On July 25, 2025, the Tea Dating Advice app (Tea App) suffered a serious data breach. Around 72,000 images were exposed, including 13,000 selfies and ID documents used for account verification, plus 59,000 photos shared through posts, comments, and direct messages.
The app boasts over 4 million users in the United States, with popularity skyrocketing in recent weeks on TikTok and the U.S. App Store (where it reached the top spot in the free downloads ranking). The breach affected only users registered before February 2024, who had not yet migrated to the new system.
The main purpose of the app was to provide a safe space for women, verified through ID documents, to share information about men’s profiles on dating apps. According to the founder of Tea App, Sean Cook, this would help uncover potential catfish (people assuming a fake digital identity) or men who were secretly married.
Was it really “hacking”?
Access to the sensitive information did not require any actual system intrusion: the data was stored in cloud storage “buckets”, hosted on Firebase (a service offered by Google), that were publicly accessible, without encryption or proper access controls. It was enough to write a program that tried multiple URLs in sequence and kept only the ones that returned a file.
To make matters worse, although the website stated that ID photos would be deleted immediately after verification, in many cases this did not happen, leading to their exposure. The leak also contained particularly sensitive ID documents (for example, from military personnel) as well as addresses and private messages.
The company claimed the data had been kept for legal compliance regarding cyberbullying, but security experts questioned this explanation and pointed out the negligence in handling all the information.
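What “publicly accessible” looks like in practice, as an added illustration that is not taken from Tea App’s actual configuration: a Firebase Storage security rule set that lets anyone read and write every object, followed by a hardened version in which verification selfies and ID documents can be uploaded only by their owner and never read back by any client. The path names (verification/, posts/) and the size and content-type limits are assumptions for the example.

```text
// WEAK: every object in the bucket is readable and writable by anyone,
// including unauthenticated requests. Enumerating URLs is all it takes.
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if true;
    }
  }
}

// HARDENED: deny by default, scope each path to the signed-in owner,
// and keep verification material out of client reach entirely.
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    // Verification selfies / ID documents (assumed path): the owner may
    // upload once, with a size and type limit; no client may ever read them.
    match /verification/{uid}/{fileName} {
      allow create: if request.auth != null
                    && request.auth.uid == uid
                    && request.resource.size < 5 * 1024 * 1024
                    && request.resource.contentType.matches('image/.*');
      allow read, update, delete: if false;
    }

    // Post and message images (assumed path): visible to signed-in users
    // only, and only the uploader may change or remove them.
    match /posts/{uid}/{fileName} {
      allow read: if request.auth != null;
      allow write: if request.auth != null && request.auth.uid == uid;
    }

    // Anything not matched above is denied.
    match /{allPaths=**} {
      allow read, write: if false;
    }
  }
}
```

These rules only govern requests made through the Firebase SDKs; the underlying Google Cloud Storage bucket must also have no `allUsers` or `allAuthenticatedUsers` grants in its IAM policy, otherwise direct URLs bypass the rules entirely. Verification images should additionally be deleted server-side once the check is complete, so that a retention promise like the one on Tea App’s website is enforced by the system rather than by policy.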
Trust is good, not trusting is better
Why would an app designed to protect user privacy adopt such flawed security practices? There may be multiple reasons: perhaps a lack of qualified staff, or simply underestimating the risks.
In any case, even when best practices are followed, human error can still lead to leaks of sensitive information. Is there a way we can protect ourselves?
At Dhiria, we develop end-to-end encrypted solutions that allow data to be processed without ever decrypting it: even in the event of a leak, if the data were encrypted from the moment it was received, an attacker would not be able to make use of it.
It is therefore crucial to realize that companies we entrust with our data do not always keep their promises, and having external and verifiable security guarantees is essential.
For example, thanks to Homomorphic Encryption, it is possible to create identity verification systems that process only encrypted images: the verifier never has access to the images themselves and therefore cannot expose users’ sensitive information.
Want to learn how to defend yourself against potential leaks?
At Dhiria, we explore technologies every day to protect users’ privacy. Contact us at www.dhiria.com or write to us at info@dhiria.com for a personalized demo.