NEW YORK, NY – The "Tea app," a popular women's dating safety platform, has suffered a significant data breach, exposing approximately 72,000 user images, including government-issued identification and verification selfies. The breach, which came to light on July 25, 2025, stemmed from an improperly secured Firebase database that reportedly lacked authentication.
The vulnerability was first highlighted by a social media user, "Lain on the Blockchain," who stated in a tweet, > "TLDR the Tea app stores everyone's photo and ID unencrypted in a public firebase storage bucket." The tweet further questioned, > "Was this vibe coded?" suggesting a lack of rigorous security practices in the app's development.
Reports indicate that the exposed data includes around 13,000 verification selfies and IDs, alongside tens of thousands of other user-generated images and direct messages. While Tea stated that the compromised information was from a "legacy data system" dating back over two years, some reports suggest more recent data from 2024 and 2025 was also exposed. This sensitive data, including driver's licenses, was reportedly accessible without authentication.
The Tea app, which recently topped Apple's App Store charts, requires new users to submit a verification selfie and a photo of their government-issued ID to ensure a female-only user base. This requirement meant highly sensitive personal information was stored, making the security lapse particularly critical. The breach has led to concerns about identity theft, doxxing, and harassment, with some reports indicating that leaked data is being shared on anonymous forums like 4chan.
In response to the incident, Tea confirmed unauthorized access to one of its systems and announced a full investigation to assess the scope and impact. The company stated it is taking "every necessary step to ensure the security of our platform and prevent further exposure" and has engaged cybersecurity specialists. The incident underscores the critical importance of robust data security, especially for applications handling sensitive user verification data.