Tea is (was?) an extremely popular "dating safety" app designed for women, who typically upload pictures of men they have dated, recount their experience, and highlight red flags. The app maintains exclusivity to women by requiring all its users to submit a selfie and government identification during the sign-up process. It was the target of a major breach a couple of days ago due to a Firebase bucket being left publicly exposed, leaking the identification data and other sensitive information for thousands of users. Now, the app has been struck with a second cybersecurity incident, and it is arguably bigger than the first.
404 Media reports that a second database has leaked and it contains about 1.1 million chat messages discussing some sensitive topics that people likely wouldn't want to make public. These include topics like cheating partners, abortions, and unfaithful boyfriends. The messages span from 2023 to last week, but the impact and scope of the leak are unclear. The person who discovered the database noted that practically any user could access the repository using their own API key.
In a statement to Bleeping Computer, Tea has confirmed the second breach too, noting that "some" direct messages (DMs) have been exposed. The company has decommissioned the affected system for now, but claims that other infrastructure remains unaffected. It has emphasized that it will invest efforts in the coming days to improve its cybersecurity posture, but did not share any further details at this time. The service will also be reaching out to its affected customers and offering them free identity protection services as a sort of apology.
These cybersecurity incidents further highlight the need to be vigilant when sharing identifiable information online, especially with apps that are very new to the market and have not yet matured. Security researchers and analysts have cautioned the public that it is very possible to locate social media profiles of Tea users due to all the data that has been leaked.