Security that becomes a vulnerability

At the height of its popularity, Tea fell victim to a cyberattack that contradicted its promise to protect women's privacy. This incident raises critical questions about how apps designed with protective intentions can end up exposing their own users. Below, we dive into the details, consequences, and key lessons.

What happened? Details of the attack on Tea

On July 25, 2025, Tea confirmed that hackers breached outdated systems and accessed a database containing 72,000 images, including:

  • 13,000 selfies and official document photos used for identity verification
  • 59,000 images published by users in posts, comments, and private messages

The breach only affected users who registered before February 2024, according to the company.

Tea stated that no email addresses or phone numbers were compromised, and that they have hired external cybersecurity experts to reinforce their systems.

The paradox of an app created to protect

Tea emerged between 2022 and 2023 as a tool to empower women and ensure safe dating experiences, offering background checks, fake profile detection, and anonymous alerts about potentially risky dates.

But this security-focused approach was undermined by:

  • Outdated storage infrastructure without secure migration
  • Use of unauthenticated environments, such as public Firebase storage buckets generated automatically by AI coding tools and deployed without proper access controls, a practice known as “vibe coding”

Risks and consequences of the attack

🔓 High impact on trust and privacy

The leak revealed extremely sensitive images, including official identity documents, posing risks of impersonation, extortion, or public exposure without consent.

Tea, positioned as a “safe” app, has lost credibility at the core of its mission.

⚖️ Legal and reputational implications

There may be liability for defamation or invasion of privacy, especially if inaccurate or harmful data about individuals is published.

This vulnerability exposes Tea to regulatory scrutiny and potential penalties for mishandling sensitive data.

Key lessons and best practices for dating apps

✅ Essential cybersecurity practices

  • Automatically delete unnecessary data after identity verification
  • Migrate legacy systems and sensitive data to updated, secure infrastructure
  • Restrict access to storage (e.g., buckets) and enforce mandatory authentication
  • Conduct regular security audits and penetration tests
  • Maintain human oversight over AI-generated code, avoiding insecure default settings
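The bucket exposure described above and the "restrict access to storage" lesson come down to one configuration artifact: the Firebase Storage security rules. The following is an added illustration, not Tea's actual configuration or any code from the company; the path names (`verification/`, `posts/`, `legacy/`) and the 5 MB limit are assumptions chosen for the example. The first ruleset is the kind of open "test mode" rule that leaves every object readable and writable by anyone with the bucket URL; the second denies everything by default and opens only the narrow paths the app needs.

```firebase
// --- WEAK: open bucket, the failure mode discussed in the article ---
// Any unauthenticated client can list, download, overwrite or delete every object.
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if true;
    }
  }
}

// --- HARDENED: default deny, authenticated and owner-scoped access only ---
// Paths under verification/, posts/ and legacy/ are assumptions for this example.
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {

    // Identity-verification uploads (selfies, ID photos).
    // Only the authenticated owner may upload, with size and type limits.
    // Nobody reads them through the client SDK: the verification backend
    // uses the Admin SDK, which bypasses these rules, and deletes the files
    // once the check is complete (retention is enforced server-side).
    match /verification/{uid}/{file} {
      allow write: if request.auth != null
                   && request.auth.uid == uid
                   && request.resource.size < 5 * 1024 * 1024
                   && request.resource.contentType.matches('image/.*');
      allow read: if false;
    }

    // Images attached to posts and comments: readable by signed-in users,
    // writable only by the user whose uid is in the path.
    match /posts/{uid}/{file} {
      allow read: if request.auth != null;
      allow write: if request.auth != null
                   && request.auth.uid == uid
                   && request.resource.contentType.matches('image/.*');
    }

    // Legacy data awaiting migration: no client access at all until it has
    // been moved into the new layout above or deleted.
    match /legacy/{allPaths=**} {
      allow read, write: if false;
    }

    // Anything not matched by a rule above is denied by default.
  }
}
```

Two points worth checking when reviewing rules like these: the Admin SDK and service accounts bypass Storage rules entirely, so the "nobody reads verification images" guarantee only holds if backend credentials are also locked down; and `allow read` covers listing as well as downloading, which is why an open `{allPaths=**}` rule lets an attacker enumerate a whole bucket rather than just fetch a file whose name they already know.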

What affected users can do

If you registered before February 2024, it is recommended that you:

  • Check whether your images are circulating publicly
  • Report suspicious posts on forums or social media
  • Contact Tea for information about the breach, mitigation efforts, and data removal
  • Take personal security measures to avoid impersonation, extortion, or phishing

🛡️ Protect your platform before it’s too late

In an increasingly exposed digital environment, good intentions aren't enough—real, applied, and proactive security is essential. At Apolo Cybersecurity, we help companies, startups, and digital platforms prevent breaches like the one suffered by Tea, with a practical approach tailored to each business.

What do you get with our free consultation?

✅ Review of your current systems and exposure points
✅ Initial risk analysis tailored to your digital infrastructure
✅ Specific recommendations to protect sensitive user data
✅ Compliance assessment (GDPR, ENS, NIS2)
✅ Guidance on technical and organizational security measures

Prevention costs less than recovery. Don’t put your users’ trust or your brand’s reputation at risk.

🎯 Request your free consultation now, with no commitment, and receive a personalized initial cybersecurity report:

