Tea Dating Advice

The Tea Dating Advice app suffered a data breach on July 25, 2025, exposing 72,000 user images (including 13,000 selfies and verification documents) and 1.1 million private messages containing identifying details (contacts, social profiles). The breach occurred because a legacy storage system was left unsecured and reachable via a public URL, and some of the data later surfaced on 4chan. The app, marketed as a safe space for women to discuss dating, failed to implement adequate security measures despite handling highly sensitive personal data. The company's delayed response, updating its privacy policy only after the incident, highlighted systemic negligence in data protection. The leaked data, including private conversations and verification documents, poses severe risks of identity theft, harassment, and reputational harm to users, compounded by the app's large U.S. user base.

Source: https://www.redhotcyber.com/en/post/tea-dating-app-data-breach-72000-images-and-over-1-million-private-messages/

TPRM report: https://www.rankiteo.com/company/tea-dating-safety-for-women

{
"id": "tea918090225",
"linkid": "tea-dating-safety-for-women",
"type": "Breach",
"date": "7/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': '1+ million (users with messages '
                                              'exposed) + 72,000 (users with '
                                              'images exposed)',
                        'industry': ['social media', 'dating/advice platform'],
                        'location': ['primarily United States (high user '
                                     'base)'],
                        'name': 'Tea Dating Advice',
                        'type': 'mobile application'}],
 'attack_vector': ['misconfigured legacy storage system',
                   'publicly accessible URL'],
 'customer_advisories': ['users advised to change passwords, monitor exposed '
                         'data on 4chan, and review privacy settings'],
 'data_breach': {'data_encryption': ['no; data stored in plaintext on legacy '
                                     'system'],
                 'data_exfiltration': ['yes; exposed on 4chan'],
                 'file_types_exposed': ['JPEG/PNG (images)',
                                        'text (messages)',
                                        'PDF/documents (verification files)'],
                 'number_of_records_exposed': ['72,000 images',
                                               '1.1 million messages'],
                 'personally_identifiable_information': ['yes; contacts, '
                                                         'social profiles, '
                                                         'selfies, '
                                                         'verification '
                                                         'documents'],
                 'sensitivity_of_data': ['high; includes intimate dating '
                                         'advice, verification documents, and '
                                         'private conversations'],
                 'type_of_data_compromised': ['images (selfies, verification '
                                              'documents, public posts)',
                                              'private messages (contacts, '
                                              'social profiles, conversations)',
                                              'potentially PII (names, '
                                              'usernames, linked accounts)']},
 'date_detected': '2025-07-25',
 'date_publicly_disclosed': '2025-08-11',
 'description': "The 'Tea Dating Advice' app reported a data breach on July "
                '25, 2025, involving 72,000 images of users registered before '
                'February 2024 (including 13,000 selfies and documents for '
                'account verification and 59,000 public images from posts, '
                'comments, and direct messages). A database containing 1.1 '
                'million private messages (with identifying information like '
                'contacts and social profiles) from 2023 to present was also '
                'breached. The unauthorized access occurred via a legacy data '
                'storage system with a public URL, exposing data on 4chan. The '
                'breach highlights inadequate security and privacy measures, '
                "despite the app's mission to create a 'safe space' for women "
                'navigating dating.',
 'impact': {'brand_reputation_impact': ['severe; exposure of sensitive '
                                        'dating/verification data on 4chan',
                                        "loss of trust in 'safe space' "
                                        'mission'],
            'data_compromised': ['72,000 images (13,000 selfies/verification '
                                 'documents + 59,000 public images)',
                                 '1.1 million private messages (with contacts, '
                                 'social profiles, conversations from '
                                 '2023–present)'],
            'identity_theft_risk': ['high; exposed PII (contacts, social '
                                    'profiles, selfies, verification '
                                    'documents)'],
            'legal_liabilities': ['potential non-compliance with data '
                                  'protection laws (e.g., GDPR, CCPA)',
                                  'misalignment between stated data retention '
                                  'purposes and actual practices'],
            'operational_impact': ['investigation ongoing',
                                   'privacy policy updates',
                                   'reputation damage'],
            'payment_information_risk': ['low; no mention of financial data '
                                         'exposure'],
            'systems_affected': ['legacy data storage system']},
 'initial_access_broker': {'data_sold_on_dark_web': ['exposed on 4chan (not '
                                                     'confirmed if sold)'],
                           'entry_point': 'publicly accessible URL for legacy '
                                          'data storage system',
                           'high_value_targets': ['user verification documents',
                                                  'private messages',
                                                  'selfies']},
 'investigation_status': 'ongoing (as of 2025-09-02)',
 'lessons_learned': ['Legacy systems with public URLs pose significant risks '
                     'and require strict access controls.',
                     'Data retention policies must align with stated purposes '
                     '(e.g., cyberbullying prevention) and be clearly '
                     'communicated.',
                     'Sensitive data (e.g., dating advice, verification '
                     'documents) demands robust encryption and security '
                     "measures beyond 'reasonable efforts'.",
                     'Privacy policies must be proactive, not reactive; '
                     'updates should precede incidents, not follow them.',
                     'Virality and rapid growth require scalable security '
                     'infrastructure to protect user trust.'],
 'post_incident_analysis': {'corrective_actions': ['Updated privacy policy to '
                                                   'reflect realistic security '
                                                   'measures (2025-08-11).',
                                                   'Planned: Migration of '
                                                   'legacy data to secured '
                                                   'systems (implied by '
                                                   'investigation).',
                                                   'Planned: Enhanced user '
                                                   'authentication and '
                                                   'password policies.'],
                            'root_causes': ['Misconfigured legacy system with '
                                            'public URL access.',
                                            'Lack of encryption for stored '
                                            'sensitive data.',
                                            'Vague data retention policies not '
                                            'aligned with actual practices.',
                                            'Inadequate access controls for '
                                            'high-risk data (e.g., '
                                            'verification documents).',
                                            'Delayed privacy policy updates '
                                            '(last revision pre-dated incident '
                                            'by ~3 years).']},
 'recommendations': ['Implement zero-trust architecture for legacy systems, '
                     'especially those storing sensitive data.',
                     'Conduct regular audits of data retention practices to '
                     'ensure compliance with stated purposes.',
                     'Enhance transparency in privacy policies, explicitly '
                     'detailing data use, storage, and protection measures.',
                     'Deploy end-to-end encryption for private messages and '
                     'stored images.',
                     'Establish a dedicated security team to monitor dark '
                     'web/forums (e.g., 4chan) for exposed data.',
                     'Provide users with clear, accessible tools to request '
                     'data deletion or download their information.',
                     "Adopt a 'privacy by design' approach, integrating "
                     'security reviews into feature development lifecycles.'],
 'references': [{'date_accessed': '2025-09-02',
                 'source': 'Stefano Gazzella (article author)'},
                {'source': 'Kasra Rahjerdi (security researcher)'},
                {'source': 'Tea Dating Advice Instagram (@theteapartygirls)',
                 'url': 'https://www.instagram.com/theteapartygirls/'},
                {'source': 'Tea Dating Advice Privacy Policy (updated '
                           '2025-08-11)'}],
 'regulatory_compliance': {'regulations_violated': ['potential: GDPR (EU), '
                                                    'CCPA (California), other '
                                                    'data protection laws']},
 'response': {'communication_strategy': ['public disclosure via Instagram '
                                         '(@theteapartygirls)',
                                         'privacy policy updates '
                                         'post-incident'],
              'incident_response_plan_activated': 'yes (investigation ongoing)',
              'remediation_measures': ['updated privacy policy (2025-08-11)',
                                       'enhanced password security '
                                       'recommendations'],
              'third_party_assistance': ['security researcher Kasra Rahjerdi '
                                         '(disclosed message database '
                                         'breach)']},
 'title': 'Tea Dating App Data Breach: 72,000 Images and Over 1 Million '
          'Private Messages',
 'type': ['data breach', 'unauthorized access', 'data exposure'],
 'vulnerability_exploited': ['improper access controls',
                             'lack of encryption for stored data',
                             'inadequate data retention policies']}