The Tea, a dating safety app that surged to the #1 position on Apple’s App Store in July 2025, suffered a catastrophic data breach, exposing 72,000 user images, including government-issued IDs, selfies, and private messages. The breach was discovered and exploited by 4chan users on July 25, 2025, revealing that the app’s Firebase database was completely unsecured, lacking basic authentication protocols.
The Tea App: Background and Concept
App Overview
Tea Dating Advice is a women-only mobile application that allows users to share information about men they’ve dated or encountered anonymously. Founded in November 2022 by Sean Cook, a former Salesforce and Shutterfly executive, the app was created after Cook witnessed his mother’s traumatic online dating experiences, including being catfished and unknowingly interacting with men who had criminal records.
The app markets itself as “more than an app; it’s a sisterhood” and claims to provide women with tools to “date safely in a world that often overlooks their protection”. With over 4 million users, it has recently experienced explosive growth, gaining nearly 900,000 new signups in a single week.
Key Features
Tea operates as a “Yelp for men,” offering several core functionalities:
- Anonymous Reviews: Women can post photos and reviews of men, marking them as “red flags” or “green flags”
- Background Checks: Criminal record searches and sex offender registry lookups
- Reverse Image Search: AI-powered tools to detect catfishing attempts
- Phone Number Lookup: Checking for hidden marriages or relationships
- Verification System: Users must submit selfies and government IDs to verify they are women
The app requires a $14.99 monthly subscription for premium features and donates 10% of profits to the National Domestic Violence Hotline.
The 4chan Data Breach: Technical Details
Discovery and Exploitation
On July 25, 2025, users on the anonymous imageboard 4chan discovered that Tea’s backend database was completely unsecured. The vulnerability stemmed from a misconfigured Firebase database hosted on Google’s mobile app development platform.
The initial 4chan post that exposed the breach read: “Yes, if you sent Tea App your face and driver’s license, they doxxed you publicly! No authentication, no nothing. It’s a public bucket. DRIVERS’ LICENSES AND FACE PICS! GET THE FUCK IN HERE BEFORE THEY SHUT IT DOWN!“
Technical Vulnerability
The security flaw was fundamental and shocking in its simplicity. Tea’s Firebase database was configured with default public access settings, meaning anyone could access the data without authentication. As one Reddit user explained, “If you knew the database ID, you could just request the data and get the JSON directly containing the data”.
The exposed Firebase storage bucket URL matched one found in Tea’s Android app, confirming the authenticity of the breach. Multiple 4chan users created automated scripts to mass-download personal information from the exposed database.
Scale of the Breach
According to Tea’s official statement, the breach exposed approximately 72,000 images:
- 13,000 verification images: Selfies and government-issued IDs (including driver’s licenses) submitted during account verification
- 59,000 additional images: Photos from posts, comments, and direct messages that were publicly viewable within the app
The leaked data totaled 57+ gigabytes and included not only images but also GPS location data from where users created their accounts, effectively providing home addresses for many users.
The “Vibe Coding” Security Failure
AI-Generated Code Concerns
Security experts have attributed Tea’s vulnerability to “vibe coding” – a development practice where programmers rely heavily on AI tools like ChatGPT to generate code without rigorous security reviews. Research indicates that 48% of AI-generated code contains exploitable security flaws, yet 25% of Y Combinator startups use such code for core features.
Santiago Valdarrama and other cybersecurity experts have criticized this trend, emphasizing that AI-generated code often lacks the safeguards needed to prevent breaches. The Firebase misconfiguration that led to Tea’s breach exemplifies this risk – while Firebase provides robust security features, developers must actively configure them rather than relying on insecure defaults.
Firebase Security Best Practices
Firebase security rules determine who has read and write access to databases. By default, Firebase databases deny all access until developers customize their rules. However, Tea appears to have left its database with open access permissions, effectively making all data publicly available.
Previous research has shown this is a widespread problem. In 2021, Comparitech found that 4.8% of mobile apps using Firebase were improperly secured, affecting over 24,000 Android apps with 4.22 billion total downloads. A 2024 study by Website Planet discovered over 900 apps with misconfigured Firebase databases exposing 125 million user records.
Company Response and Timeline
Initial Response
Tea confirmed the breach in a statement to 404 Media on July 25, 2025, acknowledging “unauthorized access to one of our systems”. The company claimed the exposed data was from a “legacy data system” containing information from users who registered before February 2024.
Tea’s official statement emphasized: “This data was originally stored in compliance with law enforcement requirements related to cyber-bullying prevention. We have engaged third-party cybersecurity experts and are working around the clock to secure our systems”.
Contradictions in Company Claims
However, several aspects of Tea’s response have been contradicted by evidence:
- “Old Data” Claims: While Tea claimed the breach involved only data “over two years old,” leaked messages showed content from as recently as 2024 and 2025
- Privacy Policy Violations: Tea’s privacy policy states that verification selfies are “securely processed and stored only temporarily and will be deleted immediately following the completion of the verification process”. The breach revealed these images were stored for years
- Scope Minimization: Initial reports suggested the breach was limited, but the full 57GB database dump indicated comprehensive exposure of user data
Legal and Ethical Implications
Privacy Violations
The breach raises serious legal concerns under multiple frameworks:
California Privacy Laws:
- Invasion of Privacy (California Civil Code ยง1708.8): Unauthorized sharing of personal photos and information
- Cyber Harassment (California Penal Code ยง653.2): Disclosure of personally identifiable information with potential for harassment
Federal Implications:
- The breach could violate various federal privacy statutes, particularly given the sensitive nature of government ID documents exposed
App Store Policy Violations
Critics have identified multiple Apple App Store guideline violations:
- Objectionable Content (1.1.1): Apps cannot contain disturbing or offensive material
- Defamation and Harassment (1.1.2): Apps must not host defamatory content targeting individuals
- User-Generated Content (1.2): Apps must provide mechanisms to report and remove harmful content promptly
Defamation Concerns
Legal experts note that while Tea’s concept raises defamation concerns, proving cases would be challenging due to Section 230 protections for platforms and the difficulty of establishing malicious intent. However, the anonymous nature of the platform and lack of verification for claims create significant liability risks.
Industry Impact and Cultural Response
Men’s Rights Response
The breach and Tea’s concept have generated significant backlash from men’s rights communities. Reddit’s r/MensRights forum created megathreads discussing the app, with users sharing strategies for removing posts and expressing concerns about false accusations.
Some users have successfully removed their information by filing copyright complaints with Apple, arguing they own the rights to their selfies posted without consent. This approach leverages Apple’s dispute resolution process to force Tea to respond to takedown requests.
Broader Dating App Industry
Tea’s rise reflects broader frustrations with traditional dating platforms. A 2024 Forbes survey found that 75% of Gen Z participants were either taking breaks from dating apps or using them less frequently, citing issues like ghosting and lack of genuine connection.
The app’s popularity coincided with growing concerns about dating app safety, particularly for women. However, critics argue that Tea’s approach may exacerbate rather than solve underlying trust issues in digital dating.
Copycat Applications
Tea’s viral success spawned several imitators, including men-only applications designed to rate women. However, many of these were quickly removed from app stores due to inappropriate content, highlighting the double standards and potential for abuse in anonymous rating systems.
Security Implications for the Industry
Firebase Misconfiguration Epidemic
Tea’s breach highlights a broader pattern of Firebase security misconfigurations. The incident joins a growing list of similar breaches:
- 2024: Over 900 websites exposed 125 million records through misconfigured Firebase databases
- 2021: More than 24,000 Android apps leaked sensitive data through Firebase vulnerabilities
- 2020: Researchers found 4,000+ Android apps with improperly secured Firebase databases34
Identity Verification Risks
The breach underscores the inherent risks in mandating identity verification for online services. As the R Street Institute noted, “efforts to mandate age and identity verification online can pose significant risks to user privacy, regardless of the claims that providers make about how your data is handled”.
The exposure of government-issued IDs creates particular risks for identity theft, stalking, and targeted harassment. Cybersecurity expert Trey Ford warned that “connecting usernames to actual legal names and home addresses exposes these women to a variety of concerns. Identity theft is only the tip of this iceberg”.
Long-Term Consequences and Lessons
User Impact
The breach has severe implications for affected users
- Identity Theft Risk: Exposed driver’s licenses and government IDs enable sophisticated identity theft schemes
- Stalking and Harassment: GPS location data combined with photos and IDs creates significant personal safety risks
- Reputation Damage: The irony that an app designed to protect women’s safety instead exposed them to greater dangers
Industry Lessons
The Tea app breach offers several critical lessons:
- Security-First Development: The incident demonstrates why security cannot be an afterthought, particularly for apps handling sensitive personal data
- AI Code Review: The potential role of “vibe coding” in the breach highlights the need for rigorous security reviews of AI-generated code
- Default Security Settings: Cloud platforms should prioritize secure defaults over developer convenience
- Identity Verification Alternatives: The breach questions the safety of requiring government ID uploads for app verification
Regulatory Response
The incident comes as regulators are increasingly scrutinizing AI development practices. The EU AI Act has classified some “vibe coding” practices as “high-risk AI systems,” requiring additional compliance measures. This regulatory pressure may accelerate the adoption of more rigorous security practices in AI-assisted development.
Conclusion
The Tea app data breach represents a perfect storm of modern digital vulnerabilities: explosive viral growth, AI-assisted development shortcuts, misconfigured cloud infrastructure, and inadequate security practices. The incident exposed the personal information of hundreds of thousands of women who trusted the app to protect their safety, instead making them more vulnerable to the very threats they sought to avoid.
The breach serves as a cautionary tale for the broader tech industry, highlighting the critical importance of security-first development practices, proper cloud configuration, and the risks inherent in requiring users to submit sensitive identity documents. As dating apps and other platforms increasingly rely on identity verification systems, the Tea incident demonstrates that the cure can sometimes be worse than the disease.
For users, the breach underscores the importance of carefully evaluating any app that requests sensitive personal information, particularly newer platforms with limited security track records. The incident also highlights the ongoing tension between privacy, safety, and accountability in digital dating platforms – tensions that are unlikely to be resolved by technology alone.
The Tea app’s rise and fall within a matter of days illustrates both the potential and perils of viral social media success in an era where security practices have not kept pace with the speed of digital innovation.
