Tea app suffers second breach, exposing 1.1 million private messages after initial leak of ID photos

The Tea app, a women-only dating safety platform, is now grappling with a second and more invasive data breach that has exposed more than 1.1 million private messages between its members — just days after confirming a separate leak involving ID photos and user selfies.

Over the weekend, the latest breach was uncovered, compounding the fallout from an earlier incident in which a malicious actor exploited an unsecured Firebase storage bucket to access 59 gigabytes of sensitive data. That initial leak included roughly 13,000 user-submitted selfies and driver’s licenses and nearly 59,000 images from posts, comments, and direct messages.

According to reporting by 404 Media, a newly discovered and separate database has come to light, containing private messages spanning from 2023 to as recently as last week. The messages reportedly cover deeply personal and sensitive subjects such as abortions, cheating spouses, and romantic betrayal.

Security researcher Kasra Rahjerdi, who identified the second breach, said the exposed database was accessible to any Tea user through the app’s API using their API key. The database’s structure allowed for potential user identification based on details shared in messages, including social media handles, phone numbers, and other personal identifiers.

The Tea app requires users to verify their identity with a government-issued ID and a selfie to access the platform. It is designed as a review-based community where women can share experiences about men for safety purposes. The company initially disclosed the first breach last week, attributing it to a compromised legacy storage system before February 2024.

In a public statement, Tea confirmed the first breach affected users who registered before that date and involved images retained for compliance with cyberbullying-related law enforcement requests.

On Friday, an anonymous user on 4chan published details of the first breach and shared a Python script capable of downloading the exposed files before access was locked down. Since then, threat actors have circulated torrents of the stolen data on hacking forums, prompting warnings of social engineering and privacy risks for users.

The emergence of the second, more recent breach has further heightened concerns. In an update shared late Sunday with BleepingComputer, Tea confirmed that some direct messages were accessed in what it now describes as part of the original attack.

“As part of our ongoing investigation into the cybersecurity incident involving the Tea App, we have recently learned that some direct messages (DMs) were accessed as part of the initial incident,” Tea said. “Out of extreme caution, we have taken the affected system offline.”

Tea added that it has yet to find evidence of compromise beyond the exposed systems but is continuing to investigate. The company said it is working with third-party cybersecurity experts and has notified law enforcement, which is assisting in the ongoing probe. Tea also said it will offer free identity protection services to affected users as it works to identify individuals impacted by the second breach.