The Tea app breach has escalated, with stolen data now circulating on hacking forums and a newly discovered database exposing more than 1.1 million private messages exchanged between users. Tea, positioned as a women-only safety-focused review platform, requires users to verify identity using biometric selfies and government-issued credentials.
Late last week, reports emerged of an unsecured Firebase storage bucket holding not just verification documents but other user-uploaded images as well. An anonymous tipster on 4chan posted both the bucket details and a script for bulk-downloading the files, which circulated before the bucket was secured.
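To make concrete what "unsecured" means for a Firebase Storage bucket, the following is an added illustration and not Tea's actual configuration, which has not been published. The first rule set is the classic open-bucket mistake; the second restricts each verification image to the signed-in user whose uid appears in the object path. The path layout `verification/{uid}/{fileName}` is assumed for the example.

```text
// Added example; Tea's real rules are not public.
// Weak: a wildcard match with "if true" makes every object world-readable.
// No sign-in and no API key are needed; the REST listing endpoint is enough.
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if true;   // weak: public read and write
    }
  }
}

// Corrected (paths assumed for illustration). A verification image may be
// read or written only by the authenticated user whose uid is in its path.
// Any path not matched by a rule is denied by default, so there is no
// catch-all public clause.
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /verification/{uid}/{fileName} {
      allow read, write: if request.auth != null
                         && request.auth.uid == uid;
    }
  }
}
```

Two caveats worth keeping in mind when reading the incident this way: security rules govern only access through the client SDKs and the Storage REST API, so they cannot retract copies already pulled out by a download script, and they say nothing about whether the data should have been retained at all. For identity documents collected for a one-time check, deleting after verification removes the asset rather than fencing it.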
Tea acknowledged that a legacy storage system was accessed without authorization, affecting accounts created before February 2024. The exposed trove includes nearly 72,000 images: about 13,000 verification selfies and identification photos, with the remaining images taken from messages and posts, totaling over 59 GB of personal data. The platform stated that some verification selfies had been retained to meet obligations tied to the prevention of cyber-bullying.
The situation worsened with findings by 404 Media: a second exposed database contained over a million private messages, some sent as recently as last week, many touching on sensitive topics. Security researchers found that the data could be read by any client presenting a valid API key; possession of the key, not the identity of the user, gated access to other users' messages. The content includes highly sensitive discussions, some containing PII such as phone numbers or linked accounts.
Threat actors have weaponized the data, leaking archives and enabling phishing and social engineering. BleepingComputer confirmed the exposed files include high-assurance identifiers such as driver's licenses, facial photos, and media attachments.
What started as a safety resource for women is now being weaponized against them: attackers have launched a voyeuristic site encouraging visitors to rate the leaked selfies. Tea has also confirmed that some direct messages (DMs) were among the data accessed in the initial breach. In response, the company has taken the affected system offline as a precaution and reports no evidence of broader access into its environment so far. Tea says it is working with cybersecurity firms and law enforcement to investigate and contain the fallout, and has promised timely updates as more is learned. The team states that it is focused on strengthening security and plans to introduce additional protections soon, and impacted users will be offered free identity protection services as the company works to notify those at risk. The investigation remains ongoing.