The Tea platform suffered two major data leaks. First, an unprotected Firebase database containing users’ personal information was discovered on 4chan, and then a second database was found containing 1.1 million personal messages exchanged by users.
Tea is a platform primarily oriented towards women. It is a closed community where all participants remain anonymous but must undergo verification by providing selfies and documents to confirm their identity, which is meant to ensure security and confidentiality. In essence, Tea allows users to verify information about potential partners and share “reviews” about men, such as experiences from conversations and dates. It also lets users check for fraud and fakes, secret marriages, criminal records, and so on.
At the end of last week, information appeared on 4chan that Tea was using unsecured Firebase storage that exposed the photos of documents and selfies that users upload to the platform for identity verification, as well as photos and images they share with each other in comments.
An anonymous user shared a Python script that could be used to download data from the now secured database.
In total, this leak exposed more than 59 GB of data, and Tea representatives confirmed that the issue affected users who registered with the app before 2024.
“The dataset includes about 72,000 images, including approximately 13,000 selfies and photos provided by users for account verification, as well as around 59,000 images publicly available in the app in posts, comments, and private messages,” platform representatives reported.
Tea explained that selfies were not deleted due to law enforcement requirements related to preventing cyberbullying.
As a result, torrents with leaked data (users’ driver’s licenses, selfies, and message attachments) began to appear on the web and hacker forums, potentially exposing the app's users to phishing attacks.
However, the story did not end there. According to 404 Media, another unprotected Tea database has now been found online, containing 1.1 million personal messages exchanged by users.
This database contains more recent data, from 2023 up until last week. According to journalists, the database includes messages discussing highly sensitive topics, including abortions, infidelity, and polygamous men. In some cases, women exchanged phone numbers to continue conversations outside the platform.
Cybersecurity researcher Kasra Rahjerdi, who discovered the new leak, explained to the publication that any Tea user could access other people's stored data using their own API key. The researcher also stated that he found a way to send push notifications to all Tea users.
As noted by 404 Media, it is now possible to identify Tea users through social media profiles, phone numbers, and other personal data leaked due to the breach. Consequently, the platform, which was meant to be a safe space for women, has turned into a tool for bullying. For instance, websites are already emerging online offering to rate selfies of Tea users, taken from the leaked data. These websites even publish rankings of the 50 best and 50 worst.
Tea representatives stated that they continue to collaborate with third-party cybersecurity experts to contain the incidents and conduct an investigation. The company has also notified law enforcement agencies about the situation, and they are assisting with the investigation as well.
The company told journalists from Bleeping Computer that the compromised personal messaging system is currently disabled for security reasons.
“At the moment, we have found no evidence of access to other parts of our infrastructure. The investigation is still ongoing, and we will strive to provide timely updates on its results as information becomes available. Our team continues to work on strengthening the security of the Tea App, and we look forward to sharing these improvements soon. In the meantime, we are focused on identifying users whose personal data was affected by the [leak], and we are offering them free identity theft protection services,” Tea representatives stated.