The Tea Dating App Breach and the Quest for Safer Online Platforms

The past year has seen some of the largest and most complex cyber attacks and data breaches in history and people are increasingly concerned about how to protect themselves. The yearslong Salt Typhoon hack, led by state-sponsored Chinese threat actors, is thought to have targeted “more than 80 countries,” and may have “stolen information from nearly every American,” according to The New York Times. Data breaches at Coca-Cola, Coinbase, Adidas, AT&T and Mark & Spencer punctuate a tumultuous year in data security. Political attacks by hacktivists are also making a “dramatic return,” according to one researcher.

Yet one of the most unsettling data breaches this year was the Tea Dating Advice data breach, which underscores the dwindling amount of safe spaces online.

Among “dating safety” apps, which offer users enhanced security and screening services, the women-only platform better known as Tea is one of the most popular. The US-based app has over 6 million users who can use it to check their potential partner’s criminal history, whether they are a sex offender and help determine if they are a “catfish,” or somebody with a fake profile.

On July 25, Tea Dating Advice’s data storage was compromised when 72,000 private images were accessed by an unauthorized entity. The leaked data included selfies, photo IDs and various images from users’ posts on the app. To make matters worse, the discovery that the breach took place due to an exposed dataset suggests that it could have been prevented if Tea’s legacy cloud storage system had been properly configured. Shortly after Tea’s incident, its male counterpart Tea on Her, also had a data breach.

Tea already had its share of fans and critics before the breach. Glamour magazine featured Tea as “Best for: Women 18–65 who want to prioritize safe dating”, describing it as a platform “built on trust,” noting they give 10 percent of their profits to the National Domestic Violence Hotline, authorized in 1994 after the Violence Against Women Act (VAWA) law was enacted. Some influencers and anti-domestic abuse advocates had rallied behind Tea. “Really Rayven,” a TikTok influencer who advocates for abuse survivors, told her followers in a December post: “I would love to refer you to Tea because I’m going to be slowly inputting everybody from my experience onto that app and I encourage you to do so.”

Nevertheless, there were reservations circulating about women congregating online to “spill the tea” on prospective suitors. ABC News contributor Mike Muse questioned whether Tea’s use of facial recognition technologies could “peg the wrong person,” or validate a wrongful accusation of an individual before they had “their full day in court.” Some critics suggested Tea was “fueling a gender war”, questioning if it was blatantly “anti-male” and being leveraged unethically as a tool for revenge. Negative reactions to Tea called attention to partisan views and disagreements about gender that have seen young men and women’s political views sharply split in elections across North America, Europe and Asia.

The Tea breach happened at the same time that dating sites generally have seen a decline in usership, with as many as 49% of Americans viewing them as “not too safe.”

The Tea app was meant to be a safe haven. Sean Cook, its founder, grew up in Philadelphia and experienced his mother’s challenges with online dating, inspiring him to build a dating safety app for women. “I was shocked by how easy it was for catfish, scammers and criminals to take advantage of women on dating apps and how little traditional dating apps do to protect users,” described Cook in an interview in May, not long before Tea was breached.

With mounting concerns about malicious hacks and online safety, Tea is joined by a new generation of tech hoping to create more safety and privacy. Apps like Tea, SafeDate (which notifies your “SafeMates” about dating plans) and a variety of encrypted communication apps like Signal and Discord, are growing in popularity just as online scams and cyber attacks have impacted nearly three quarters of American adults.

Virtual private networks (VPNs), which encrypt connections over the internet from a device to a network, have seen users in the United Kingdom flock to Proton VPN, and an uptick among American VPN users seeking to protect their online activities and IP addresses. The Tor Project, which has been fighting for people’s digital rights since the early 2000s, recently announced an early-access release of their VPN. Some people, looking for an entirely off-grid solution, have turned to Meshtastic, which utilizes long range radio (LoRa) nodes without the use of cellular service or WiFi, and is a promising backup communication system. “I could see a point where almost every home has a Meshtastic device,” Jason Opdyke, the founder of Rokland Technologies, shared in our interview.

The privacy preserving technology market is also predicted to grow significantly in coming years, and privacy enhancing technologies (PETs) have grown in familiarity despite some common concerns. PETs can be counterintuitive because they undermine the implementation of more comprehensive data protection legislation. PETs can also be expensive to build, and rushed design and deployment can result in security risks like data breaches.

Some companies have overpromised their end-to-end encryption capabilities, which for example, led to a settlement between the Federal Trade Commission and Zoom Video Communications, Inc., in which Zoom agreed to establish a more comprehensive security program. Education and awareness is still lacking about PETs, and organizations need more “guidance on how PETs should be used and what they can help achieve,” according to the Centre for Information Policy Leadership.

Missteps have also plunged privacy enhancing technologies into public view. Defense Secretary Pete Hegseth’s questionable use of Signal, a.k.a. SignalGate, led to a spike in Signal downloads.

Despite their data breach and looming legal troubles, Tea continues to hold second place among lifestyle apps in Apple’s App Store. Tea Dating Advice’s breach is embedded in a much larger internet safety problem that simultaneously complicates privacy and autonomy online.

Many users are searching for a safe, secure, private experience, even as our life increasingly becomes digitized, tracked and used as training data. This suggests the urgency of building platforms which are secure-and-private-by-design.

“Think about privacy not as a feature but as a design choice,” remarked Pavel Zoneff, the spokesperson for the Tor Project, in an interview. “So much of the technology we use is centralized–concentrated in the hands of a few powerful companies and dependent on proprietary systems that users have no control over. This is a pattern that we need to break out of.”