An app designed to help women spot the “red flags” of men they date has incidentally put its users at risk. 404 Media reported that Tea was hacked by 4chan users last week, resulting in the selfies and driver’s licenses of its mostly women users being posted to 4chan. An independent researcher for 404 Media has since discovered that messages between users discussing infidelity, abortion, and personal phone numbers are also vulnerable to hackers.

Tea was founded by software developer Sean Cook, who said he was inspired to create an anonymous whisper network after witnessing his own mother’s “terrifying” dating experiences with men. It was also heavily influenced by the rise of “Are We Dating The Same Guy” Facebook groups and operates in a similar paradigm of sounding anecdotal alarms about men people have dated. The app surged in popularity to the top spot on Apple’s App Store last week. Tea claims to have more than 4 million active users.

On July 25th, 72,000 images — including 13,000 selfies and driver’s licenses, as well as another 59,000 images, that were published on the app — were breached, with many downloaded and posted publicly on 4chan. 4chan users initially posted images of four women’s driver’s licenses, redacting some personal information, but the firestorm of comments in the thread suggested that thousands of images were downloaded before the company was aware of the breach. Tea told 404 Media that it had launched “a full investigation with assistance from external cybersecurity firms,” and that it was working with law enforcement “to assist” in their investigation.

Tea was storing its users’ sensitive information on Firebase, a Google-owned backend cloud storage and computing service. Since 2023, Tea no longer requires users to send in photos of their IDs for verification purposes. While the company initially insisted that the hack only affected its “legacy” database and users who signed up before February 2024, according to the independent researcher and data trove reviewed by 404 Media, Tea remains unsafe, way beyond the scope of the original hack, and private messages sent as late as last week are accessible and vulnerable to further exposure.

Since Tea’s surge in use among women, it’s drawn more incensed criticism and ire among so-called “men’s rights” groups online.

Men who discovered they appeared on the app have called it a “toxic” network. Some are going viral on TikTok and X, claiming that the assertions made about them are defamatory and wholly untrue. “The issue is that people (women especially) won’t see this as an issue until the male version of the app is created. I deserve to know my date’s STD history, body count, etc.,” reads a top-rated comment on a thread in the subreddit r/MensRights. A retaliatory app featuring women was created shortly thereafter, called Teaborn, but it was promptly taken down after reports of users posting revenge porn.

Several cybersecurity and data privacy experts have called Tea’s storage methods, which led to the initial hack, downright negligent.

“This data was originally stored in compliance with law enforcement requirements related to cyber-bullying prevention,” the company initially claimed in the statement provided to 404 Media.

Peter Dordal, a professor of online networks and security at Loyola University in Chicago, told The Verge that he believes the company’s statement — that it was in compliance with the law — is “misleading,” and that the company could have done more to prevent this cybersecurity nightmare. “[The statement] is misleading on two counts: first of all, law enforcement doesn’t set requirements; that’s the job of Congress and state legislatures. Tea didn’t cite the actual legal requirement,” Dordal said. “Second, if there was a legitimate legal need to retain these images, they shouldn’t have been accessible online at all; they are clearly not needed for ordinary site activity.”

Dordal added that while it’s commonplace for user data to be stored in the cloud, Tea should have taken measures to ensure that it could not be accessed by the public. Tea’s terms and conditions also claim it deletes user data after verification, which it has apparently failed to do.

“Tea definitely had negligent security practices if the current reporting is true,” said Grant Ho, an assistant professor at the University of Chicago who researches computer security. “A company should never host users’ private data on a publicly accessible server, and, at a minimum, the data should’ve been stored encrypted.”

Andrew Guthrie Ferguson, a law professor at George Washington University and expert in Big Data surveillance, points out that a whisper network on the internet is no longer safeguarded like a real whisper network could be when it operates offline. Your data is no longer in your control.

“What changes when it’s digital and recoverable and save-able and searchable is you lose control over it,” Ferguson said. “You can’t keep it within the confines of people you trust.”