“A legacy data storage system was compromised, resulting in unauthorized access to a dataset from prior to February 2024.
“This dataset includes approximately 72,000 images, including approximately 13,000 selfies and photo identification submitted by users during account verification, and approximately 59,000 images publicly viewable in the app from posts, comments, and direct messages.”
Tea aims to “revolutionize dating safety” for women by providing them with necessary tools, insights, and community, according to the company, which said the app has more than 4.64 million users.
“With features like Reverse Image Search to catch catfish, Phone Number Lookup to check for hidden marriages, and Background Checks to uncover criminal records, Tea ensures that women have the information they need before meeting someone new,” the company said.
Tea clarified that no email addresses or phone numbers were stolen in the breach and said only users who signed up for the app before February 2024 were affected.
In its statement, Tea said the selfies were archived to comply with law enforcement requirements related to preventing cyberbullying.
“At this time, we have no evidence to suggest that photos can be linked to specific users within the app,” the company said.
Guessing the Location of Users
The app initially required selfies and IDs during registration to ensure that only women were signing up for the app, Tea said, noting that the ID requirement was removed in 2023.According to Tea, during the early stages of developing the app, some of the legacy content was not migrated into the newer and more secure system. The hacker was able to access a link where this data was stored.
“We have engaged third-party cybersecurity experts and are working around the clock to secure our systems,“ the company said. ”At this time, we have implemented additional security measures and have fixed the data issue. We are currently working to determine the full nature and scope of information involved in the incident.”
Many of the apps in the analysis “routinely expose personal data to other users,” the study reads.
“While users may feel compelled to share such data, there is a particular risk when APIs leak data hidden in the [user interface] as well as exact user locations, as users will not be aware that they are sharing this data, which can lead to additional harm,” it reads.
“Additionally, the apps’ privacy policies generally fail to inform users about these privacy threats and leave the burden of protecting personal (sensitive) data to the users.”
Ashley Madison settled the case by paying $1.6 million and agreed to implement robust data security practices.







