In a troubling case of security negligence, TeaOnHer—a newly launched iOS app promoting itself as a male-focused response to the controversial Tea dating platform—is exposing users' most sensitive personal data. TechCrunch verified that the app leaks government-issued identification documents, selfies, email addresses, and locations due to unsecured data handling, putting tens of thousands at risk of identity theft and harassment.

The app emerged amid backlash against Tea, a women-centric platform with 6M+ users that recently suffered its own massive data breach. TeaOnHer copied Tea's App Store description nearly verbatim but replicated none of its security improvements. Instead, TechCrunch discovered at least one critical flaw allowing unrestricted access to user-submitted driver's licenses and selfies via publicly accessible URLs.

"Images of these driver’s licenses are publicly accessible web addresses, allowing anyone with the links to access them using their web browser," TechCrunch reported. In some instances, user posts were directly tied to their email addresses and real-time locations.

Cascading Security Failures

Beyond the exposed identity documents, TechCrunch identified admin credentials for the app's backend—including a plaintext password—publicly accessible on its server. These credentials could grant full system access, though TechCrunch refrained from testing them to avoid legal violations. The vulnerabilities stem from inadequate authentication protocols and reckless data storage practices.

Developed by Newville Media Corporation, led by CEO Xavier Lampkin, TeaOnHer requires ID verification but fails to protect that data. Lampkin’s own information appeared in the exposed dataset, underscoring the app's systemic flaws. With 53,000 users and climbing Apple's Top 20 free apps—surpassing Instagram and Netflix—the scale of exposure is escalating rapidly.

Ethical and Technical Red Flags

The security lapses compound ethical concerns. In "guest mode," TechCrunch observed non-consensual nude photos and derogatory posts targeting women—content that, when combined with leaked IDs, enables real-world harm. Unlike Tea, which disabled messaging after its breach, TeaOnHer lacks even basic moderation or data safeguards.

This incident highlights a dangerous pattern: apps handling sensitive personal data prioritizing rapid growth over security fundamentals. For developers, it’s a stark reminder that identity verification systems demand end-to-end encryption, strict access controls, and rigorous penetration testing—especially when processing government IDs. Regulatory scrutiny seems inevitable as these failures mount.

TechCrunch has withheld technical specifics of the vulnerabilities to prevent exploitation but confirmed the app remains available despite outreach attempts to Lampkin. Users who submitted IDs should assume their data is compromised and monitor for identity fraud. In the clash of controversial dating apps, user security remains the ultimate casualty.

Source: TechCrunch