A few days after Tea Dating Advice discovered unauthorized access to one of its systems that leaked 72,000 user images, the popular mobile app faced a second issue involving a separate database, as a researcher reported to 404Media that they were able to access private conversations.
Tea Dating Advice, or just Tea for short, aims to provide a space for women to exchange information about men they know, have met, or dated in the past. The app seeks to provide a platform for people to share relevant information about, say, potentially abusive partners, and it claims to have more than 1.6 million users. After approving a new user, the system allows them to search for men by name, find people they know, and leave comments about them. Theoretically, men can’t access the app, so they have no recourse if they’re drowning in red flags and warnings on Tea.
The set of leaked images includes 13,000 selfies and photo IDs submitted for account verification, including driver's license photos, as well as 59,000 images from posts, comments, and direct messages.
While Tea acknowledged that a data breach occurred on a legacy data storage system, resulting in unauthorized access to a dataset from prior to February 2024, this is a completely different breach, and even worse for those involved. The researcher was able to see over a million private messages, stretching from early 2023 up until last week.
Kasra Rahjerdi, the researcher who flagged the issue, provided a database of more than 1.1 million messages to prove his findings. With the content of these messages at hand, it was trivial to find social media profiles, telephone numbers, and the real-world identities of most users.
Among those messages were conversations in which women discussed abortions, cheating partners, and other sensitive matters.
One internet forum, 4chan, openly shared the images exposed in the first breach, but Rahjerdi informed only Tea and 404Media about his latest work, providing enough information for them to confirm his findings. There is, however, no way of knowing whether others used the same method to access Tea’s private messages.
Aside from how you might feel about the Tea app, its purpose, its users, and those intent on destroying it, the developers could have anticipated the scrutiny and attacks on their infrastructure. Leaks happen everywhere, but sensitive data should not be stored unencrypted. And, while Tea claims to donate 10% of its profits to the National Domestic Violence Hotline, the company still has a responsibility to keep its own users safe, and that includes sound cybersecurity.
A Tea app spokesperson limited their statement to:
“We have engaged third-party cybersecurity experts and are working around the clock to secure our systems. At this time, we have implemented additional security measures and have fixed the data issue.”
Tea Dating Advice users will have to be vigilant since phishing attacks banking on these incidents might occur.
Protecting yourself after a data breach
While there are no indications that this database was found by cybercriminals before it was secured, it might have been. There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.
- Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
- Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
- Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of 2FA, such as codes sent by SMS, can be phished just as easily as a password; 2FA that relies on a FIDO2 device can’t be phished.
- Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
- Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
- Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
- Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online and helps you recover after.