Massive Tea app data breach: Here's what all has happened so far

What started as a simple cybersecurity incident at Tea, the viral dating safety app, has snowballed into one of the most damaging data breaches affecting women online. Over just a few days last week, what began as exposure of 72,000 images has ballooned into the leak of over 1.1 million private messages, leaving users vulnerable and the company scrambling to contain the damage.

Tea, an app that allows women to post anonymous comments about men they’ve supposedly dated, announced Friday that it has suffered a data breach, with hackers gaining access to 72,000 images. The initial breach, as reported by 404 Media, seemed manageable at first. That number includes 13,000 selfies and photo IDs submitted for account verification, as well as 59,000 images from posts, comments, and direct messages, the company said.

The publication reported that 4chan users claimed to be sharing personal data and selfies from Tea after discovering an exposed database. The intimate photos and ID documents weren’t just sitting in some hacker’s folder anymore — they were being actively shared on one of the internet’s most notorious forums.

Tea initially tried to downplay the situation, claiming the breach only affected users who signed up before February 2024 and involved old data. That narrative fell apart when a second, much worse security issue came to light just days later.

Security researcher Kasra Rahjerdi discovered a second vulnerability that was far more extensive. This separate issue, reported by 404 Media, revealed access to more than 1.1 million private messages spanning from early 2023 right up to last week. The sensitive nature of these conversations makes this breach particularly concerning for users’ safety and privacy.

The leaked messages contained deeply personal discussions about relationships, health decisions including abortion conversations, infidelity situations, and users sharing their real phone numbers with each other. Many women had assumed these chats were completely private when they shared such intimate details.

What makes this especially problematic is how easily users could be identified despite Tea’s promise of anonymity. The messages often contained real names, social media handles, and phone numbers that could lead directly back to specific individuals. Some conversations also included serious accusations against men who were named and could potentially be identified through the leaked information.

All this comes just after Tea experienced a surge in popularity and was sitting at the top of Apple’s App Store rankings. The app has around 2 million monthly users according to Sensor Tower estimates, meaning the potential impact reaches far beyond just those directly affected by the breaches.

Tea’s response has been reactive rather than proactive. After 404 Media published details about the second breach, the company quickly disabled its direct messaging feature on Tuesday and posted on Instagram that they were taking the affected systems offline “out of an abundance of caution.”

The legal consequences are already beginning. Two class-action lawsuits were filed against Tea on Monday, both alleging the company was negligent in protecting user data. For an app that built its reputation on helping women stay safe while dating, these security failures represent a fundamental breach of trust.

Tea’s users believed they were in a protected space where they could share sensitive information without risk. Instead, their most private conversations and personal photos are now potentially in the hands of bad actors who could use this information to cause real harm.