Tea App’s Second Breach: 1.1 Million Private Messages Exposed in a Devastating Privacy Failure

Last week we broke the news of the Tea App’s data breach and hack and covered the privacy litigation risks; those risks are now materializing in real time, with a class action lawsuit already filed.

Just when the Tea app thought the storm had passed, a second, even more catastrophic data breach has rocked the platform, exposing 1.1 million private messages sent between users as recently as last week. Following the initial July 25, 2025, breach that saw 72,000 user images, including selfies and driver’s licenses, leaked on 4chan, this new vulnerability has deepened the crisis for the women-only dating safety app. These messages, containing intimate discussions about infidelity, abortions, phone numbers, and meeting locations, have now surfaced on hacking forums, amplifying risks of doxxing, harassment, and identity theft. Captain Compliance foresaw this disaster, offering critical lessons for privacy professionals and app developers on how to take a privacy by design approach.

If you want to protect your business or brand rather than devastate it, book a demo today with a privacy superhero here at Captain Compliance.

The Latest Breach: A Deeper Wound for Tea Users

Tea, launched in 2023 by Sean Cook to empower women with anonymous reviews of men in the dating pool, had soared to the top of the Apple App Store with over four million signups by July 2025. The app’s promise of anonymity and security, bolstered by anti-screenshot features and mandatory selfie and ID verification, was meant to create a safe space for women to share “red flags” and protect against catfishing or abuse. However, the initial breach exposed a “legacy data system” with unencrypted images from users who joined before February 2024, contradicting Tea’s privacy policy claims of immediate deletion post-verification.

The second breach, reported by 404 Media on July 28, 2025, revealed an additional database containing 1.1 million private messages exchanged from February 2023 to as recently as the week prior. Unlike the first leak, which primarily involved images, this exposure included highly sensitive communications—discussions of personal experiences like discovering a partner’s infidelity, planning meetups, or sharing health-related decisions such as abortions. Independent researcher Kasra Rahjerdi accessed the data using Firebase’s app development platform, noting that any authenticated user could retrieve messages with an API key, highlighting a severe lack of access controls.

Tea responded by disabling its direct messaging feature and taking the affected system offline, citing an “abundance of caution.” Yet, the damage is profound: the leaked messages, now circulating on hacking forums, expose users to real-world risks, including blackmail, stalking, and fraud, particularly since some messages included identifiable details like phone numbers and locations.

Connection to the Initial Breach: A Pattern of Negligence

The second breach compounds the fallout from the first, revealing systemic flaws in Tea’s data security. The initial leak, reported on July 25, 2025, stemmed from an unsecured Firebase storage bucket that stored 72,000 images—13,000 selfies and IDs, 59,000 from posts and messages—without encryption or password protection. Cybersecurity experts, including Ted Miracco of Approov, criticized Tea for neglecting basic practices like data encryption and access controls. The second breach, involving a separate database, suggests Tea failed to audit its entire infrastructure after the initial incident, allowing a similar vulnerability to persist.
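As an added illustration of the access-control gap described here and in the message-leak section above, the block below shows Firebase Security Rules in the permissive form the reporting describes (any authenticated user, which in practice means anyone who can create an account and holds the app’s public API key, can read everything) beside a least-privilege rewrite. This is example configuration written for this post, not Tea’s actual rules; the folder names, collection names and the `participants` and `senderId` fields are assumptions made for the illustration.

```firebase
// Added example (not Tea's real configuration): Firebase Security Rules
// showing the permissive pattern described in the article beside a
// least-privilege version. Paths, collection names and the
// "participants" / "senderId" fields are assumptions for illustration.

// ---------- storage.rules (verification selfies and IDs) ----------
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {

    // WEAK: any signed-in user can list and download every object in the
    // bucket, including other users' verification selfies and ID scans.
    // match /{allPaths=**} {
    //   allow read, write: if request.auth != null;
    // }

    // HARDENED: a user may upload only into their own folder, only image
    // content, with a size cap; no client may read verification data at all.
    // Review happens server-side with the Admin SDK, which is not subject to
    // these rules, and the object is deleted once the review is complete.
    match /verification/{uid}/{fileName} {
      allow create: if request.auth != null
                    && request.auth.uid == uid
                    && request.resource.contentType.matches('image/.*')
                    && request.resource.size < 5 * 1024 * 1024;
      allow read, update, delete: if false;
    }
  }
}

// ---------- firestore.rules (direct messages) ----------
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Helper: is the caller one of the two (or more) people in this thread?
    function isParticipant(convId) {
      return request.auth != null
        && request.auth.uid in
           get(/databases/$(database)/documents/conversations/$(convId)).data.participants;
    }

    // WEAK: every authenticated user can read every message in the database.
    // match /{document=**} {
    //   allow read: if request.auth != null;
    // }

    // HARDENED: only participants can read a conversation or its messages,
    // a sender can only write messages as themselves, and nothing is
    // editable after the fact.
    match /conversations/{convId} {
      allow read: if isParticipant(convId);
      allow create: if request.auth != null
                    && request.auth.uid in request.resource.data.participants;
      allow update, delete: if false;

      match /messages/{msgId} {
        allow read: if isParticipant(convId);
        allow create: if isParticipant(convId)
                      && request.resource.data.senderId == request.auth.uid;
        allow update, delete: if false;
      }
    }
  }
}
```

Two points matter when applying this. First, a Firebase API key identifies the project to the client; it is not a secret and grants nothing on its own, so the rules are the only thing standing between an account holder and the data. Second, the rules above cover only the two stores named in the reporting; the audit that was evidently missing after the first incident is a pass over every bucket, Firestore database and Realtime Database in the project, which can be exercised against the Firebase emulator before anything is deployed.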

Both breaches share a common thread: Tea’s misrepresentation of its privacy protections. The app’s privacy policy promised that verification data would be “securely processed and deleted immediately” after review, yet both leaks included data retained beyond stated guidelines, violating user trust and legal obligations. The New York Times and R Street Institute noted that the leaked data strongly indicated ongoing retention practices, potentially exposing Tea to claims under the California Consumer Privacy Act (CCPA) for unauthorized data handling; as we covered previously, the breach also enables and triggers the private right of action lawsuits. Firms like Pacific Trial Attorneys and Levi and Korsinsky will be lining up for a class action privacy lawsuit.

Privacy Implications: From Empowerment to Exposure

The exposure of 1.1 million private messages escalates the privacy crisis for Tea users. These communications were not just casual chats but deeply personal exchanges, including warnings about abusive partners, confessions of infidelity, and sensitive health disclosures. The public availability of such data on platforms like 4chan and hacking forums heightens risks of doxxing, cyberstalking, and identity theft, particularly for women who joined Tea to protect themselves from such threats. The creation of an interactive map using metadata from the first breach’s images, and now the potential for similar exploitation of message data, underscores the real-world dangers.

This breach betrays Tea’s core mission of women’s safety, transforming a platform meant to empower into one that endangers. The psychological toll on users—knowing their private warnings or vulnerabilities are now public—cannot be overstated. Moreover, the data’s potential use in facial recognition spoofing, biometric bypassing, or deepfakes, as warned by CNN, amplifies long-term privacy risks. For privacy professionals, this case highlights the critical need for robust data minimization, encryption, and deletion policies to prevent such catastrophic exposures.

Class-Action Lawsuits: Legal Repercussions Gain Momentum

The breaches have triggered swift legal action. On July 29, 2025, two class-action lawsuits were filed in the Northern District of California, led by plaintiffs Griselda Reyes and an anonymous Jane Doe. Reyes’ suit, represented by Cole & Van Note, alleges negligence, breach of implied contract, and failure to secure data, seeking damages and mandates for Tea to overhaul its security practices. Jane Doe’s suit, which also names X and 4chan as defendants, emphasizes the app’s broken promises of anonymity, arguing it endangered users who sought to warn others about predators.

Both lawsuits leverage the CCPA’s private right of action, which allows statutory damages of $100-$750 per violation for breaches caused by inadequate security, without proving harm. With over 1.7 million users potentially affected, damages could reach hundreds of millions. The second breach’s exposure of recent messages strengthens these claims, as it contradicts Tea’s initial assertion that only pre-February 2024 data was compromised. Firms like Swigart Law Group, known for aggressive privacy suits, Tauler & Smith, and Pacific Trial Attorneys, led by Scott Ferrel, are likely to join or expand these actions, capitalizing on their expertise in CCPA and consumer protection litigation.

Additional claims may invoke California’s Unfair Competition Law (UCL) or common-law torts like intrusion upon seclusion, given the sensitive nature of the exposed messages. The lawsuits also highlight Tea’s failure to notify users promptly, a CCPA violation that could invite further California Privacy Protection Agency (CPPA) enforcement, with fines up to $7,500 per intentional violation.

Captain Compliance’s Prescient Warning

Captain Compliance, our leading privacy software company, called out Tea’s vulnerabilities in our recent analysis, warning that the app’s “legacy data system” and lack of encryption posed a “litigation risk for private right of action lawsuits” under CCPA. We highlighted the absence of basic cybersecurity practices, such as regular audits and secure storage, predicting that additional breaches were likely if Tea failed to overhaul its infrastructure. The second breach, exposing 1.1 million messages, validates this foresight, underscoring the need for proactive compliance to prevent cascading failures and why you need to use privacy software to protect data subjects.

Captain Compliance advocated for mandatory encryption, swift breach notifications, and robust incident response plans—measures that are often neglected. The analysis emphasized that apps handling sensitive data, especially for vulnerable populations, must prioritize privacy-by-design to avoid becoming “one hack away from exposure.” Had Tea implemented these recommendations after the first breach, the second leak might have been averted; now these lawsuits could put the app out of business.

Mitigation Strategies: How Captain Compliance Can Help

To prevent future breaches and mitigate litigation risks, Tea and similar apps must adopt rigorous compliance frameworks. Captain Compliance offers tailored solutions, including our leading Consent Management Platform (CMP), Data Subject Rights Software, and Privacy Policy Generator, to fortify defenses:

  • Consent Management Platform (CMP): Ensures granular user consent for data collection, blocking trackers until opt-in. It logs consents for audit trails, supporting defenses against CCPA claims, and integrates with APIs to enforce deletion requests, addressing issues seen in Tea’s retained data.
  • Privacy Policy Generator: Creates dynamic, CCPA-compliant policies disclosing data practices and retention periods, countering misrepresentation claims under CCPA §1798.100. Auto-updates for regulatory changes (e.g., 2025 CPPA rules) ensure ongoing compliance.

Lessons for Other Apps Dealing With Sensitive Data

The Tea app’s double breach—72,000 images followed by 1.1 million messages—exposes the fragility of apps that prioritize growth over security. For privacy professionals, the takeaway is clear: robust encryption, access controls, and compliance partnerships are non-negotiable. Captain Compliance’s prescient warnings and solutions offer a roadmap for apps to rebuild trust and avoid costly class action lawsuits.

Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo or start a trial now.