
Last Updated: 2025-08-01 ~ DPDP Consultants

Massive Tea App Data Breach Exposes Intimate Chats of Over 1 Million Women


In a deeply troubling turn, the viral women-centric dating app Tea has suffered a second, far more severe data breach. This time, more than 1.1 million private messages have been exposed, revealing users’ most personal conversations, some as recent as late July 2025.

From Photos to Private Messages: A Deepening Crisis

Tea, known for empowering women to anonymously share red flags and dating experiences, initially disclosed a breach on July 25, 2025, involving approximately 72,000 images. These included 13,000 selfies or photo IDs submitted during verification, along with 59,000 images from posts, comments, and private messages.

However, independent security researcher Kasra Rahjerdi uncovered a separate incident in which a Firebase database exposed over 1.1 million private chats, spanning from early 2023 to July 2025. These chats contained extremely sensitive content, including discussions about abusive relationships, infidelity, divorce, abortion, and rape, as well as personal contact details that users had exchanged, such as phone numbers and meeting locations.

Privacy Promises Broken and Real-World Risks

Tea had previously claimed that only legacy data from before February 2024 was involved in the initial breach. Rahjerdi’s findings contradicted this, showing recent and ongoing message activity had also been compromised. Worse still, the exposed Firebase environment allowed nearly unrestricted access via an unprotected API key.

Some attackers created websites ranking stolen selfies, and one even mapped data points on Google Maps, exposing users' approximate real-world locations. These developments sparked grave concerns around stalking, identity theft, and doxxing.

Tech Oversight or Systemic Neglect?

While Tea’s core app infrastructure was secured, its backend Firebase database lacked basic security controls such as proper authentication and encryption. Experts believe this reflects a broader issue in the tech industry where product growth is often prioritized over cybersecurity.

Ted Miracco, CEO of Approov, noted this was not just a technical oversight but a failure in security culture, common in early-stage tech startups focused on rapid scaling.

Legal Fallout Mounts

The incident has triggered two class-action lawsuits in California. One plaintiff is seeking injunctive relief and security reforms, while another woman, who used Tea to warn others about harmful partners, alleges her privacy was violated. Both lawsuits cite negligence, breach of contract, and violations of the California Consumer Privacy Act (CCPA).

What Tea Is Saying and Doing

Tea responded by taking its messaging system offline and bringing in external cybersecurity experts along with the FBI to investigate. The company has also begun offering free identity protection services to affected users. According to the company, the direct messaging feature is temporarily unavailable as a precaution.

A spokesperson emphasized that, based on current findings, no additional systems were affected beyond the compromised image and message databases.

Why This Matters

  • Breach of trust: Tea was marketed as a safe space for women to speak freely and confidentially about dating experiences. This trust has been deeply damaged.
  • Security blind spots: The breach highlights a common risk in app development where backend systems like Firebase are left vulnerable.
  • Wider implications: Many observers believe the targeting of Tea reflects a cultural backlash against women using tech platforms to hold men accountable.

In Summary

Tea launched with the intention of giving women a voice and community. Instead, it has become a cautionary tale about the dangers of weak cybersecurity and the devastating real-world consequences of data leaks. What began as a platform for empowerment now faces an uphill battle for credibility and recovery.
