Tea App Breach Escalates: Second Database Exposes 1.1 Million Private Chats

What began as a disturbing data leak has evolved into a full-scale privacy catastrophe for users of the Tea app—a platform designed as a women-only space for dating safety reviews. Security researchers have confirmed that two separate databases were compromised, exposing highly sensitive user data and shattering the platform's core promise of confidentiality.

The Initial Firebase Failure

The first breach stemmed from a severely misconfigured Firebase storage bucket left publicly accessible. As reported by BleepingComputer, an anonymous 4chan user shared a Python script capable of downloading over 59GB of verification documents, including:

• 13,000 selfies and government IDs (driver's licenses)
• 59,000 images from posts, comments, and DMs

Tea confirmed the exposure impacted pre-2024 users, attributing it to a "legacy data storage system." Alarmingly, the company admitted retaining verification selfies indefinitely for "law enforcement requirements"—a policy directly at odds with data minimization principles.

Escalation: Private Messages Exposed

Days later, 404 Media revealed a second, more recent database leak containing 1.1 million private messages exchanged between 2023 and July 2025. This trove includes conversations on intensely personal topics like abortions, infidelity, and relationships. Forensic analysis indicates messages contain enough personal details (phone numbers, social media handles) to identify users—turning intended anonymity into targeted vulnerability.

The Devastating Fallout

Threat actors quickly weaponized the data:

1. Torrents of the leaked IDs/selfies circulated on hacking forums, enabling social engineering and harassment.
2. A "Facesmash"-style site emerged, allowing public rating of exposed user photos.
3. Private conversations became ammunition for blackmail and public shaming.

Technical Takeaways for Developers

• Cloud Storage Configuration: The Firebase incident underscores the critical need for automated security scans of cloud buckets. Default public permissions are a known high-risk pattern.
• Data Lifecycle Management: Retaining sensitive verification data indefinitely "just in case" contradicts zero-trust design. Data should be purged post-verification unless legally mandated.
• Compartmentalization: Storing verification docs, public content, and private messages in separate, access-controlled systems could have limited blast radius.

Tea states it's working with cybersecurity experts and law enforcement, but the damage highlights a harsh truth: platforms promising safety inherit extraordinary responsibility for architectural rigor. For developers, this breach is a case study in how poor cloud hygiene and lax data governance transform protective spaces into liability engines.