Top app spills Tea—and user verification IDs
Tea—which allows women to anonymously review men they date—is (as of this writing) the number one app in the App Store. Now, 404 Media has confirmed a massive breach of identity verification data belonging to women using the app. It appears the location in which this data was stored was not secured whatsoever. This is a stark reminder that users don’t always understand the enormous risk that comes with age and identity verification online.
Women who download the Tea app can search for men, find their background checks, read user reviews, and use other suggested features to help keep them safe. The app advertises that women using the platform remain anonymous—a particularly important feature, as some users may have faced harm or abuse in the past and want a higher level of certainty in future partners.
This makes the confirmed breach of “72,000 images (13,000 selfies and photo IDs, and 59,000 images from app posts and direct messages)” even more concerning. A post on 4chan originally exposed the existence of the breach, after which 404 Media investigated. The Tea app later confirmed the breach to the publication, which was able to verify some details described in the 4chan post—including that Tea uses the same Firebase (app development platform) bucket cited by the poster. However, 404 Media reported that they didn’t load any images from that database.
The Tea app requires a photo selfie and photo ID in order to register. The app’s privacy policy explains that user selfies for verification are “securely processed and stored only temporarily and will be deleted immediately following the completion of the verification process.” According to Tea, the 13,000 breached images were from users verifying their ages many months ago, which means the company violated its own policies.
The company told 404 Media that “[t]his data was originally stored in compliance with law enforcement requirements related to cyber-bullying prevention,” and that they are working to investigate and remedy the situation. However, if the original post about the breach is correct, it would appear the images were stored without any level of security. As the now-deleted original 4chan post stated, “[y]es, if you sent Tea App your face and drivers license, they doxxed you publicly! No authentication, no nothing. It’s a public bucket.”
This incident serves as another harsh reality check that efforts to mandate age and identity verification online can pose significant risks to user privacy, regardless of claims that providers like Tea make about how your data is handled. The age verifier for many top tech companies experienced a similar breach last year. These breaches aren’t flukes—they’re an inevitability. The fact that it happened to what is currently the top app in the App Store serves as a warning to users, developers, and legislators.
Security is dependent on norms. Understanding how to spot a phishing email, not to share one’s two-factor authentication code, or how to recognize a scam call are all examples of norms that bolster security. Yet when people are increasingly encouraged to share their most sensitive information—photo IDs, Social Security numbers, face scans—across websites and apps, they begin to feel comfortable doing so. Offering up sensitive data could become a reflexive act like agreeing to terms of service documents. However, people cannot be sure how this data will be stored and used. In this case, Tea could not have been adhering to its privacy policy regarding data storage, which before now might have assuaged the fears of people concerned about how their information might be stored or used. While some companies may store and use sensitive data in safer ways, users don’t have the ability to vet this. And even companies with better security practices can face hacks.
Age and identity verification come with inevitable security risks. This is just the latest example of shoddy security practices that will lead to increased identity theft and fraud. Laws mandating that IDs and face scans be uploaded to more sites and apps will only cause more problems.