The Tea app, marketed as a secure platform for women to share dating experiences and warnings about men, has suffered a significant escalation in its data security woes. What began as a breach exposing user photos and identification documents has now expanded to include private conversations, raising alarms about the app’s underlying vulnerabilities. According to a report from BleepingComputer, hackers have accessed and leaked a second database containing over 1.1 million private messages, amplifying risks for the app’s predominantly female user base.
The initial breach, reported last week, involved the theft of approximately 72,000 images, including selfies and government-issued IDs used for verification. This data, stored in a legacy system dating back more than two years, was posted on notorious online forums like 4chan, prompting swift backlash. As detailed in coverage from NBC News, the leak not only compromised personal privacy but also exposed users to potential harassment, identity theft, and doxxing, especially given the app’s focus on sensitive topics like relationships and personal safety.
Escalation to Private Chats: A Deeper Intrusion
The situation deteriorated further when cybersecurity researcher Kevin Beaumont identified an additional unsecured database. This second exposure, as outlined in the BleepingComputer analysis, revealed a trove of user chats, including discussions about abortions, cheating, and other intimate matters. Hackers, operating under the alias “emo,” claimed responsibility and began distributing the data on BreachForums, a site known for trading stolen information.
Experts note that the database was left exposed without password protection, a basic security lapse that allowed easy access via simple scanning tools. Beaumont’s findings, shared on social media and corroborated by Mashable, highlight how the app’s rapid growth—vaulting it to the top of app store charts—may have outpaced its infrastructure safeguards, leaving user data vulnerable to opportunistic attackers.
Company Response and User Fallout
Tea Inc. responded by securing the exposed servers and notifying affected users, but the damage was already done. In statements reported by CNN Business, company executives downplayed the breach as involving outdated data, yet the inclusion of recent messages in the second leak contradicts this narrative. Cybersecurity insiders criticize the app for not implementing robust encryption or access controls, pointing to a pattern seen in other viral social platforms.
For users, the implications are profound: leaked chats could lead to real-world harm, including stalking or reputational damage. As Lifehacker explored, women who joined Tea for a “safe space” now face betrayal, with some deleting accounts en masse. Industry analysts warn this could erode trust in gender-specific apps, pushing developers toward stricter compliance with regulations like GDPR.
Broader Lessons for App Security
This incident underscores systemic issues in the tech sector, where innovation often trumps security. Drawing from 404 Media’s investigative piece, the breach reveals how unpatched legacy systems become liabilities as apps scale. Regulators may increase scrutiny, demanding audits for user data handling.
Ultimately, the Tea app saga serves as a cautionary tale for startups: prioritizing privacy isn’t optional. As breaches become more common, companies must invest in proactive defenses to protect vulnerable communities, or risk not just data loss, but the very trust that sustains them.