Forbidden Skill #149 Dating App Privacy Practice: Clients & Businesses

Tea—also known as Tea Dating Advice—is a women-only, anonymous dating-safety app that gained popularity in 2023 and became one of the top free apps on the U.S. Apple App Store by mid‑2025


7/31/2025

Tea is a women-only, anonymous dating-safety app that gained popularity in 2023 and became one of the top free apps on the U.S. Apple App Store by mid‑2025. It’s designed to help women vet men they’ve dated or plan to date, share “red flag” warnings, run informal background checks, and seek advice or solidarity within a community of other women.

The popular women-only dating safety app, Tea, is now under intense scrutiny following a massive data breach that exposed tens of thousands of user ID photos and over a million private messages. The app, designed to help women anonymously share experiences and warnings about men they've dated, now faces backlash for failing to protect its users’ most sensitive data.

The breach, which came to light earlier this month, affected users who joined the platform before February 2024 and had submitted identity documents such as driver's licenses for account verification. A misconfigured Google Firebase storage system left this sensitive data publicly accessible. Investigators say that images of roughly 3,000 government-issued IDs and selfies were exposed, along with 59,000 user-uploaded images, including those from posts, comments, and private messages, and 1.1 million private messages.

Among the leaked content were personal messages describing abusive relationships, instances of assault, infidelity, and emotionally vulnerable disclosures. Some messages also contained users’ real names, phone numbers, and links to their social media profiles—raising serious concerns about the potential for harassment, stalking, and identity theft.

Tea’s founders have since taken the app’s direct messaging system offline and notified law enforcement, including the FBI. Impacted users have been offered free identity protection services, and the company has launched an internal security audit. Despite these efforts, the damage may already be done for thousands who trusted the app to keep their identities and stories private.

How the Breach Happened

The leak appears to stem from legacy systems that were still storing user data collected during sign-up. Although Tea’s policy claimed all identity documents would be deleted after verification, many of these files remained accessible due to lax security protocols. Attackers discovered that by using internal API keys or directly accessing the unprotected Firebase storage bucket, they could retrieve these sensitive files.

A second exposure—discovered shortly after the image leak—revealed that direct messages sent between users since early 2023 were also accessible without proper authorization. The cumulative impact of both incidents marks one of the most significant privacy failures in the history of dating-related apps.
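The two failures described above, identity documents kept after verification and files readable without authorization, can be caught by a routine storage audit. The sketch below is an added example, not code from Tea or from the original post; the object inventory, the `verification/<user>/<file>` path layout, and the 24-hour deletion window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample inventory (not real data). "public" marks an object that
# the bucket's current rules allow to be read without authentication.
INVENTORY = [
    {"path": "verification/u1/license.jpg", "public": True},
    {"path": "verification/u2/selfie.jpg", "public": False},
    {"path": "verification/u3/passport.jpg", "public": False},
    {"path": "verification/u4/id.png", "public": False},
    {"path": "posts/p9/photo.jpg", "public": True},
]
# Constructed verification state: user id -> completion time (None = still pending).
VERIFIED_AT = {
    "u1": "2023-11-03T10:00:00+00:00",
    "u2": None,
    "u3": "2025-07-30T08:30:00+00:00",
}
SENSITIVE_PREFIX = "verification/"  # assumed layout: verification/<user>/<file>
GRACE = timedelta(hours=24)         # assumed deletion deadline after verification


def audit(inventory, verified_at, now):
    """Return (path, finding) pairs for identity documents that break policy."""
    findings = []
    for obj in inventory:
        path = obj["path"]
        if not path.startswith(SENSITIVE_PREFIX):
            continue  # only identity documents are in scope for this check
        if obj["public"]:
            findings.append((path, "PUBLIC_READ"))
        user = path.split("/")[1]
        if user not in verified_at:
            # Legacy leftover: no account record, so no job will ever delete it.
            findings.append((path, "ORPHANED"))
            continue
        done = verified_at[user]
        if done and now - datetime.fromisoformat(done) > GRACE:
            findings.append((path, "RETAINED_AFTER_VERIFICATION"))
    return findings


if __name__ == "__main__":
    as_of = datetime.fromisoformat("2025-07-31T00:00:00+00:00")
    for path, finding in audit(INVENTORY, VERIFIED_AT, as_of):
        print(f"{finding:28} {path}")
```

Any finding on an identity document should block a release or page the on-call owner, since a stated deletion policy is only as good as the job that enforces it.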

What Could Users Have Done Differently?

While the primary responsibility lies with the app’s developers and infrastructure, privacy advocates say users can take steps to protect themselves on apps that require identity verification or expose personal information.

1. Use a Passport Instead of a Driver’s License
When ID verification is required, a passport may be a safer choice than a driver’s license. Unlike licenses, passports typically exclude your home address, reducing the risk of physical doxxing in case of a leak.

2. Use an Alias or PO Box Address
Some apps may collect mailing addresses for verification or profile purposes. In these cases, consider using a PO Box or alias address—such as one provided through a virtual mailbox service—to avoid exposing your actual residence.

3. Register with a Burner Phone Number
Apps that request or verify phone numbers can be navigated safely by using burner phone apps or secondary phone numbers, such as those provided by Google Voice, MySudo, or Burner. This ensures your primary number stays private, even if app databases are breached.

4. Avoid Linking Social Media or Email with Identifiable Info
Be cautious about linking external accounts, even for sign-in convenience. If a breach occurs, these connections can lead attackers directly to your online presence.

The Bigger Picture

The Tea App was built on a noble premise: to provide a private, women-only space for sharing experiences and warning others about potentially dangerous individuals. But the very nature of its mission also means that users are trusting it with their most sensitive information. That trust has now been broken.

Cybersecurity experts warn that as more apps handle sensitive data—especially those tied to identity verification or community-driven accountability—they must do more to secure backend systems and provide transparency around data retention policies.

As for users, the events surrounding the Tea App breach serve as a stark reminder that privacy online is never guaranteed. Taking proactive steps to obscure personally identifiable information could be the difference between safety and serious personal risk.

What to Do If You Used Tea Before February 2024

  • Monitor your credit and online presence using identity protection services.

  • Request a replacement for any driver’s license that may have been exposed.

  • Change any passwords or linked accounts used with the Tea App.

  • Report any threats or suspicious behavior to law enforcement.

If you're considering using apps that require verification or handle sensitive topics, be sure to ask: What do they really do with your data? And what can you do to stay a step ahead?

Thank you for visiting.

I specialize in corporate training and supplying security, privacy, and asset management products as well as private consultations and general custom group & corporate training for individuals, professionals, & businesses.

Find me on IG @ReadyResourceSupply

If you have any questions please don’t hesitate to message me, thank you!