
The Tea App Data Breach Incident

Sayantan Dasgupta
August 26, 2025
What Happened

Recently, everyone has been talking about the Tea app data breach incident. Thousands of images of women were leaked, along with their IP addresses—a major concern since IPs can be linked directly to locations.

All this happened while the company was claiming to be completely safe for women. According to the Tea website, the app was designed so that only women could sign up, verify themselves via driving licenses or selfies, and then help other women avoid “red-flag” men.


What is Tea?

Tea is an aromatic beverage prepared by pouring hot or boiling water over cured or fresh leaves of Camellia sinensis... — Wikipedia

Just kidding.

The Tea we’re talking about is the Tea dating app, which claimed to provide dating safety tools that protect women.

Claimed Safety Features

  • Anonymity
  • Verified accounts (women only)
  • Government ID or selfie verification

Instead of names, users were assigned random usernames to anonymously call out men on the app. In theory, it worked as a digital shield against creepy or scammy people online.

This was a good initiative—until user data ended up publicly exposed on 4chan, including verification selfies (faces alongside government IDs), which the company claimed were deleted after verification.


What Got Leaked?

The Tea app breach happened in two phases:

Phase 1: Verification Data

  • Verification selfies + government IDs were leaked.
  • Though the app claimed data was deleted after signup, it was only a soft delete—the files still existed.
  • The images contained metadata such as:
    • IP addresses
    • Locations

This meant attackers could directly identify user locations—an alarming risk for women.

Phase 2: Messages

  • User messages, including deleted ones, were leaked.
  • This indicates the messages were stored without proper encryption; they should have been end-to-end encrypted, so that the server only ever holds ciphertext it cannot read.

The How (Root Cause)

If your app’s USP is anonymity and safety, security should be your first priority. Tea failed here.

After the incident, the company issued a notice claiming only users signing up after Jan 2024 were affected. Why? Because they had migrated their database to Firebase.

Firebase Misconfiguration

  • Firebase allows security misconfigurations without warnings.
  • According to env.fail, Firebase misconfigurations have exposed ~125M records across 900 websites.
  • By scanning .js bundles, researchers found many Firebase collections with public read access.

Tea made things worse:

  • No proper authentication or authorization.
  • Anyone with the collection link could fetch all user JSON data.
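The two failures above, a collection readable without authentication and "deleted" records that still exist, compound each other. The block below is an added model, not Tea's code and not the Firebase SDK or rules engine: it imitates how Firestore security rules gate a collection read (the rule must pass for every document the query would return), and runs a public-read rule and an owner-only rule over a constructed set of verification documents that includes soft-deleted rows. Ids, IP addresses, bucket paths and locations are made up.

```javascript
// Added illustration, not Tea's code or the Firebase SDK: a tiny model of how
// Firestore security rules gate a collection read, run over a constructed set
// of verification documents. Names, ids, IPs and locations are made up.

// Constructed sample data: what the raw documents look like in the database.
// The "deleted" flag is a soft delete: the app's UI hides these rows, but any
// client that can read the collection still receives them.
const verificationDocs = [
  { id: "v1", ownerId: "u1", selfie: "gs://example-bucket/v1.jpg", ip: "203.0.113.7",  location: "City A", deleted: false },
  { id: "v2", ownerId: "u2", selfie: "gs://example-bucket/v2.jpg", ip: "198.51.100.9", location: "City B", deleted: true  },
  { id: "v3", ownerId: "u3", selfie: "gs://example-bucket/v3.jpg", ip: "192.0.2.44",   location: "City C", deleted: true  },
];

// The misconfiguration. As a Firestore rule it would read:
//   match /verifications/{doc} { allow read: if true; }
function publicReadRule(request, doc) {
  return true;
}

// The hardened rule: only a signed-in user reading their own document.
//   match /verifications/{doc} {
//     allow read: if request.auth != null && request.auth.uid == resource.data.ownerId;
//   }
function ownerOnlyRule(request, doc) {
  return request.auth !== null && request.auth.uid === doc.ownerId;
}

// Firestore evaluates rules per document, and a query is rejected outright if
// any document it would return fails the rule. Returns the documents on
// success or null when the read is denied.
function readCollection(rule, request, docs) {
  return docs.every((doc) => rule(request, doc)) ? docs : null;
}

// Summarise what a given caller gets back under a given rule. `filter` stands
// in for a query's where() clause; the default is an unfiltered read.
function exposureReport(rule, request, filter = () => true) {
  const result = readCollection(rule, request, verificationDocs.filter(filter));
  if (result === null) return { denied: true, count: 0, softDeletedLeaked: 0 };
  return {
    denied: false,
    count: result.length,
    softDeletedLeaked: result.filter((d) => d.deleted).length,
  };
}

// A true delete: the rows are gone, so no rule misconfiguration can leak them.
function purgeDeleted(docs) {
  return docs.filter((d) => !d.deleted);
}

const anonymous = { auth: null };
const userOne = { auth: { uid: "u1" } };

console.log("public rule, anonymous caller:", exposureReport(publicReadRule, anonymous));
console.log("owner rule, anonymous caller:", exposureReport(ownerOnlyRule, anonymous));
console.log("owner rule, u1 reading own doc:",
  exposureReport(ownerOnlyRule, userOne, (d) => d.ownerId === "u1"));
console.log("rows left after a real purge:", purgeDeleted(verificationDocs).length);
```

Under the public-read rule an anonymous caller receives all three documents, including the two the app considers deleted, with their IP and location fields. Under the owner-only rule the same unfiltered read is denied even for a signed-in user, because the query could return other users' documents; only a query scoped to the caller's own ownerId succeeds. Purging rows once verification is complete removes the exposure at the source, whatever the rules say.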

Learnings

The Tea app failed due to several security misconfigurations combined with Firebase’s weaknesses:

  • Misconfigured security rules.
  • Over-reliance on Firebase as a backend-as-a-service (BaaS).
  • No backend server to validate requests.

Why This Matters

  • Firebase isn’t inherently insecure, but without a backend server, apps can’t enforce proper authentication and authorization.
  • This left Tea’s Firebase collections exposed and exploitable.

Key Takeaways

  • Always treat user data with the highest level of security.
  • Soft deletes are not true deletes.
  • End-to-end encryption is non-negotiable for sensitive data like messages.
  • Don’t blindly trust backend-as-a-service—implement your own backend validation layer.
  • No system is 100% hack-proof, but security must be prioritized early in development to reduce risks.