VibeAudits
SecurityBlog Post

She Thought Her Dating Photos Were Private. Then Came the Breach.

The Tea Dating App Disaster: How One Misconfigured Bucket Exposed 72,000 Private Photos

September 13, 2025
1 min read

What Happened?

In July 2025, Tea - a dating app marketed as a "safe space for women" - suffered one of the most devastating privacy breaches in dating app history. Over 72,000 intimate photos, including driver's licenses and verification selfies, were exposed to the internet.

The cause? A single misconfigured Firebase storage bucket.

The Breach Timeline

Day 1: Someone discovers Tea's Firebase bucket is publicly accessible - no login required Day 2: A Python script gets posted on 4chan to mass-download everything Day 3: Thousands of women's private photos and ID documents spread across dark web forums

How It Happened

Tea required users to verify their identity by uploading driver's licenses and selfies to prove they were real women. These sensitive verification photos were stored in a Firebase cloud bucket that was accidentally left open to the public.

Think of it like this: instead of putting sensitive documents in a locked filing cabinet, they left them in a box on the sidewalk with a sign pointing to it.

The Real Impact

This wasn't just a technical glitch - it was a human disaster:

  • Women's government IDs circulating on anonymous forums
  • Private verification selfies shared without consent
  • Complete loss of trust in a platform that promised safety
  • Potential identity theft and harassment risks

How This Could Have Been Prevented

1. Proper Access Controls

Never leave cloud storage publicly accessible. Always require authentication.

2. Regular Security Audits

Check all your storage buckets, APIs, and databases for misconfigurations.

3. Data Minimization

Ask: "Do we really need to store driver's licenses?" If yes, encrypt them heavily.

4. Assume You'll Be Targeted

Dating apps are high-value targets. Plan your security accordingly.

The Bottom Line

One misconfigured setting turned a "safe space" into a privacy nightmare. In cybersecurity, there are no small mistakes - only small mistakes that haven't been exploited yet.

Don't let your app become the next cautionary tale.

VibeAudits helps dating and social apps identify these vulnerabilities before they make headlines. Because your users' trust is worth more than the cost of a security audit.

Contact us for a comprehensive app security review.