On July 25, 2025, the women-only dating safety app Tea, which had recently skyrocketed to the top of the Apple App Store charts, suffered a massive data breach that exposed the personal information of thousands of its users.
According to reports from NBC News, hackers accessed a database containing approximately 72,000 images, including 13,000 selfies and government-issued IDs used for user verification, as well as 59,000 images shared within the app.
This incident, sparked by a “hack and leak” campaign initiated on the controversial message board 4chan, has raised serious concerns about online privacy, data security, and the risks associated with identity verification systems.
The Breach: How It Happened
The breach came to light following a 4chan thread on Thursday evening, July 24, 2025, where users, angered by the app’s premise, called for a coordinated “hack and leak” campaign.
@widabid CRITICAL SECURITY BREACH — TEA APP EXPOSES USER IDENTIFICATION DATA A severe privacy violation has occurred involving the Tea App, a social application that handled sensitive user identity verification. All user-submitted driver’s licenses and facial verification images were uploaded to an open, publicly accessible Firebase storage bucket, with no authentication or access controls in place. The exposed files include: • Government-issued IDs (driver’s licenses, passports, etc.) • Full-face photos submitted for identity verification • Timestamped uploads linked to user accounts This data was retrievable by anyone with the public URL prefix: https://firebasestorage.googleapis.com/v0/b/tea-the-app.appspot.com/o/attachments%2F ???????????? • • • • • • • • • #teaapp #databreach #doxxed #firebasefail #identitytheft #infosec #techfail #cybersecurity #leakedinfo #facepic #idleak #appsecurity #tiktokexposed #startuplife #developerfail #clowntech #gdprviolation #ccpaviolation #socialmediafail #anonymousapp #verificationfail #digitalprivacy #hackernews #infosecleak #publicdata #cyberleak #doxxing #privacybreach #devincompetence #exposedonline ? original sound – WiDaBid
By Friday morning, a 4chan user posted a link allegedly allowing others to download the stolen database, which included selfies, driver’s licenses, and other personal images.
These images were subsequently shared on 4chan and X, amplifying the exposure of users’ private data.
According to Tea’s spokesperson, the breach involved an unprotected database hosted on Google’s Firebase platform, which contained data stored to comply with law enforcement requirements related to cyberbullying prevention.
The company stated that no current user information was compromised, but posts on X and reports from 404 Media suggested that some of the leaked data included images from as recent as 2025, casting doubt on the claim that only older data was affected.
The lack of authentication for the database—described by a 4chan user as a “public bucket”—meant that the data was essentially accessible to anyone with the link, highlighting a critical failure in Tea’s security practices.
This vulnerability not only exposed users’ personal information but also fueled concerns about the app’s handling of sensitive data.
The Fallout: Privacy and Trust Betrayed
The breach has sparked widespread outrage and concern among Tea’s user base, many of whom trusted the app to safeguard their personal information.
Social media platforms, including X, buzzed with reactions, with users expressing shock and disappointment.
One X post ominously predicted the breach just days earlier, stating, “How long til there is a data leak? I’m giving it 1 month,” underscoring the skepticism some had about the app’s security.
The incident has also reignited debates about the risks of online identity verification.
Tea’s requirement for users to submit selfies and IDs was intended to ensure a women-only space, but the breach demonstrates how such measures can backfire when security is inadequate.
As one commenter on X noted, “This is one of the worst-case scenarios people talk about when discussing age and identity verification.”
Moreover, the breach has amplified criticism of the app’s concept.
While Tea aimed to empower women by providing a platform to share dating experiences, it drew ire from some men who felt it encouraged doxxing or misrepresentation.
The 4chan campaign was reportedly motivated by this backlash, raising questions about the intersection of online activism, misogyny, and cybersecurity.
A retaliatory men-only app, Teaborn, briefly emerged but was quickly removed after backlash over concerns about revenge p0rn.
What is the Tea App?
Tea, created by Sean Cook in 2022, was designed as a “virtual whisper network” for women to share information about men they encounter in the dating world.
The app allows users to anonymously assign “red flags” or “green flags” to men, post comments about their experiences, and conduct background checks or reverse-image searches to identify potential catfishing.
Inspired by Cook’s mother’s troubling experiences with online dating, Tea aimed to provide a safe space for women to protect one another by sharing insights about potential partners.
With 4 million users and nearly a million new signups in the days leading up to the breach, the app’s viral success highlighted its appeal but also made it a target.
To join Tea, users were required to submit selfies and photo IDs for verification, which the app claimed were securely processed and deleted after review.
However, the breach revealed that this was not entirely the case, as hackers accessed a “legacy data system” containing sensitive information from over two years ago.