Tea App’s Second Breach: 1 Million+ Private Messages Exposed, Including Sensitive Discussions
The saga surrounding the Tea app—marketed as a safe haven for women—has now escalated into a second major data breach within a week, and this time the implications are far more severe. An independent cybersecurity expert uncovered a vulnerability in the app’s API that granted access to a massive trove of private user conversations. These included sensitive discussions about abortions, infidelity, phone numbers, and other deeply personal information that users had presumed strictly confidential. Alarmingly, the researcher also found it was possible to send push notifications to all registered users.
While Tea’s representatives had previously claimed that a past incident involved only an “outdated two-year-old data store,” the latest breach affects current data, with messages dated as recently as July 2025. The researcher provided a copy of the database, containing over 1.1 million messages, to journalists at 404 Media. The authenticity of the data was confirmed: usernames found in the leak are already registered in the app, so new accounts cannot be created under those names.
Tea aims to provide a platform where women can share information about men to help mitigate risks in dating. Membership requires users to verify their female identity through a selfie. However, the app’s approach to security has proven to be alarmingly negligent. Conversations once believed to be private were found to be readily accessible—and, in many cases, included phone numbers and social media links, making it easy to trace users’ real identities.
These conversations were far from trivial. Among them were confessions about abortions, revelations of double lives, and connections between women unknowingly dating the same man. One message described a woman discovering her husband’s presence on the app. In another, a bride-to-be sought to determine her fiancé’s fidelity. In one group chat, users compared photos of a partner’s car to verify if they were all involved with the same individual.
Unlike the first leak, which stemmed from an unsecured Firebase instance and exposed tens of thousands of photos and documents, this breach allowed anyone with a user API key to access live data. The vulnerability was patched only at the end of last week.
Beyond unauthorized message access, users on 4chan exploited the data to build a public ranking system, encouraging others to vote on who looked “more attractive” based on selfies uploaded to the app. These images—and even ID documents—became fodder for ridicule and harassment, with some pictures receiving tens of thousands of votes.
Tea claims it is actively investigating the incident with assistance from third-party experts and is cooperating with law enforcement. However, given the sensitivity of the exposed data and the app’s intended purpose, the damage to the privacy and dignity of its users—primarily women—may be irreversible.