Viral Tea App Has Had a Second Data Leak, and It’s Even Worse

Last week, the two-year-old social media app Tea, which functions as a Yelp-like platform where women can anonymously rate and review real men who can neither access nor respond to the app, experienced a massive viral surge that propelled it to the top spot on Apple’s App Store’s list of most downloaded apps. But days later, the app suffered a major data breach that exposed years of user data. Now, reports have emerged of a second breach, and it’s even worse.

The app said last week that the leaked data dated back about two years, and that information about users who joined later did not appear to be included. However, a new report from 404 Media suggests that the second breach exposed private messages and other data as recent as last week.

The second data leak included more recent information.

According to a report by 404 Media, independent security researcher Kasra Rahjerdi reported a second breach, noting that “hackers were able to access messages between [Tea] users discussing abortion, cheating partners, and phone numbers they sent to each other.” This leak appears to be from a different database than the one discovered last week, and it contained much more up-to-date information.

During last week’s breach, hackers were able to view and distribute verification images, including driver’s license photos, that women submitted when signing up for the service. A spokesperson for Tea Dating Advice, Inc. confirmed to me that the app “detected unauthorized access to one of [its] systems and immediately launched a full investigation to assess the scope and impact.” Preliminary findings from the investigation indicate that “the incident involved an outdated data storage system containing information dating back more than two years. Approximately 72,000 images, including approximately 13,000 selfies and identifying photos submitted during account verification, and 59,000 publicly viewable images on the app from posts, comments, and direct messages, were accessed without permission.”

The spokesperson added: “There is currently no evidence that current or additional user data has been affected.”

After receiving this new information, I contacted Tea again today. A company representative said they had no further comment at this time.

What could the breach mean?

In its report, 404 Media makes it clear that the security flaw was discovered and flagged by an independent researcher, but there’s no way to know who else may have discovered it without reporting it to the media. The outlet confirmed that the database contained personal, potentially sensitive information not only about the women communicating on the app, but also about the men they discussed. Some women shared phone numbers and personal details about their communications with men, accusing them of inappropriate behavior. While Tea encourages users to create anonymous names, 404 Media reported that it’s easy to link at least a few messages to real people.

What does this mean for users of the app? At this point, it is impossible to say whether this information has reached anyone else or whether it has been uploaded elsewhere. However, the information available is quite sensitive, and given that Tea users rely on the app's anonymity, this news is naturally upsetting to anyone who may have shared intimate details through the app.

What You Need to Know About Tea

If this is the first time you’ve heard of Tea, congratulations, because that means you’re not as internet-obsessed as I am. I hope you had a great weekend doing all sorts of things in real life. But whether you know a lot about Tea, little, or nothing at all, let me give you a quick rundown of this ill-fated app.

As noted, Tea is a Yelp-style social network that only women can join. To join, users must submit a photo verification stating that they are women (though it’s unclear how this works or what the implications are for LGBTQ+ or gender non-conforming people who might sign up). Once approved, users can search for men by name, find people they know, and leave comments about them. Users can also simply add a “red flag” or “green flag” reaction to a man. The number of red or green flags is meant to indicate to other women looking for him whether he’s a good guy or a bad guy. Like the Rotten Tomatoes ratings, there’s very little room for nuance.

In theory, men can’t access the app, so they have no recourse if they’re drowning in alarms and warnings on Tea. What’s more, they may not even know that the app has a dedicated page for them. That’s notable given that Tea announced last week that it had received more than 2.5 million new requests to join the app. That means a man’s profile is potentially visible to millions of women, whether or not he knows it exists.

Sure, you could argue that if someone doesn’t want to be a “red flag,” they should act like a “green flag.” But the lack of due process can certainly cause serious reputational damage to men who may or may not deserve it. While the app’s tagline is “Safe Dating for Women,” and it says, among other things, that users can “check backgrounds,” “spot a potential scammer,” and “make sure he’s not a sex offender,” the ability to anonymously leave comments about men is a big perk, and a big downside when used for selfish reasons to slander someone who doesn’t deserve it.

I certainly acknowledge that warning women about rapists, violent men and cheaters is a good and safe thing to do, and that rating people anonymously and not having to provide any evidence for the accusations you make against them publicly is potentially very bad.

And, of course, the fact that thousands of women’s photos and private messages were stored so insecurely by Tea that it led to multiple data breaches is very bad. No one wins here.
