The security breach affecting Tea — a women-focused dating safety app — has taken a more alarming turn. New findings reveal a second data leak, this time involving a separate database reportedly holding 1.1 million private conversations between users.
Tea was designed to help women share reviews about men in a protected digital space, requiring users to verify their identity through a selfie and government-issued ID before gaining access. However, on Friday, a post surfaced on 4chan from an anonymous source who claimed the app was using an insecure Firebase storage bucket. This exposed sensitive uploads like ID cards, selfies, and images shared in comments.
The same user released a Python script capable of extracting the data — now totaling over 59GB — from the storage bucket, which has since been secured. Tea acknowledged the breach in a public statement, confirming it involved users who registered prior to February 2024. The compromised archive includes roughly 72,000 images — around 13,000 of them tied to account verification — and thousands more from public content such as comments and DMs.
The company explained that some verification selfies were retained due to requirements related to online abuse and cyberbullying investigations.
Following the initial leak, threat actors began distributing torrents of the data across hacking forums. BleepingComputer has verified that the compromised files include highly sensitive material like driver’s licenses, selfies, and media from direct messages.
To add to the growing concern, 404 Media has reported the discovery of another unsecured database containing over a million private user messages exchanged as recently as last week. These chats include deeply personal subjects such as discussions on relationships, infidelity, and abortions.
According to cybersecurity researcher Kasra Rahjerdi, who uncovered the second trove, the database was accessible to any user with their own Tea API key. This means sensitive details — including social handles, phone numbers, or other identifiable data — may now be traceable to individuals.
Making matters worse, someone reportedly built a platform similar to the controversial “FaceMash,” allowing visitors to rate exposed selfies from the breach — further violating users’ privacy.
In response, Tea says it has taken the compromised system offline and is working closely with cybersecurity experts and law enforcement. While the company believes other parts of the system remain untouched, the investigation is ongoing.
The company has pledged to notify affected users and offer free identity protection services to those impacted. It also promised future updates as more details emerge and said it is continuing efforts to enhance the platform’s security.