Tea Dating Advice, an app that allows women to perform background checks on men they are dating or interested in, faces a potential lawsuit after experiencing a data breach that leaked sensitive data, including private messages.
Launched in 2023, the application provides crowdsourced information about potential male dates, including reverse image search to prevent catfishing and ensure women’s safety when meeting new love interests. It also claims to donate 10% of its profits to the National Domestic Violence Hotline.
Since its launch, the app has attracted up to 4 million users. Women could post photos, names, and anonymous reviews, and mark men as “red flag” or “green flag” to inform others about their current or potential male suitors’ behavior. Besides comparing notes with other women, they could also search for criminal backgrounds and sex offender histories.
However, some men have allegedly been accused of predatory behavior, with many allegations remaining unproven and unchallenged. Some are even afraid of being doxxed, cyberbullied, or misrepresented without an opportunity to explain themselves, with potentially disastrous impacts, such as losing their jobs.
Following the Tea App breach, fears over digital privacy and the risks of online naming and shaming have resurfaced. Meanwhile, the company asserts that the information was stored in accordance with the law.
Tea App disables private messages after data breach
Upon learning of the data breach, San Francisco-based Tea Dating Advice Inc. took the affected systems offline, specifically private messages, and launched an investigation with external cybersecurity experts and the FBI to determine the scope of the incident.
“As part of our ongoing investigation, we have recently learned that some direct messages (DMs) were accessed as part of the initial incident. For this reason our DM functionality is down,” the company stated.
The probe determined that the data breach did not affect other parts of the company’s infrastructure. Nevertheless, the company has implemented additional security measures to bolster its cyber defenses, is working to identify the impacted individuals, and has offered free identity theft protection.
“We are working around the clock with internal security teams and third-party experts to secure our systems,” it said. “We are taking all necessary measures to strengthen our security posture and ensure that no further data is exposed.”
While Tea Dating Advice has not disclosed the total number of victims, 404 Media, which initially reported the data breach, assessed that over 1.1 million users’ private messages were leaked.
On July 25, the Tea App also determined that the data breach affected a legacy storage system with information collected before February 2024. The company explained that a legacy storage system used for early development was not migrated to its new secure system, allowing a threat actor to access the stored data.
“The breach highlights the importance of stress-testing and auditing security defences and teams,” said Kevin Marriott, Senior Manager of Cyber and Head of SecOps at Immersive. “Such exercises would have quickly identified weaknesses within legacy systems and shown that certain security assurances were not being upheld. Hands-on, measurable training programmes tailored to specific individuals, teams, and departments are essential in helping employees build the cyber skills required to prevent easily avoidable breaches.”
Meanwhile, the leaked data included 72,000 images, among them 13,000 selfies submitted for account verification and 59,000 pictures from public posts, comments, and private messages. Although the app promises to delete selfies after reviewing user accounts, the leak suggests otherwise.
However, the company explained that the selfies were not deleted to comply with the law on cyberbullying. The data breach also leaked government-issued identity documents, which were also used for account verification.
The private messages also contained additional information that could be used to identify users. Personal experiences disclosed in the private messages could also be damaging to the data breach victims.
“This information was stored in accordance with law enforcement requirements related to cyber-bullying investigations,” it said.
Nevertheless, the data breach did not leak phone numbers or email addresses, thus minimizing the risk of targeted phishing attacks, and only affected people who signed up before February 2024.
However, the stolen data was circulated on the X microblogging platform and uploaded to torrenting sites, potentially resulting in widespread access.
“It’s incredibly disheartening to see an app like Tea, originally built as a safe platform for women and non-binary individuals, is now at the center of such a serious breach,” stated Randolph Barr, CISO at Cequence. “The leaked images, government-issued IDs, and private messages completely undermine the trust its community placed in the platform.”
Tea App faces numerous lawsuits after data breach
Tea Dating Advice is facing nearly a dozen lawsuits stemming from the recent data breach that leaked its users’ photos and personal information.
One class member, Griselda Reyes, alleges that the app “failed to properly secure and safeguard” the personal information it stored within its information network.
Her legal team also claims that the data breach exposes the victims to “increased risk of fraud and identity theft,” and that the app promised to delete the selfies but failed to do so.
“Reverse” cyberbullying hits women’s platform Tea App
The breach surfaced after an aggressive “hack and leak” campaign by disgruntled people on 4chan, aiming to expose Tea Dating Advice users, shortly after it became the top free app on Apple’s App Store.
Subsequently, a 4chan user posted a link for others to download the leaked 59 GB of data for free. They explained that the data breach stemmed from an unsecured Firebase storage bucket, highlighting the risk of cloud misconfiguration.
Participants allegedly ranked female Tea App users based on their looks, used derogatory words such as “whale,” attached their social media handles, and mapped their purported geographic locations, although without names.
In a second data breach, they also leaked personal information about users’ cheating and abortion history, in a seemingly reverse-cyberbullying campaign intended to expose Tea App users.
Some have even floated the idea of creating a men-only dating advice app similar to Tea App, although the idea flopped after some men started posting revenge porn.
“What’s especially troubling is that Tea claimed some data retention was required to support law enforcement and prevent cyberbullying,” Barr added. “Ironically, this very data that is now publicly leaked and can be weaponized to cause cyberbullying, doxxing, and harassment.”

