Tea app data theft scandal worsens as stolen IDs leaked to cybercriminal forum
Cybercriminals began sharing thousands of stolen driver’s license photos this weekend after hackers breached storage tools used by a popular app for women called Tea.
Company officials confirmed reporting from 404 Media that someone gained unauthorized access to one of the app’s systems early on Friday morning.
The app was built to allow women to search men they date and find out about any past misdeeds, current partners or worse. In order to sign up, users have to upload a photo of themselves. Thousands of people simply shared an image of their driver’s license.
A company spokesperson told Recorded Future News that preliminary findings from an investigation indicated that someone breached a “legacy data storage system containing information from prior to February 2024.”
“Approximately 72,000 images – including approximately 13,000 images of selfies or selfies featuring a photo identification submitted during account verification and 59,000 images publicly viewable in the app from posts, comments and direct messages – were accessed without authorization,” the company said. “Only users who signed up before February 2024 were affected.”
Many of the app’s users were incensed online because on the app page asking for personal images, the company pledged to delete them once a verification process is completed.
The company said the data that was stolen was originally archived as a compliance measure due to what it claimed were “law enforcement requirements related to cyberbullying prevention.” A spokesperson declined to respond to several follow-up questions about the specifics of the data storage tool used, whether the hacker reached out with a ransom and more.
The Tea app said it has hired cybersecurity experts and is working to secure its systems.
Concern grew on Friday when online communities antagonistic to women and the mission of the app descended on platforms like 4chan and X to announce the theft of Tea user data.
One 4chan post claims user verification submissions were stored in a public Firebase storage bucket that did not require authentication. Firebase is a mobile and web application development platform developed by Google.
Several other experts confirmed that the storage bucket was publicly accessible before the controversy emerged.
The situation escalated on Saturday and Sunday, when some people online began collating the data and using the state IDs to map out the location of Tea’s users. Some users were traced back to U.S. Army bases and before long, batches of the data appeared on cybercriminal forums.
At least one cybercriminal forum post said 55 GB of selfies and identification documents were available.
The app has garnered controversy for accusations that it trafficked in unverified, damaging information about men that could negatively impact them. But it became wildly popular over the last few months, with millions of new users signing up.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.