Tea app data breach exposes 72,000 images including government IDs — and the PR response made it worse
Jul 28, 2025
Key Points
- Tea, a dating safety app, exposed 72,000 images including 13,000 government IDs in a publicly accessible database dating to before February 2024, creating immediate identity theft and safety risks for predominantly female users.
- Tea's crisis response—issued at 4:44 a.m. with no apology, deflective language about 'legacy' infrastructure, and false claims users couldn't be identified—transformed operational negligence into a reputation disaster.
- Despite the breach, Tea ranks number two in the app store's lifestyle category, with the viral hack paradoxically driving new downloads and sparking unverified conspiracy theories about inflated user metrics.
Summary
Tea, a dating safety app that lets women report red flags about men they're dating, suffered a data breach exposing 72,000 images including 13,000 government-issued IDs and selfies. The data was stored in a publicly accessible Google Firebase database dating back to before February 2024. Tea's crisis response has become a textbook example of how not to handle disclosure.
Tea's statement, issued at 4:44 a.m. PST on July 25, deployed every corporate evasion tactic available. It offered no apology, blamed a "legacy data storage system," and claimed to have "no evidence to suggest that photos can be linked to specific users." That claim collapses immediately when the leaked data consists almost entirely of government photo identification. The statement also included run-on sentences, syntax errors, and vague corporate language like "robust and secure solution" that conveys nothing.
The breach is genuinely dangerous. Tea's users are predominantly women checking on men they're dating, a behavior that, if exposed, reveals something intimate about the user's relationship insecurity. Government IDs tied to selfies and addresses create an immediate safety risk. Bad actors now have photos, names, dates of birth, driver's license numbers, and locations for thousands of women. People online have already built Google Maps pins showing where leaked users are located and created leaderboard-style galleries of the exposed photos.
What makes the response worse than the breach itself is the dishonesty. Firebase is a lightweight backend platform designed for fast development, a reasonable early choice for a startup. Tea's statement deflects by calling it "legacy" infrastructure while avoiding the core problem: the data was publicly accessible. It wasn't hacked in the traditional sense. Tea simply didn't secure it.
The timing adds another layer of irony. Tea had gone viral recently, reaching the top of the app store's lifestyle category and reportedly hitting 60 million users. The app's founder previously worked as a product leader at Salesforce. Days before the breach became public, a post circulated noting the contrast between dismissing big tech PMs as merely changing button colors and the actual difficulty of reaching the top of app charts. The post got 10,000 likes. Within days, Tea became a case study in how product talent alone cannot protect users from operational incompetence.
The company is now facing potential class action litigation. Affected users have clear damages: public embarrassment, safety concerns, and identity theft risk. While proving direct monetary harm is harder, the reputational and legal exposure is real.
Despite the breach, Tea remains ranked number two in the lifestyle category on the app store, after ChatGPT at number one. The viral nature of the hack appears to be driving new downloads. Some users are treating the leak as perverse visibility, with jokes about taking better selfies in case their photos eventually leak.
A conspiracy theory circulating on Hacker News suggests the data might be fabricated as part of investor fraud: that Tea inflated user numbers with fake accounts, generated synthetic data, and engineered a leak to create a narrative justifying the metrics. The theory rests on the observation that if 75,000 real women had their government IDs exposed, at least one would likely post about being targeted by trolls. The absence of widespread victim testimonies is cited as suspicious. However, this remains unverified speculation. The IDs circulating online appear to be real, and generating synthetic government ID images at scale to fool observers would itself be a sophisticated and costly operation.