Tea App Suffered a Data Leak Exposing Users’ Personal Information and Messages


Date: 31/07/2025

The Tea platform suffered from two major data leaks. First, an unprotected Firebase database containing users’ personal information was discovered on 4chan, and then a second database was found containing 1.1 million personal messages exchanged by users.

Tea is a platform primarily oriented towards women. It is a closed community where all participants remain anonymous but must undergo verification by providing selfies and documents to confirm their identity, ensuring security and confidentiality. In essence, Tea allows users to verify information about potential partners and share “reviews” about men, such as experiences from conversations and dates. It also lets users check information for fraud and fakes, secret marriages, criminal records, and so on.

At the end of last week, information appeared on 4chan that Tea was using unsecured Firebase storage holding the photos of documents and selfies that users upload to the platform for identity verification, as well as photos and images they share with each other in comments.

An anonymous user shared a Python script that could be used to download data from the now secured database.

In total, this leak exposed more than 59 GB of data, and Tea representatives confirmed that the issue affected users who registered with the app before 2024.

“The dataset includes about 72,000 images, including approximately 13,000 selfies and photos provided by users for account verification, as well as around 59,000 images publicly available in the app in posts, comments, and private messages,” platform representatives reported.

Tea explained that selfies were not deleted due to law enforcement requirements related to preventing cyberbullying.

As a result, torrents with leaked data (users’ driver’s licenses, selfies, and message attachments) began to appear on the web and hacker forums, potentially threatening app participants with phishing attacks.

However, the story did not end there. According to 404 Media, another unprotected Tea database has now been found online, containing 1.1 million personal messages exchanged by users.

This database contains more recent data, from 2023 up until last week. According to journalists, the database includes messages discussing highly sensitive topics, including abortions, infidelity, and polygamous men. In some cases, women exchanged phone numbers to continue conversations outside the platform.

As explained to the publication by cybersecurity researcher Kasra Rahjerdi, who discovered the new leak, any Tea user could access stored data of other people using their own API key. The researcher also stated that he found a way to send push notifications to all Tea users.

As noted by 404 Media, it is now possible to identify Tea users through social media profiles, phone numbers, and other personal data leaked due to the breach. Consequently, the platform, which was meant to be a safe space for women, has turned into a tool for bullying. For instance, websites are already emerging online offering to rate selfies of Tea users, taken from the leaked data. These websites even publish rankings of the 50 best and 50 worst.

Tea representatives stated that they continue to collaborate with third-party cybersecurity experts to contain the incidents and conduct an investigation. The company has also notified law enforcement agencies about the situation, and they are assisting with the investigation as well.

As reported by the company to journalists from Bleeping Computer, the compromised personal messaging system is currently disabled for security reasons.

“At the moment, we have found no evidence of access to other parts of our infrastructure. The investigation is still ongoing, and we will strive to provide timely updates on its results as information becomes available. Our team continues to work on strengthening the security of the Tea App, and we look forward to sharing these improvements soon. In the meantime, we are focused on identifying users whose personal data was affected by the [leak], and we are offering them free identity theft protection services,” Tea representatives stated.
