Dating App That Lets Women 'Rate' Men Hits Number 1 on the App Store, Immediately Suffers Data Breach

Tea, an app that lets women “rate” and “review” the men in their lives, has been on a hot streak lately, having shot to the top of the App Store and enjoyed several recent write-ups in major media outlets. Unfortunately, the app has now disclosed a data breach involving self-submitted user images. One report cites claims that some of the data has been shared on 4chan, the incel-ridden internet backwater best known for helping to spawn the QAnon conspiracy theory.

404 Media first reported on the data breach, writing that users from 4chan “claim to have discovered an exposed [Tea] database hosted on Google’s mobile app development platform, Firebase.” The notorious site’s resident trolls bragged that they were parsing personal data and selfies from the app’s internal databases.

404 attempted to verify the claims made on the site. “While reporting this story, a URL the 4chan user posted included a voluminous list of specific attachments associated with the Tea app,” the outlet wrote. While the files were initially viewable, the page now gives an error and 404 says that it “verified that Tea does contain the same storage bucket URL that 4chan claims was related to the exposure.” Gizmodo has not been able to independently verify this reporting.

On Friday, Tea confirmed to Gizmodo that a data breach had occurred. “We can confirm that at 6:44 AM PST on Friday, July 25th, Tea identified unauthorized access to one of our systems and immediately launched a full investigation to assess the scope and impact,” a PR representative shared. The breach partially involved selfies submitted to the app for verification purposes, they said:

Preliminary findings indicate that the incident involved a legacy data storage system containing information from over two years ago. Approximately 72,000 images – including approximately 13,000 images of selfies and photo identification submitted during account verification and 59,000 images publicly viewable in the app from posts, comments and direct messages – were accessed without authorization.

The spokesperson told Gizmodo that the company has seen no evidence “that current or additional user data was affected.” Ironically, Tea has also said that the information in question was “originally stored in compliance with law enforcement requirements related to cyberbullying prevention.” Gizmodo further inquired about 4chan’s supposed role in the incident; we’ll update this post when we receive a reply.

Tea dubs itself a “women’s safety app” and allows its users to anonymously post pictures and the real names of the men they’ve dated, with appended criticisms and concerns. While the goal of giving women a way to vet their dates is ostensibly an honorable one, the Washington Post points out that Tea “doesn’t limit its feedback to safety concerns,” and that criticism is also frequently aimed at men’s appearance or the way a specific relationship came to an end. Arguably, that would make it the perfect target for the internet’s most disgruntled and misogynistic hordes.

More to the point, any time you share personal information with an app, you’re just asking for that information to be shared with the rest of the world. The internet—in particular the app industry—is a deeply insecure place, governed as it is by male egos and burned-out coders.