Spilled Tea or Leaked Cybersecurity?

July 28th, 2025
Elisa Ma

In today’s world, it isn’t easy to tell what is considered a “red flag” or warning sign. Ironically, the Tea app, a place where women can anonymously spill the red flags on men they have dated, proved to have a few cryptic red flags of its own. On July 25, an official statement from the company confirmed that a data breach leaked approximately 72,000 user images (about 13,000 verification selfies and government ID photos). 4chan and X users have supposedly also uncovered location information and databases of user images.

The Tea (Tea Dating Advice) App

The San Francisco-based app was publicly launched in 2023 with a mission of protecting women by being a “dating safety platform,” a niche unfulfilled by traditional dating apps. Aside from postings and chats, the app also allows for Reverse Image Search, Phone Number Lookup and Background Checks. The company claims to commit 10% of its profits to the National Domestic Violence Hotline, in line with the fears of violence that are a major driving factor in getting women to use the app.

In July 2025, the Tea app reached over 4 million downloads and was the #1 free app in the US Apple App Store, surpassing ChatGPT and Threads.

Privacy Concerns

Yet there cannot be a protected space without some barriers to entry. To confirm a user’s gender as female, the app required that users take a selfie or provide photo identification. Although the app claimed that these authentication photos would be deleted, a leak proved otherwise. After these authentication photos were compromised, women have already been subject to harassment and personal safety threats on online discussion platforms.

Men—whose photos and information were shared on the app—have raised concerns over their privacy and the legitimacy of reviews. Without any safeguards against defamation, some have dubbed the app “anti-men,” as what happens in the event of misinformation is murky. Section 230 of the Communications Decency Act of 1996 holds users, not apps or platforms, responsible for malicious content posted. However, state laws vary on whether online interactions fall under stalking laws.

Cybersecurity

The Tea app’s leak compromised data from its “legacy storage system,” which continued outdated code, explaining why targeted data is of users who signed up before February 2024. More negligently, the leaked data was stored in a public bucket, meaning the data lacked encryption or authentication checks.

Conclusion

As more apps adopt facial identification technology, privacy and security need to be at the center of attention. As cybersecurity threats grow, it is apparent that dismissed “red flags” must be taken as real warning calls.

Read more here:

Extemp Analysis by: Ty Tan

Question: What does the Tea App incident signal for the future of American cybersecurity?

AGD: A narrative here about someone, male or female, who’s had their privacy threatened as a result of the Tea App data breach would be good.

Background: In the background, a few key things need to covered

What is the state of American cyber privacy and security
What the Tea App incident did and the data breached
A future where cyber privacy and security now matters more than ever as a priority

Answer: A future of reform and strengthening cybersecurity (any thesis works, just an indication that the events of the Tea data breach will signal that its time for change)

Revealing Inadequate Data Protection Practices
Concerns over Identity Verfication Technology
Recognizing Reactive vs Proactive Cybersecurity Practices

Analysis + Concluding Thoughts

I am not the most informed on cybersecurity law, but the Tea app breach seemingly demonstrates a need to strenghten security. For the 1st point, you would discuss the general inadequaecies in Tea in allowing data to be leaked and open source to an extent. The 2nd point would discuss a need in guranteeing id verification data photos, as they pose a risk to cyber privacy. The last point would go over how the industry standard is reaction over proactive cybersecurity development, demanding the government seek ways to reform and require cybersecurity before data is collected.