Tea Dating App Breach Reveals Major Data Privacy Gaps in Rapidly Growing Platforms

HaystackID

In July 2025, a 4chan user posted a simple Python script. Within hours, thousands of women’s driver’s licenses, selfies, and intimate conversations were spreading across the dark corners of the internet. The source? An app that promised to be their digital guardian angel.

Tea Dating Advice burst onto the scene in 2023 with an audacious promise: to create a safe space where women could anonymously warn each other about potentially dangerous men. Think Yelp, but for dating—complete with “red flag” and “green flag” ratings, background check capabilities, and a women-only verification system requiring government ID and facial recognition. By July 2025, the app had rocketed to the top of Apple’s App Store charts, boasting millions of users who believed they’d found a technological solution to dating’s oldest problem: how to stay safe while seeking connection.

But in a twist worthy of a Black Mirror episode, the very platform designed to protect women from predators became the vehicle for their mass exposure. The breach that unfolded over several days in mid-2025 didn’t just leak data—it shattered the fundamental trust upon which the entire platform was built.

The initial breach began when hackers discovered an unsecured Firebase database and leaked over 72,000 images to 4chan, including sensitive selfies, user-uploaded photos, and government ID scans. Within days, the situation spiraled even further out of control. Security researcher Kasra Rahjerdi uncovered a second, even more devastating vulnerability: over 1.1 million direct messages were accessible through the app’s API, many containing intimate conversations about relationships, discussions of abuse, abortion experiences, and personal safety concerns. Some messages were as recent as the week of discovery, contradicting the company’s initial attempts to minimize the breach as involving only “legacy data.”

Tea’s response revealed troubling gaps in their data governance. The company confirmed that the breach affected only users who signed up before February 2024, a cohort whose data was stored in legacy systems that hadn’t been migrated to newer security protocols. But this admission raised more questions than it answered. Why were verification photos—which the company claimed would be immediately deleted—still stored in accessible databases? Why hadn’t critical security updates been applied to systems containing such sensitive information?

The legal reckoning came swiftly and forcefully. Five federal class-action lawsuits have now been consolidated by U.S. Magistrate Judge Alex G. Tse in the Northern District of California, with additional cases pending in state courts. The plaintiffs include a single mother fleeing domestic violence and a woman who had used the app to warn others about an alleged sexual predator—users who now face the terrifying prospect of their abusers discovering their whereabouts and activities. The lawsuits allege Tea Dating Advice Inc. failed to implement reasonable data security measures and fundamentally misrepresented its commitment to user privacy and safety.

This breach exemplifies a systemic problem plaguing Silicon Valley’s “move fast and break things” mentality when applied to sensitive user data. Kasra Rahjerdi’s discovery that any authenticated user could potentially access the entire message database through simple API calls demonstrates how rapidly scaling platforms often treat security as an afterthought rather than a foundation. The incident highlights how many startups, under intense pressure from investors to achieve explosive growth, build on technical debt that becomes catastrophic when exploited.

The platform’s use of an unsecured Firebase database—a rookie mistake that security professionals compare to leaving your front door not just unlocked but wide open—suggests a fundamental disconnect between Tea’s marketing promises and its technical reality. The company collected some of the most sensitive data imaginable: government IDs linking real names to anonymous accounts, selfies for biometric verification, and conversations about personal trauma and safety concerns. Yet it stored this treasure trove of sensitive information with security measures that wouldn’t pass muster at a college hackathon.
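To make the failure pattern concrete, here is an added illustration (not Tea’s code, which is not public): a message-read endpoint that checks only whether the caller is signed in, beside one that also checks that the caller belongs to the conversation and counts refused reads as a detection signal for ID enumeration. The data store, session table, user names and conversation IDs are constructed for this example and do not describe Tea’s actual schema.

```python
"""Added illustration (not Tea's code): authorization on a message-read endpoint.

Models the failure described above: an endpoint that checks only *who* is
calling (authentication) but never whether the caller belongs to the
conversation (authorization). The store, sessions and names below are
constructed for this example; the real API and schema are not public.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Conversation:
    conversation_id: str
    participants: frozenset        # user ids allowed to read this thread
    messages: list = field(default_factory=list)


# Constructed sample data: two private conversations, four participants.
DB = {
    "c1": Conversation("c1", frozenset({"alice", "bob"}), ["hi", "how are you?"]),
    "c2": Conversation("c2", frozenset({"carol", "dave"}), ["need to talk"]),
}
# Constructed session table: bearer token -> authenticated user id.
SESSIONS = {"tok-alice": "alice", "tok-mallory": "mallory"}


class AccessDenied(Exception):
    pass


def authenticate(token):
    """Authentication only: resolve a token to a user id, or refuse."""
    uid = SESSIONS.get(token)
    if uid is None:
        raise AccessDenied("not signed in")
    return uid


def read_messages_vulnerable(token, conversation_id):
    """The pattern the article describes: any signed-in user can read any
    conversation, because membership is never checked."""
    authenticate(token)
    return list(DB[conversation_id].messages)


# Refused reads per requester; a cheap detection signal for id enumeration.
DENIED = Counter()


def read_messages_hardened(token, conversation_id):
    """Object-level authorization: the requester must be a participant."""
    uid = authenticate(token)
    conv = DB.get(conversation_id)
    # One error for 'missing' and 'not yours', so existence is not leaked.
    if conv is None or uid not in conv.participants:
        DENIED[uid] += 1
        raise AccessDenied("forbidden")
    return list(conv.messages)


def can_read(token, conversation_id):
    """Boolean wrapper around the hardened read, for checks and tests."""
    try:
        read_messages_hardened(token, conversation_id)
        return True
    except AccessDenied:
        return False


def suspicious_requesters(threshold=3):
    """Requesters with at least `threshold` refused reads, sorted by id."""
    return sorted(uid for uid, n in DENIED.items() if n >= threshold)


if __name__ == "__main__":
    print("vulnerable, mallory reads c1:", read_messages_vulnerable("tok-mallory", "c1"))
    print("hardened, mallory reads c1:", can_read("tok-mallory", "c1"))
    for cid in ("c1", "c2", "c3"):
        can_read("tok-mallory", cid)
    print("flagged:", suspicious_requesters())
```

The hardened function deliberately returns the same error for a conversation that does not exist and one the caller is not part of, so a caller cannot use the response to map which IDs are live; the refused-read counter is the kind of signal a monitoring rule can alert on long before a million messages walk out the door.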

The ethical implications extend beyond technical failures. The incident has ignited fierce debate about the responsibilities of platforms that position themselves as safety tools while potentially creating new vulnerabilities. Critics point out that Tea’s model—encouraging anonymous accusations with no verification or right of response—was always ethically fraught. The breach has transformed what was already a controversial platform into a cautionary tale about the dangers of surveillance capitalism dressed up as sisterhood.

Perhaps most troublingly, despite the massive breach and ongoing lawsuits, Tea remains among the top-ranked apps in app stores. This persistent popularity suggests a disturbing calculus that many users seem to make: accepting significant privacy risks in exchange for perceived immediate safety benefits. It raises profound questions about informed consent in an era where the full implications of data sharing remain opaque to most users.

The question that haunts this story isn’t just how Tea failed its users, but what it reveals about our entire app ecosystem: How many other platforms are one malicious actor away from catastrophic exposure?

Why This Matters to Cybersecurity, Information Governance, and eDiscovery Professionals

This incident offers critical lessons across multiple professional domains. For cybersecurity professionals, it highlights how API vulnerabilities and unsecured databases continue to be low-hanging fruit for attackers. For information governance specialists, it underscores the importance of data minimization and retention policies—keeping sensitive data “for law enforcement” without proper security is a liability, not a feature. For eDiscovery experts, the case presents a masterclass in digital evidence complexity, featuring consolidated multi-jurisdictional lawsuits, massive data volumes, and the challenge of preserving evidence while protecting the privacy of victims. As platforms continue to collect increasingly intimate user data, the Tea breach serves as both a warning and a wake-up call: security isn’t optional when lives and safety hang in the balance.


Assisted by GAI and LLM Technologies

Source: HaystackID published with permission from ComplexDiscovery OÜ

Written by:

HaystackID
