The cybersecurity breach of the Tea dating app last week continues to snowball, with company executives saying that they’ve discovered that 1.1 million direct messages were accessed by the unknown attackers and that “out of an abundance of caution,” they were taking the affected system offline.
“At this time, we have found no evidence of access to other parts of our environment,” they wrote in an update to the investigation both on the website and on social media accounts. The DM feature also was shut down temporarily.
The app, which reportedly has about 1.6 million users, offers women a place to securely discuss and share reviews of men they date. Among the safety features was the initial requirement that members can access the site only after confirming their identity with a government-issued ID and a photo. The ID requirement was discontinued in 2023, the executives wrote.
In their initial statement about the data breach, the executives said they detected unauthorized access to Tea’s systems on July 25. An investigation found that a storage system holding legacy data from before February 2024 had been compromised, giving hackers access to a dataset that included about 72,000 images – among them 13,000 selfies and the photo identification they submitted when verifying their Tea accounts – and about 59,000 images that could be viewed in the app via posts, comments and direct messages.
No email addresses or phone numbers were accessed, and the stolen data pertained to users who had signed up before February 2024.
However, an independent security researcher told news site 404 Media that a second Tea database had been compromised, exposing 1.1 million private messages that include discussions about abortions, cheating partners, and phone numbers.
The researcher, Kasra Rahjerdi, said that the messages in the database span from 2023 to last week, and that any bad actor could access the data and send push notifications using their own API key. 404 Media said it could identify users from social media profiles, phone numbers, and personal details found in the messages.
Tea executives didn’t address many details of the second database.
Writing about the compromise uncovered last week, they said that “during our early stages of development some legacy content was not migrated into our new fortified system.” They continued: “An unauthorized actor accessed our identifier link where data was stored before February 24, 2024. As we grew our community, we migrated to a more robust and secure solution which has rendered that any new users from February 2024 until now were not connected to the images involved in this incident.”
An anonymous poster wrote on 4chan on July 25 that the company stored the drivers’ licenses and photos used for verification, as well as images sent in comments, in an unsecured Firebase cloud storage bucket.
The Tea app is number two on Apple’s App Store list of free apps.
The data breach at Tea is an example of an environment where companies at times will roll apps out to the public to pull in subscribers and grow their churn metrics while not giving enough attention to security and privacy, according to Ted Miracco, CEO of Approov, which offers a runtime security solution for mobile apps and their APIs.
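For readers unfamiliar with what an “unsecured” Firebase Storage bucket looks like in practice, the following is an added illustration, not Tea’s actual configuration: a Firebase Storage security rules file that scopes verification images to the user who uploaded them, with the public-read pattern that leaves every object readable shown in a comment for contrast. The `/verification/{userId}/` path layout is an assumption chosen for the example.

```text
rules_version = '2';

// Weak pattern (shown for contrast, NOT deployed here): a catch-all match with
// `allow read: if true;` lets anyone who learns an object's URL download it,
// with no Firebase sign-in required.
//
//   match /{allPaths=**} {
//     allow read: if true;
//   }

service firebase.storage {
  match /b/{bucket}/o {

    // ID documents and selfies submitted for verification (path layout is assumed).
    // Only a signed-in user whose uid matches the folder name can read or write,
    // so one account cannot enumerate another account's documents.
    match /verification/{userId}/{fileName} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }

    // Images attached to posts and comments (path layout is assumed):
    // readable by any signed-in member, writable only by the uploader.
    match /content/{userId}/{fileName} {
      allow read: if request.auth != null;
      allow write: if request.auth != null
                   && request.auth.uid == userId;
    }

    // No other match blocks: Firebase denies any path that no rule matches,
    // so legacy folders left behind by a migration stay inaccessible by default.
  }
}
```

Rules like these still only cover access through the Firebase SDK; data copied to another storage system before a migration is governed by that system’s own controls, which is why legacy buckets deserve the same review as the current one.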
“Tea app users should be concerned, but it goes beyond Tea, as all mobile app users should be concerned,” Miracco said. “The breach of verified selfies and ID images reflects a much broader industry problem. Many users believe that downloading an app from the Apple App Store or Google Play Store means it has passed rigorous security and privacy checks.”
However, the platforms rely on cursory scans focused on policy violations, he said, adding that they don’t tend to inspect backend APIs, enforce privacy configurations, or audit how sensitive data is handled.
“This incident should be a wake-up call to users and app developers,” Miracco said. “App developers are burdened with high marketplace fees and limited access to advanced security tooling, while users are lulled into a false sense of security. When mobile apps collect and transmit sensitive personal information like photos, IDs, biometrics, and location without proper safeguards like encrypted transport, runtime attestation, and strict access controls, everyone is at risk.”