On 25 July 2025, the US-based dating app Tea Dating Advice (The Tea app) suffered a major data breach that exposed 72,000 verification images (selfies, ID photos, screenshots) and, later, 1.1 million private messages containing user locations, phone numbers, and personal conversations. The leaked data, posted on 4chan, included sensitive identity documents and biometric information from users who signed up before February 2024. The breach occurred as the app surged in popularity, reaching #1 in the US Apple Store, and coincided with the UK’s rollout of mandatory age verification under the Online Safety Act 2023, which requires similar ID uploads. The exposed data poses severe risks of fraud, identity theft, reputational harm, and legal repercussions, and multiple lawsuits have already been filed. The incident highlights the vulnerability of platforms that handle high-value verified identity data, which makes them prime targets for cybercriminals. The scale of the breach and the sensitivity of the compromised information, which links real identities to online activity, amplify its severity, with potential long-term consequences for affected users and for the company’s compliance under GDPR and other regulations.
TPRM report: https://www.rankiteo.com/company/tea-dating-safety-for-women
"id": "tea4692846102225",
"linkid": "tea-dating-safety-for-women",
"type": "Breach",
"date": "6/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '72,000 (images) + 1.1 million '
'(messages)',
'industry': 'Dating/Social Media',
'location': 'United States',
'name': 'Tea Dating Advice (The Tea App)',
'type': 'Mobile Application'}],
'data_breach': {'data_exfiltration': ['Data posted on 4chan'],
'file_types_exposed': ['Images (JPEG/PNG)', 'Text messages'],
'number_of_records_exposed': ['72,000 (images)',
'1,100,000 (messages)'],
'personally_identifiable_information': ['Names (linked to '
'IDs)',
'Phone numbers',
'Locations',
'Biometric data '
'(selfies)'],
'sensitivity_of_data': ['High (PII, biometric data, identity '
'documents)'],
'type_of_data_compromised': ['Biometric data (selfies)',
'Identity documents (ID photos)',
'Private messages',
'User locations',
'Phone numbers',
'App screenshots']},
'date_detected': '2025-07-25',
'date_publicly_disclosed': '2025-07-25',
'description': 'On 25 July 2025, the US-based dating app Tea Dating Advice '
'(the Tea app) confirmed a major data breach where an '
'estimated 72,000 images (verification selfies, uploaded ID '
'photos, and app screenshots) were accessed by unauthorized '
'parties and posted on 4chan. A second breach on 28 July 2025 '
'exposed 1.1 million private messages, including user '
'locations and phone numbers. The breach involved data from '
'users who signed up before February 2024, raising concerns '
'about fraud and identity theft. Multiple lawsuits have since '
'been filed against the app’s publishers.',
'impact': {'brand_reputation_impact': ['Severe reputational harm due to '
'exposure of sensitive personal data'],
'customer_complaints': ['Multiple lawsuits filed'],
'data_compromised': ['72,000 images (verification selfies, ID '
'photos, app screenshots)',
'1.1 million private messages (including '
'locations, phone numbers)'],
'identity_theft_risk': ['High (due to exposure of ID documents and '
'biometric data)'],
'legal_liabilities': ['Potential GDPR violations',
'Multiple lawsuits'],
'operational_impact': ['Legal lawsuits', 'Reputational damage']},
'initial_access_broker': {'data_sold_on_dark_web': ['Data posted on 4chan '
'(potential for further '
'distribution)'],
'high_value_targets': ['User verification data '
'(selfies, IDs)',
'Private messages']},
'investigation_status': 'Ongoing (lawsuits filed, no resolution reported)',
'lessons_learned': ['Collecting sensitive personal data (e.g., ID documents, '
'biometric info) significantly increases breach risks and '
'stakes.',
'Outsourcing ID verification to third parties does not '
'absolve companies of responsibility under GDPR.',
'Companies must revisit compliance and incident response '
'plans when handling new types of high-value data (e.g., '
'verified identity data).',
'Data minimization, retention policies, and vendor due '
'diligence are critical to mitigating risks.',
'Breaches involving identity-linked online activity can '
'lead to higher volumes of claims (e.g., embarrassment, '
'distress, reputational damage).',
'Platforms complying with age verification laws (e.g., '
'UK’s Online Safety Act) may become prime targets for '
'cybercriminals due to the high value of verified '
'identity data.'],
'motivation': ['Financial Gain', 'Data Exfiltration', 'Fraud'],
'post_incident_analysis': {'root_causes': ['Inadequate protection of '
'sensitive verification data '
'(selfies, IDs).',
'Failure to securely delete data '
'post-verification (as claimed in '
'privacy policy).',
'Lack of safeguards for high-value '
'data (e.g., biometric/ID linkage '
'to online activity).',
'Potential third-party vendor '
'vulnerabilities (if ID '
'verification was outsourced).']},
'ransomware': {'data_exfiltration': ['Data leaked on 4chan']},
'recommendations': ['Implement robust data minimization practices to limit '
'collection and retention of sensitive data.',
'Conduct thorough vendor due diligence for third-party ID '
'verification providers.',
'Ensure clear retention periods for sensitive data (e.g., '
'temporary storage for verification only).',
'Develop and test incident response plans specifically '
'for high-risk data types (e.g., biometric/ID data).',
'Prepare for regulatory notifications and reputational '
'harm mitigation strategies.',
'Monitor dark web and anonymous forums for leaked data to '
'enable swift response.',
'Evaluate the necessity of collecting high-risk data '
'(e.g., IDs) and explore alternatives where possible.'],
'references': [{'source': 'Article on Tea Dating Advice breach and UK Online '
'Safety Act'},
{'date_accessed': '2025-06',
'source': 'Home Office Cyber Security Breaches Survey 2025'}],
'regulatory_compliance': {'legal_actions': ['Multiple lawsuits filed against '
'the app’s publishers'],
'regulations_violated': ['Potential GDPR violations '
'(if EU users affected)',
'Online Safety Act 2023 '
'(UK) implications']},
'response': {'communication_strategy': ['Public confirmation of breach',
'Media statements']},
'title': 'Tea Dating Advice (The Tea App) Data Breach',
'type': ['Data Breach', 'Unauthorized Access', 'Data Leakage']}