That said, it is not that hard. Setting up a network firewall, limiting access to your storage, and setting proper row-level security (RLS) in your database is a good start. Then, conduct bi-weekly security audits (hire professionals to help you out if you can). Keep your software updated, especially if you see a security patch. While this won't protect you from sophisticated attacks, it will protect you from these petty breaches and save you from embarrassment.
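One check worth including in such an audit, shown as an added example (not code from Tea or from Aloft Studio): a small linter that scans Firebase Storage security rules for `allow` statements with no authentication check, the kind of setting that leaves a bucket readable by anyone who has the URL. It assumes Firebase Storage rules syntax; the function names, the sample rules and their paths are constructed for illustration.

```python
import re

# One pass over the rules text: match blocks, bare braces, and allow statements.
TOKEN = re.compile(
    r"\bmatch\s+(?P<path>\S+)\s*\{|(?P<open>\{)|(?P<close>\})"
    r"|\ballow\s+(?P<methods>[a-z,\s]+?)\s*(?::\s*if\s+(?P<cond>[^;]*))?;"
)

def _blank_comments(text):
    """Replace comments with spaces so reported line numbers stay correct."""
    blank = lambda m: re.sub(r"[^\n]", " ", m.group())
    return re.sub(r"/\*.*?\*/|//[^\n]*", blank, text, flags=re.S)

def audit_rules(text):
    """Return (line, path, methods, verdict) for each allow lacking an auth check."""
    text, stack, findings = _blank_comments(text), [], []
    for m in TOKEN.finditer(text):
        if m.group("path"):
            stack.append(m.group("path"))
        elif m.group("open"):
            stack.append("")        # service/function block, not a path segment
        elif m.group("close"):
            stack = stack[:-1]
        else:
            cond = (m.group("cond") or "true").strip()
            if "request.auth" in cond:
                continue            # heuristic: the condition looks at the caller
            # PUBLIC: no condition at all. REVIEW: a condition that never checks
            # who is asking (time-limited test rule, helper function, ...).
            verdict = "PUBLIC" if cond == "true" else "REVIEW"
            methods = ",".join(x.strip() for x in m.group("methods").split(","))
            line = text.count("\n", 0, m.start()) + 1
            findings.append((line, "".join(stack), methods, verdict))
    return findings

# Constructed sample rules (hypothetical paths, not Tea's real configuration).
SAMPLE_RULES = """\
service firebase.storage {
  match /b/{bucket}/o {
    match /legacy_ids/{file} { allow read; }
    match /tmp/{file} {
      allow read, write: if request.time < timestamp.date(2025, 1, 1);
    }
    match /users/{uid}/{allPaths=**} {
      allow read, write: if request.auth != null && request.auth.uid == uid;
    }
  }
}
"""
for finding in audit_rules(SAMPLE_RULES):
    print(finding)
```

A `REVIEW` verdict is a prompt to read the rule by hand, since a helper function may still enforce sign-in; a `PUBLIC` verdict on a path holding user uploads should block a release.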

Thank you for reading this far. We, at Aloft Studio, take security very seriously. Every app and website we build for our clients is meticulously tested for security issues. We do regular security audits as well. We encourage you to do the same.
