Tea said it “identified unauthorised access” to its systems on Friday 25th.
The women’s dating app Tea has said that a security breach compromised "a legacy data storage system" storing over 100,000 images.
In a statement, Tea said it “identified unauthorised access” to its systems on Friday 25th and immediately launched a full investigation. This determined that a legacy data storage system was compromised, resulting in unauthorised access to a dataset from prior to February 2024.
This dataset includes approximately 72,000 images, including approximately 13,000 selfies and photo identification submitted by users during account verification, and approximately 59,000 images publicly viewable in the app from posts, comments and direct messages.
Also only users who signed up before February 2024 were affected. Tea said the information was stored in accordance with law enforcement requirements related to cyber-bullying investigations, and it is currently working to determine the full nature and scope of information involved in the incident.
Safe Space
According to media reports, the Tea app is intended to create a safe space for women to share information about their dates online, allowing women to “spill Tea” about their dates and expose things such as infidelity.
A thread posted on the 4Chan message board of 4Chan on July 24th allegedly called for a “hack and leak” campaign, according to NBC News.
"Tea ensures that women have the information they need before meeting someone new," the company says on its website. More than 1.7 million women have used the app, the company says.
Kevin Marriott, senior manager of cyber and head of SecOps at Immersive, said: “As a dating app that has described itself as offering “dating safety for women,” users would have expected it to keep personal data and images secure.
“Legacy infrastructure is often a challenge for organisations, and the failure of the company to immediately delete images will further fuel concerns around the Online Safety Bill and the requirement to upload personally identifiable information. Breaches such as these, where the images that were taken are part of a dataset that customers were assured were not retained, can clearly damage trust between users and the company.”
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
