Hackers have breached the Tea app, which recently went viral as a place for women to safely talk about men, and tens of thousands of women’s selfies and photo IDs have now seemingly been leaked online.
A spokesperson confirmed the hack Friday afternoon. The company estimates that 72,000 images, including 13,000 verification photos and images of government IDs, were accessed.
Tea is designed to function as a virtual whisper network for women, allowing them to upload photos of men and search for them by name. Users can leave comments describing specific men as a “red flag” or “green flag,” and share other information about them.
It’s gained such popularity in recent weeks that it briefly became the top free app in the Apple App Store.
Signing up for Tea requires users to take selfies, which the app says are deleted after review, to prove they are women. All users who get accepted are promised anonymity outside of the usernames they choose. Taking screenshots of what’s in the app is also blocked.
The hacker accessed a database from more than two years ago, the Tea spokesperson said, adding that “This data was originally stored in compliance with law enforcement requirements related to cyberbullying prevention.”
The Tea spokesperson said that the company has hired third-party cybersecurity experts and is “working around the clock to secure our systems.”
“Protecting our users’ privacy and data is our highest priority. Tea is taking every necessary step to ensure the security of our platform and prevent further exposure,” the spokesperson said.
On Monday, 404 Media, which was the first outlet to report the initial data breach, also reported that a second security issue had enabled access to more than 1.1 million user direct messages, spanning from early 2023 to last week. Some of those messages contained intimate personal information that made it easy to find users’ identities, according to the report.
“As part of our ongoing investigation into the cybersecurity incident involving the Tea App, we have recently learned that some direct messages (DMs) were accessed as part of the initial incident,” the Tea spokesperson confirmed on Monday. “Out of an abundance of caution, we have taken the affected system offline.”
It’s not clear if that second set of user data has leaked online. Kasra Rahjerdi, the cybersecurity researcher who brought the second breach to Tea’s attention, told NBC News that he could tell other people had previously obtained access to that database, but it’s unclear if any of them downloaded it. The vulnerability has since been fixed, Rahjerdi said, but while he had access to the database he could have sent push notifications to a number of users.
The company is now working to identify users whose personal information was compromised, the spokesperson added, and it plans to offer free identity protection services to those users.
The app’s popularity has angered some men, and prompted a thread Thursday evening on the right-wing troll message board 4chan, in which users called for a “hack and leak” campaign. The company became aware of the initial incident early Friday, the spokesperson said.
A 4chan user posted a link Friday morning, allegedly allowing people to download the database of stolen images, and troves of alleged victims’ identification photos have been posted on 4chan and X.
NBC News has not verified the authenticity of the photos or their provenance.
On Google Maps, a user has created a map that purports to show the locations of Tea users who were affected by the hack, though there are no names attached to the coordinates posted.
The Tea app’s creator, Sean Cook, said on its website that he was inspired after he watched his mother’s “terrifying experience with online dating,” including being catfished and unknowingly dating men with criminal records.
On Tea, users can run background checks, search for criminal histories and reverse-search photos to check whether a man is catfishing.
The app also claims to donate 10% of its profits to the National Domestic Violence Hotline. (The hotline confirmed to NBC News that the company is a donor.)
Some men have said in online posts that they fear being misrepresented or doxxed on the platform. Others, including some users of the app, have also raised concerns that the app could lead to harmful cyberbullying unrelated to actual safety concerns.
In a few online forums, men have floated the idea of creating their own men-only version of the app as payback for women’s use of Tea. One such app, called Teaborn, quickly ignited backlash after its creator called users out for posting revenge porn. The app has since been removed from the App Store.
Tea said in an Instagram story last week that new signups surpassed 2 million in the span of days. Many who have posted on the app’s Instagram page said they remain on the app’s waitlist, although several commenters have expressed concerns about their data privacy in the wake of the hacking news.