Women Dating Safety App ‘Tea’ Breached, Users’ IDs Posted to 4chan



Users from 4chan claim to have discovered an exposed database hosted on Google’s mobile app development platform, Firebase, belonging to the newly popular women’s dating safety app Tea. Users say they are rifling through people’s personal data and selfies uploaded to the app, and then posting that data online, according to screenshots, 4chan posts, and code reviewed by 404 Media.

Tea, which claims to have more than 1.6 million users, reached the top of the App Store charts this week and has tens of thousands of reviews there. The app aims to provide a space for women to exchange information about men in order to stay safe, and verifies that new users are women by asking them to upload a selfie.

“Yes, if you sent Tea App your face and drivers license, they doxxed you publicly! No authentication, no nothing. It’s a public bucket,” a post on 4chan providing details of the vulnerability reads. “DRIVERS LICENSES AND FACE PICS! GET THE FUCK IN HERE BEFORE THEY SHUT IT DOWN!”

The thread says the issue was an exposed database that allowed anyone to access the material. While 404 Media was reporting this story, a URL the 4chan user posted displayed a voluminous list of specific attachments associated with the Tea app. 404 Media saw this list of files. In the last hour or so, that page was locked down, and now returns a “Permission denied” error.

Do you know anything else about this breach? We would love to hear from you. Using a non-work device, you can message Emanuel securely on Signal at (609) 678-3204. Otherwise, send him an email at emanuel@404media.co. You can Signal Joseph on joseph.404 or email joseph@404media.co.

404 Media verified that Tea does contain the same storage bucket URL that 4chan claims was related to the exposure. 404 Media did this by downloading a copy of the Android version of the app and decompiling its code. 

The 4chan post includes a photo of four women’s drivers’ licenses that the 4chan user said they redacted. But comments in the 4chan thread indicate that many more photos of Tea users have been exposed, with one person claiming they have downloaded thousands. We’ve also seen 4chan users share dozens of photos of women they claim they downloaded from the database, which all share the same image dimensions and file naming format we saw in the file list in the exposed Google Firebase bucket. 404 Media did not load any images from the database itself.

A post on a related thread from 4chan.

The source who flagged the 4chan thread about the Tea data to us said he attempted to flag the breach to Google before he reached out to 404 Media.

The original thread is no longer available on 4chan itself but 404 Media reviewed multiple archives of the page and another 4chan thread about the hack that was still live at the time of writing.

“The images in the bucket are raw and uncensored,” the user wrote. Multiple users have created scripts to automate the process of collecting people’s personal information from the exposed database, according to other posts in the thread and copies of the scripts.

In its terms of use, Tea says “When you first create a Tea account, we ask that you register by creating a username and including your location, birth date, photo and ID photo.” 

Tea launched back in 2023 but this week skyrocketed to the top of the U.S. Apple App Store, Business Insider reported. The app lets women anonymously post photos of men, along with stories of their alleged experience with them, and ask others for input. It has some similarities to the ‘Are We Dating The Same Guy?’ Facebook groups that 404 Media previously covered.

“Are we dating the same guy? Ask our anonymous community of women to make sure your date is safe, not a catfish, and not in a relationship,” the app’s page on both the Apple App Store and Google Play Store reads.

When creating an account, users are required to upload a selfie, which Tea says it uses to determine whether the user is a woman or not. In our own tests, after uploading a selfie the app may say a user is put into a waitlist for verification that can last 17 hours, suggesting many people are trying to sign up at the moment.

Tea did not respond to a request for comment. Sean Cook, the company’s founder, did not respond to a LinkedIn message or a voicemail.

404 Media previously reported on a security issue at an identity verification service for TikTok, Uber, and X that exposed people’s drivers’ licenses.
