I Knew the Tea App Was a Problem, but I Didn’t Expect a Data Leak

If you’ve been paying attention to social media lately, you may have heard some recent buzz about Tea, an app that works like Yelp, but instead of rating and reviewing restaurants and stores, women judge the men they know. The app has been around since 2023, but for reasons I don’t understand, it shot to the top of Apple’s App Store this week. When I first heard about it, I thought it was a terrible idea. And today, my intuition was confirmed — albeit in a different way than I expected.

It appears that users of 4chan and Reddit successfully orchestrated a data leak by obtaining and distributing user verification images, including driver’s license photos, that women had submitted when signing up for the service. A spokesperson for the app confirmed to me that “Tea discovered unauthorized access to one of [its] systems and immediately launched a full investigation to assess the scope and impact.” Preliminary findings from that investigation indicate that “the incident involved an outdated data storage system containing information dating back more than two years. Approximately 72,000 images, including approximately 13,000 selfies and IDs submitted during account verification, and 59,000 publicly viewable images on the app from posts, comments, and private messages, were obtained without permission.”

Basically, it all happened very quickly, and the app went from viral popularity to being hacked in just a few days. Unfortunately, I had already sent my image for verification, as I was going to write about the app that had suddenly become ubiquitous. While I am still technically writing about it, it annoys me that I might be included in the list of victims, although it seems that newly created accounts may be safe (for now).

If this is all news to you, let me, as they say, shed some light on the situation.

What is the Tea app?

Tea is an app that launched two years ago and went viral this week, becoming the most downloaded free app in the Apple App Store. Its tagline is “Safe Dating for Women.” It says, among other things, that users can “check backgrounds,” “spot a potential scammer,” and “make sure he’s not a sex offender.” A notable feature is the ability to assign a red or green flag to a man, similar to how you would add a like or a laughing emoji to someone’s Facebook status. This way, Tea says, you can “find verified men with a green flag” and avoid men with a red flag.

In practice, it works like this: Women log into the app under anonymous names to rate and review men they’ve interacted with. You can search for a man to see what other women have said about their supposed experiences with him. The idea is that women can use the service to vet someone before a first date, learn more about a man before committing to a serious relationship, or find out if a boyfriend is cheating. Men aren’t allowed to register accounts on the app at all, so they have no say in what’s said about them or others.

It works similarly to the “Are We Dating the Same Guy?” Facebook groups and forums that have popped up in major cities in recent years, giving women another way to discuss the men they’ve dated while maintaining some degree of anonymity. I’ve never been a fan of these groups myself, because while I recognize the value of being able to identify abusers, cheaters, and scammers, and personally know women who have used these groups for just that purpose, including one who received a tip that helped her find legal documents supporting previous domestic violence allegations against her now-ex, I worry that the lack of any semblance of due process could seriously damage the reputations of innocent people.

I’m not advocating for victims to remain silent about their abuse, but it’s not hard to imagine that a post about a man with a history of violence or narcissism could have been written by a jealous friend, a rival co-worker, or a jilted (but otherwise unharmed) ex. Reluctance to inadvertently join the misinformed crowd has usually kept me away from such communities, but when I saw people complaining about Tea on social media last night, my interest was piqued, and I downloaded the app to see what all the fuss was about.

Data collected and what we know about the hack

When I tried to create an account, I was first greeted with a screen saying that the app is completely anonymous and that screenshots cannot be taken. I took a screenshot of the message to check, but it was empty in my camera roll. (You know that old saying that if you have to do something secretly, you probably shouldn’t do it? Yep.)

Then Tea asked me to prove I was a woman. Ignoring the strictures of that rule (and the potential repercussions for LGBTQ+ people) for now, I took a selfie with the app’s built-in camera. It was gross—I’d just finished my weekly at-home facial—but that’s what I get for getting into this mess. But I digress. (Not really: The fact that I’m upset that someone might see something unflattering and personal about me without my consent kind of highlights the problem with the app’s very premise.)

As noted, Tea issued a statement to me and our friends at CNET saying that the hacked photos were from a “legacy data system” containing information more than two years old, and that there was “no evidence” that more recent images or information had been leaked. Frankly, that doesn’t make me feel any better. The worst case scenario, in my opinion, is that the information is incorrect, and new photos have already emerged to support it. The best case scenario is that the data of another 13,000 users will be exposed. However, a Tea spokesperson says that the app developer has “engaged outside cybersecurity experts” and is working to secure the system.

“Protecting our users’ privacy and data is our top priority. Tea is taking all necessary steps to ensure the security of our platform and prevent further breaches,” she says. “We are committed to transparency and will provide updates as new information becomes available.”

Eventually, after I took the photo, the app offered me free lifetime access by inviting three other women. I sent one invitation to my phone number and two to my friends, adding the message: “Testing for work, ignore.” One of them was interested and downloaded the app. Now she’s worried about being hacked, too, and it’s my fault. When you lie with dogs…

I haven’t had a chance to try Tea yet.

After submitting my selfie, I was put on a waiting list until, presumably, someone at Tea confirmed that my photo was feminine enough for their liking. I remained on that waiting list from 7pm yesterday until today, but where the app once showed a message asking for verification, all I see now is a spinning loading icon. While the app is still available for download, my registration process appears to have stalled, though I can’t say for sure if that has anything to do with the data breach. (I’ve asked for clarification and will update this story when I hear back.)

In any case, I was never asked to provide a photo of my ID, although I’m not sure if this was the next step after I got off the selfie waitlist, or if this level of verification gradually gave way to selfies in the app. However, from what I’ve seen on social media, it’s full of ID photos of Tea users.

At some point I may still be able to access the app, and I’ll provide an update on how it’s doing then.

I saw the disaster coming.

While I didn’t expect internet reactionaries who opposed Tea’s very raison d’etre to commit a data leak out of revenge, I had a feeling things were going bad the moment I saw a few viral posts about the app. At the risk of sounding like an older millennial, I’ve been there before. In late 2013, I tried an app called Lulu, which did much the same thing. It also initially blocked men from access, and women could essentially link a man’s Facebook profile to his Lulu page without his consent. Lulu was a little more feminine and gossipy, while Tea was, they said, more security-conscious, but the basic idea was similar.

Lulu has been unavailable since a 2016 acquisition that removed the man-rating feature and then quietly disappeared from the app store. However, the app underwent a major overhaul over the years in response to initial criticism. It eventually gave men access and the ability to opt out of being rated. (Other man-rating services have also come under fire: At least one man has filed a lawsuit over his inclusion in the “Are We Dating the Same Guy?” group.)

I think the reason Tea turns me off so much is because I used Lulu in college. It revealed some unpleasant and disappointing things about some of the men in my life, but honestly, I wouldn’t have even downloaded the app if I hadn’t already had my suspicions. So what was the point of invading their privacy just to confirm what I already felt when I didn’t know? Lulu didn’t allow for detailed comments, but it did offer users a variety of coy hashtags to use to describe a man, from #GlobeTrotter to #TotalF—ingDickhead. It felt needlessly vindictive, and to make matters worse, I wasn’t just using it to evaluate potential romantic partners; out of curiosity and selfishness, I even invaded the privacy of my platonic male friends, who were horrified to learn (from me) that they had nonconsensual profiles on an app they’d never even heard of. Seeing how they had insulted themselves, I deleted the app out of guilt.

Don’t judge people

Any “Yelp for People” concept is always going to be a terrible idea, especially when it’s clumsily tied to the archaic idea that dating is nothing more than a confrontational battle of the sexes rather than a good-faith attempt to get to know potential partners who could enrich your life and delicately sidestep those who can’t.

But even foreseeing the catastrophe, I had no idea how quickly Tea would collapse, or how poetically, although of course I disagree with the publication of women’s driver’s license photos as categorically as (or even more so than) with the anonymous rating of men’s personalities. You could say that Tea’s users have tried the medicine themselves, but it is a medicine that no one should have taken in the first place.
