A new data leak at Tea, a women-only dating app, has exposed over 1.1 million private messages, further worsening an already serious cybersecurity crisis. The leaked messages include extremely sensitive content all of which were publicly accessible online until recently.

Independent security researcher Kasra Rahjerdi confirmed the extent of the exposure, telling 404 Media that the vulnerability allowed any malicious actor to access users’ private chats and even send push notifications through the app.

“You could literally look at people’s direct messages, real-time conversations, and even send them push alerts,” Rahjerdi said.

Tea, founded in 2023, quickly gained traction as a space for women to anonymously review men they’ve dated. But that mission has been severely undermined by back-to-back breaches.

The First Breach: IDs, Photos, and User Posts Leaked

Just last week, Tea suffered its first major security incident when links to its cloud database - containing photo IDs, selfies, and images from users' posts and comments - were posted on 4chan, an anonymous image board notorious for data dumps.

The initial breach included around:

• 13,000 selfies and government-issued IDs used for account verification
• 59,000 additional images from posts, comments, and direct messages

Tea responded with an official statement stating that the breach only affected users who signed up before February 2024.

However, that statement didn’t hold up.

The Latest Breach: Real-Time Chats Leaked

In the newly discovered data breach, messages were found that were as recent as last week, directly contradicting Tea’s initial assurance. The database included real names, phone numbers, social media handles, and personal experiences. With basic online search, individuals mentioned in the chats could be identified.

Following the second breach, Tea has:

• Temporarily disabled its direct messaging feature
• Taken the affected system offline entirely
• Promised to offer free identity protection services to affected users

Why This Breach Matters for All Businesses

Even if your business isn’t in the dating or social media space, this breach offers crucial lessons on the risks of poorly managed data infrastructure and the price of losing user trust.

Here’s what businesses must take away from this incident:

• Audit and Secure Your Cloud Infrastructure

Most breaches today stem from misconfigured or open-access cloud databases. Perform regular cloud security audits, restrict public access, and enforce least privilege policies.

• Encrypt Personal Data End-to-End

If your platform supports direct messaging or stores sensitive information, use end-to-end data encryption. This ensures only the sender and recipient can read messages — not even your servers.

• Limit Data Collection

Only collect the data you absolutely need. The less data you store, the smaller your risk surface. Do you really need full photo IDs or real-time chats stored unencrypted?

• Run Penetration Tests Regularly

Hire external security teams to simulate real-world attacks. These pentests help identify vulnerabilities before hackers do.

• Establish a Breach Response Plan

Swift and transparent communication is critical as well as implementing recovery strategies. If a breach occurs, notify affected users immediately, offer support, and be clear about what happened.

Final Thoughts

The Tea App breach is a cautionary tale for any business handling user data, especially sensitive information. As 404 Media’s report shows, trust once broken is hard to rebuild.

Whether you run a fintech platform, an e-commerce store, or a SaaS product—protecting your users must come first.

Loved this? Subscribe to the Cyberkach blog for more.