The women-only dating safety app Tea, which was developed as a secure platform for women to verify, report, and discuss experiences with potential dates, has come under scrutiny following a massive security breach. Designed to empower users by enabling background checks, reverse image searches, and anonymous reporting of “red flags,” Tea had become increasingly popular—garnering millions of downloads and active users. However, the platform’s promise of privacy and safety was shattered when cybercriminals accessed and leaked tens of thousands of sensitive user images, including selfies and government identification documents used for verification. The breach affected individuals who joined before February 2024, exposing deeply personal content that had been entrusted to the app under the assurance of confidentiality.

What initially appeared to be a single incident quickly escalated when researchers discovered that a separate database containing more than 1.1 million direct user messages had also been compromised. These messages, which covered highly sensitive topics such as infidelity, abortion, personal traumas, and included phone numbers and details for offline meetups, were accessible to unauthorized parties due to weak security permissions and misconfigured APIs. The platform’s vulnerabilities allowed for extensive scraping of both new and historical user data from as early as early 2023. This second breach further eroded trust in the app, with many users expressing outrage and concern about how private their communications ever truly were.

As news of these security lapses spread, Tea’s corporate leadership announced the immediate suspension of its core messaging feature “out of an abundance of caution.” The company stated that this decision was a direct response to the breaches and was necessary to protect users while a comprehensive cybersecurity investigation unfolds. Notably, external cybersecurity experts and the FBI are now involved in the ongoing investigation, underscoring the seriousness of the incident and its potential for federal legal consequences. Tea has also begun notifying affected users and is offering free identity protection services as part of their remediation efforts.

Reactions from the cybersecurity community have been harsh, with experts lambasting Tea for its insufficient safeguards given the sensitive nature of its data. Critics argue that companies offering so-called “safe spaces” must anticipate and guard against intense scrutiny, as doing otherwise can leave vulnerable populations even more exposed. The events serve as a sobering reminder that digital platforms handling intimate, personal information must prioritize robust, proactive security measures—and that consumers should remain cautious about sharing sensitive information, even in spaces that claim to be secure.