Popular Dating Safety App Tea Gets Pwned Big Time

A dating safety app called Tea, which allows women to do background checks on men and share the results with other women, has been pwned. As a result, posts, comments, and images tied to 1.6 million users are out in the wild. From the company's statement:

At 6:44 AM PST on 7/25, we identified unauthorized access to our systems and immediately launched a full investigation with assistance from external cybersecurity experts to understand the scope and impact of the incident. 

A legacy data storage system was compromised, resulting in unauthorized access to a dataset from prior to February 2024. This dataset includes approximately 72,000 images, including approximately 13,000 selfies and photo identification submitted by users during account verification and approximately 59,000 images publicly viewable in the app from posts, comments and direct messages.

No email addresses or phone numbers were accessed. Only users who signed up before February 2024 were affected.

They later updated the statement with the following:

As part of our ongoing investigation, we have recently learned that some direct messages (DMs) were accessed as part of the initial incident. For this reason our DM functionality is down.

To address the issue and out of an abundance of caution, we have taken the affected system offline altogether. At this time, we have found no evidence of access to other parts of our environment.

Please know that we’re committed to keeping you informed as quickly as possible. That said, because this is an active investigation involving external cybersecurity experts and the FBI, there are limits to what we can share—and when. We’ll continue to provide updates as soon as we have confirmed information and are able to do so responsibly.

Our team remains fully engaged in strengthening the Tea App’s security, and we look forward to sharing more about those enhancements soon. In the meantime, we are working to identify any users whose personal information was involved and will be offering free identity protection services to those individuals.

Clearly this is bad, as it could put women who use the app at risk for identity theft. I will be very interested to see how this is handled by the company, and whether they can recover from this incident over the long term.

UPDATE: This has gotten worse for Tea. Reports have surfaced that researchers have discovered user info now floating around places like the dark web. Anna Collard, SVP Content Strategy and Evangelist at cybersecurity company KnowBe4 Africa, commented:

“The Tea app data breach represents a failure in cloud security and data governance. This incident highlights how misconfigured cloud storage systems can transform what seems like a routine identity verification process into a privacy breach with potentially lasting consequences. The stolen selfies and driver’s licenses could be used by bad actors to ‘confirm’ false identities and commit identity theft. Cybersecurity is not just there for compliance, but to prevent these kinds of incidents, and data protection isn’t just a technical requirement, it’s a fundamental business responsibility that directly impacts user safety.”
