We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: Holiday.com, ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: Holiday.com, ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Tea App Leaks User Data, Including 72K Photos

Tea App Leaks User Data, Including 72K Photos
Hendrik Human Published on July 31, 2025 Cybersecurity Researcher

Tea, a viral dating advice app, suffered a major data leak, exposing 72,000 user images as well as direct messages. According to reports, the app itself left a Firebase storage bucket publicly accessible, with no authentication, encryption, or access controls — meaning anyone with the URL could access all the data.

Tea had already drawn scrutiny for potentially violating the privacy of the men talked about on the site, as well as the risk of it being used as a "man‑shaming" or vigilante‑justice platform.

In its marketing, the app claims to help women spot “red flags,” get anonymous advice, run background checks, and conduct sex offender searches. However, it also allows users to share actual pictures of men as well as divulge their personal information.

Now, in a span of just a week, the app has been the subject of at least two leaks. The breach first came to light when users from the 4chan forum started posting about an exposed database hosted on Firebase. Immediately, others started pilfering through the data, publicly posting photos, message contents, and more on the internet.

As one 4chan user put it, “Yes, if you sent Tea App your face and drivers license, they doxxed you publicly! No authentication, no nothing. It's a public bucket.”

Claiming to have over 4 million users, Tea briefly hit the #1 downloaded free app on the Apple App Store and had over 100,000 downloads on the Google Play Store. While it remains online, a spokesperson told CBS MoneyWatch that "Out of an abundance of caution, we have taken the affected system offline."

Tea also told 404 Media that it’s launching a “full investigation” into the matter with the help of a third-party cybersecurity firm and law enforcement.

Of the 72,000 images, roughly 13,000 were of selfies or photo identification used for account verification (such as driver’s licenses). The balance was derived from direct messages or posts and comments that were publicly viewable on the app. 404 Media also reported that hackers may now have access to 1.1 million messages, some of which are from recent conversations regarding sensitive topics such as infidelity, abortion, and personal contact details.

The incident exposes the risks of using apps that collect a broad range of sensitive data and require extensive permissions, especially in light of new photo-ID verification requirements like those in the UK. While it didn’t play a role in this incident, mobile apps are also being increasingly used to spread malware, heightening the need for caution.

About the Author

Hendrik is a writer at vpnMentor, specializing in VPN comparisons and user guides. With 5+ years of experience as a tech and cybersecurity writer, plus a background in corporate IT, he brings a variety of perspectives to test VPN services and analyze how they address the needs of different users.

Please, comment on how to improve this article. Your feedback matters!

Leave a comment

This field must contain more than 50 characters

The field content should not exceed 1000 letters

Sorry, links are not allowed in this field!

Name should contain at least 3 letters

The field content should not exceed 80 letters

Sorry, links are not allowed in this field!

Special characters are not allowed in the Name field

Please enter a valid email address