The women-focused Tea Dating Advice app suffered a data breach leading to the leak of thousands of personal images belonging to its users, the company said in a July 26 Instagram post.
“At 6:44 a.m. PST on 7/25, we identified unauthorized access to our systems and immediately launched a full investigation,” the company said in an official statement.
“A legacy data storage system was compromised, resulting in unauthorized access to a dataset from prior to February 2024.
“This dataset includes approximately 72,000 images, including approximately 13,000 selfies and photo identification submitted by users during account verification, and approximately 59,000 images publicly viewable in the app from posts, comments, and direct messages.”
Tea aims to “revolutionize dating safety” for women by providing them with necessary tools, insights, and community, according to the company, which said the app has more than 4.64 million users.
“With features like Reverse Image Search to catch catfish, Phone Number Lookup to check for hidden marriages, and Background Checks to uncover criminal records, Tea ensures that women have the information they need before meeting someone new,” the company said.
Tea clarified that no email addresses or phone numbers were stolen in the breach and said only users who signed up for the app before February 2024 were affected.
According to the company’s privacy policy, when users submit a selfie for verification purposes, it is “securely processed and stored only temporarily and will be deleted immediately following the completion of the verification process.”
In its statement, Tea said the selfies were archived to comply with law enforcement requirements related to preventing cyberbullying.
“At this time, we have no evidence to suggest that photos can be linked to specific users within the app,” the company said.
The data leak was earlier reported on the 4chan forum. However, an archived version of the 4chan post said that “Tea App uploads all user verification submissions to this public firebase storage bucket,” suggesting that the information was publicly available, with no authentication required to access it.
The Epoch Times reached out to Tea for comment but did not receive a response by publication time.
Guessing the Location of Users
The app initially required selfies and IDs during registration to ensure that only women were signing up for the app, Tea said, noting that the ID requirement was removed in 2023.
According to Tea, during the early stages of developing the app, some of the legacy content was not migrated into the newer and more secure system. The hacker was able to access a link where this data was stored.
“We have engaged third-party cybersecurity experts and are working around the clock to secure our systems,” the company said. “At this time, we have implemented additional security measures and have fixed the data issue. We are currently working to determine the full nature and scope of information involved in the incident.”
Tea is listed as the second-most popular free app on iPhone as of July 28, according to App Store data, and as the No. 1 free app in the lifestyle category.
The Tea hacking incident raises questions about the safety of private information in the digital dating space. An Aug. 12 study published in the ACM Digital Library that analyzed 15 location-based dating apps concluded that these apps posed “significant data privacy risks.”
The study found that six apps—Grindr, Happn, Badoo, Bumble, Hinge, and Hily—were vulnerable to “trilateration,” a method used to approximately guess the location of users.
Many of the apps in the analysis “routinely expose personal data to other users,” the study reads.
“While users may feel compelled to share such data, there is a particular risk when APIs leak data hidden in the [user interface] as well as exact user locations, as users will not be aware that they are sharing this data, which can lead to additional harm,” it reads.
“Additionally, the apps’ privacy policies generally fail to inform users about these privacy threats and leave the burden of protecting personal (sensitive) data to the users.”
A major dating breach scandal occurred in 2015 when hackers claimed to have leaked a massive database of users from Ashley Madison, a dating website for married people.
In 2016, the Federal Trade Commission took action against Ashley Madison for the data breach, which exposed the profile information of 36 million users, according to a Dec. 14, 2016, statement.
Ashley Madison settled the case by paying $1.6 million and agreed to implement robust data security practices.