The top app spills Tea—and user verification IDs
This analysis is in response to breaking news and it will be updated. Please contact pr@rstreet.org to speak with the author.
Tea—which allows women to anonymously review men they date—is the number one app in the App Store. Now, 404 Media has confirmed a massive breach of identity verification data belonging to women using the app. It appears the location in which this data was stored was not secured whatsoever. This is a stark reminder that users don’t always understand the enormous risk that comes with verifying age and identity online.
Women can download the Tea app, search for men, view their background checks and user reviews, and use other features the app suggests can help keep its users safe. The app advertises that women using the platform remain anonymous—a particularly important feature, as presumably some women who desire such deep research on potential romantic partners may have faced harm or abuse from partners in the past and want a higher level of certainty about future partners.
This makes the confirmed breach of “72,000 images (13,000 selfies and photo IDs, and 59,000 images from app posts and direct messages)” even more concerning. A post on 4chan originally exposed the existence of the breach, after which 404 Media investigated. The Tea app later confirmed the breach to the publication. 404 Media was also able to verify some details of the breach as originally described in the 4chan post—including that Tea uses the same Firebase (app development platform) bucket that the 4chan user cited. But 404 Media reported that it did not load any images from that database.
The Tea app requires a photo selfie and photo ID in order to register. The app’s privacy policy explains that user selfies for verification are “securely processed and stored only temporarily and will be deleted immediately following the completion of the verification process.” It is entirely possible that the 13,000 breached images were from newer users who were not yet verified, but it is unclear whether that is the case.
The company told 404 Media that “[t]his data was originally stored in compliance with law enforcement requirements related to cyber-bullying prevention,” and that they are working to investigate and remedy the situation. However, if the original post about the breach is correct, it would appear that the images were stored without any level of security. As the now-deleted original 4chan post stated, “[y]es, if you sent Tea App your face and drivers license, they doxxed you publicly! No authentication, no nothing. It’s a public bucket.”
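For readers unfamiliar with what “no authentication, no nothing” means in practice, the following is an added illustration, not code from the article, from Tea, or from 404 Media: two hypothetical Firebase Storage security-rules files. The first is the open configuration that makes every object in a bucket readable by anyone on the internet; the second scopes verification uploads to the signed-in owner and denies client reads entirely. The path layout (`/verification/<uid>/<file>`), the size limit and the content-type check are assumptions chosen for the example; nothing here describes Tea’s actual configuration.

```rules
// ---- File A: storage.rules (open; shown only for contrast) ----
// Hypothetical. Every object in the bucket can be read and written by
// any client, signed in or not. This is the shape of an unauthenticated
// public bucket.
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if true;
    }
  }
}

// ---- File B: storage.rules (scoped; corrected form) ----
// Hypothetical. Verification images live under a per-user prefix.
// Only the authenticated owner may create an object there, and no
// client may read it. The verification backend reads the object with
// the Admin SDK, which is not subject to these rules, so client-side
// read access is never needed. Everything outside that prefix is denied.
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    // Assumed layout: /verification/<uid>/<file>
    match /verification/{userId}/{fileName} {
      allow read: if false;
      allow create: if request.auth != null
                    && request.auth.uid == userId
                    && request.resource.contentType.matches('image/.*')
                    && request.resource.size < 10 * 1024 * 1024;
      allow update, delete: if false;
    }
    // Deny by default for any path not matched above
    match /{allPaths=**} {
      allow read, write: if false;
    }
  }
}
```

Two caveats a practitioner would want alongside this. First, rules control access, not retention: a policy promise that selfies are “deleted immediately following the completion of the verification process” has to be enforced by a server-side job that removes the object once verification finishes, and that job should be checked, not assumed. Second, a deny-by-default final match is what makes the difference between a bucket that is private by design and one that is private only until someone adds a new path and forgets to write a rule for it.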
This incident ought to serve as another stark reminder that efforts to mandate age and identity verification online can pose significant risks to user privacy, regardless of the claims that providers like Tea make about how your data is handled. Last year, the age verifier for many top tech companies was breached in a similar way. These breaches are not flukes; they are an inevitability. The fact that it has happened to what is currently the top app in the App Store serves as a warning to users, developers, and legislators.
Security is dependent in no small part on norms. Knowing how to spot a phishing email, not to share one’s two-factor authentication code, or how to recognize a scam call are all examples of norms that bolster security. Yet when people are increasingly encouraged to share their most sensitive information—photo IDs, Social Security numbers, face scans—across websites and apps, they will begin to feel comfortable doing so. Offering up sensitive data could become a reflexive act, like agreeing to terms of service documents. However, people cannot be sure how this data will be stored and used. In this case, Tea could not have been adhering to its privacy policy regarding data storage, which before now might have assuaged the fears of people concerned about how their information might be stored or used. Some companies may store and use sensitive data in safer ways, but users have no ability to vet this. Even companies using better security practices can face hacks.
Age and identity verification come with inevitable security risks. This is just the latest example of shoddy security practices that will lead to people facing increased identity theft and fraud. Laws that mandate that IDs and face scans be uploaded to more sites will cause more of this.