The popular women's dating safety app Tea confirmed on July 25, 2025, that it experienced a massive data breach exposing 72,000 images, including 13,000 selfies and photo identification documents, along with 59,000 images from app posts and direct messages. The breach occurred on the same day the UK's Online Safety Act began requiring robust age verification for digital platforms.
According to a 404 Media investigation, users on the anonymous forum 4chan discovered the exposed database hosted on Google's Firebase platform. The company told 404 Media that "this data was originally stored in compliance with law enforcement requirements related to cyber-bullying prevention," and that it is working to investigate and remedy the situation.
The timing coincides with increasing pressure on digital platforms to implement age verification systems. Tea reached number one in the Apple App Store this week following its 2023 launch. The app verifies that users are women by requiring selfie uploads and government identification documents.
"Yes, if you sent Tea App your face and driver's license, they doxxed you publicly! No authentication, no nothing. It's a public bucket," stated the now-deleted 4chan post that first exposed the vulnerability. 404 Media verified that the platform uses the same Firebase storage bucket that 4chan users cited in their discovery.
The incident demonstrates significant security failures in identity verification systems. Tea's privacy policy stated that user selfies for verification are "securely processed and stored only temporarily and will be deleted immediately following the completion of the verification process." However, the breach suggests images were stored without basic security measures.
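As an added illustration, not Tea's actual configuration (which the page does not show), the first Firebase Storage rules file below leaves every object in the bucket readable and writable by anyone, the kind of setting behind a "public bucket"; the second confines uploads to the signed-in user's own path, restricts type and size, and denies all client reads so that only a backend using the Admin SDK (which is not subject to these rules) can fetch a document. The path layout verification/{uid}/{file} is an assumption.

```text
// File 1 (weak), added example: anyone on the internet can list, read and write
// every object, with no sign-in required.
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if true;
    }
  }
}

// File 2 (hardened), added example with an assumed path layout.
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /verification/{uid}/{file} {
      // Only the signed-in owner may upload, only images, at most 5 MiB.
      allow create: if request.auth != null
                    && request.auth.uid == uid
                    && request.resource.contentType.matches('image/.*')
                    && request.resource.size < 5 * 1024 * 1024;
      // No client may read, overwrite or delete. The verification backend
      // reads the object through the Admin SDK, which bypasses these rules,
      // and deletes it as soon as the check completes.
      allow read, update, delete: if false;
    }
    // Any path not matched above is denied, because no rule grants access to it.
  }
}
```

Security rules only govern access through the Firebase client SDKs; a bucket that is also made public through Cloud Storage IAM (for example an allUsers binding) stays exposed regardless of the rules, so both layers need checking.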
Portugal's citizen card legislation provides important context for why government identification should not be routinely used for online verification. According to the Comissão Nacional de Proteção de Dados (CNPD), the reproduction of citizen cards by photocopy or digitization is only permitted when expressly provided for by law, by decision of a judicial authority, or with the cardholder's consent.
Portuguese Law 7/2007, which regulates the citizen card, establishes in Article 5 that for consent to be valid, it must be effectively free. This means individuals must be given an effective alternative way to prove their identity. The legislation emphasizes that copying citizen cards should only occur when legally mandated, with generic legal references being insufficient justification.
The Portuguese framework requires entities requesting identity document copies to specify the exact legal provision authorizing such collection. Citizens can conceal irrelevant personal data when a legally required reproduction occurs, reducing dissemination risks and preventing misuse.
The European Data Protection Board's Statement 1/2025, adopted on February 11, 2025, established comprehensive principles for age verification that directly address the risks demonstrated by the Tea breach. EDPB Chair Anu Talus emphasized that "the method to verify age must be the least intrusive possible and the personal data of children must be protected."
The European framework mandates that age assurance systems must not enable additional tracking or profiling of users. Service providers must implement effective measures preventing the process from causing unnecessary data protection risks such as identifying, locating, or tracking individuals.
The EDPB recommends that organizations use approaches favoring user-held data and secure local processing, enabling properties such as unlinkability and selective disclosure. The principles emphasize data minimization, requiring service providers to process only the age-related attributes strictly necessary for specified, explicit, and legitimate purposes.
France's data protection authority recently rejected AI-powered age verification cameras in tobacco shops, declaring such systems neither necessary nor proportionate under GDPR requirements. The Commission Nationale de l'Informatique et des Libertés stated that enhanced surveillance systems fail to improve upon existing age verification while creating unnecessary privacy risks.
The UK's Online Safety Act enforcement on July 25, 2025, created immediate challenges for digital platforms. Proton VPN reported a 1,400% surge in UK signups within hours of the law taking effect, as users sought to circumvent mandatory age verification requirements.
Major platforms including Reddit, Bluesky, and Discord now require UK users to verify their ages through government identification scanning, payment card verification, or biometric facial recognition systems. This creates centralized databases linking individual identities to content consumption patterns.
The Tea breach exposed fundamental tensions between child protection goals and privacy rights. Privacy expert Jason Nurse from the University of Kent warned that digital platforms become "unwilling custodians of very sensitive data" when implementing government-mandated verification systems.
"These sites will be entrusted with storing large amounts of personally identifiable information from potentially huge segments of the population. How can we be confident this data will not be misused?" Nurse stated. "Such centralised databases create attractive targets for attackers seeking information for blackmail, extortion or other malicious purposes."
The incident occurred as several European nations implement age verification requirements. Spain requires users to use the Cartera Digital Beta wallet to access adult websites, while Italy mandates the national digital identity system SPID for age verification on gambling and pornographic platforms.
Technical implementation challenges persist across verification systems. The European Commission's mobile "mini-wallet" prototype, expected by summer 2025, aims to reveal minimal information while proving that a user is of age. However, zero-knowledge proof technologies remain largely theoretical, with no suitable solutions currently available for widespread deployment.
The Tea app's security failure highlights how mandatory verification requirements can compromise user privacy while failing to achieve their intended protections. The company's statement claimed "we have no evidence to suggest that images can be linked to specific users," despite photo identification being definitively linked to specific individuals by design.
Several users created automated scripts to collect personal information from the exposed database, according to 4chan posts reviewed by 404 Media. The vulnerability remained accessible for hours before being secured, suggesting inadequate monitoring for detecting unauthorized access.
The breach raises questions about third-party verification services that increasingly handle sensitive personal data. Epic Games' Kids Web Services, used by Bluesky for UK age verification, processes payment card details and biometric data across multiple platforms. Google's partnership with Germany's Sparkasse banking network represents an attempt to create trusted verification frameworks, though privacy advocates question its accessibility and participation requirements.
Regulatory enforcement creates systematic advantages for large platforms capable of managing complex compliance requirements. Smaller operators struggle with verification infrastructure costs and undefined content standards, accelerating market consolidation toward platforms that accept government surveillance requirements.
The incident demonstrates how good intentions regarding child protection can create significant privacy vulnerabilities when implemented through mandatory identification systems. Previous breaches affecting major tech companies' age verification providers, including AU10TIX in July 2024, established that such exposures represent systematic risks rather than isolated incidents.
Age verification requirements fundamentally alter the relationship between users and digital platforms. Traditional anonymous content consumption becomes impossible when platforms must collect and store government identification for legal compliance. This creates comprehensive tracking infrastructure operated by private companies with varying security standards.
The Tea breach serves as a critical warning about the privacy implications of expanding age verification mandates. As governments implement similar requirements globally, the incident highlights the need for technical solutions that protect both children and adults' privacy rights without creating centralized databases vulnerable to malicious exploitation.
Key Terms Explained
Age Verification
Age verification encompasses the technical and procedural systems requiring users to demonstrate their adult status before accessing specific categories of digital content. Under current regulatory frameworks, verification methods include government identification scanning, biometric facial recognition, payment card authorization, and third-party identity services. These systems fundamentally alter the traditionally anonymous nature of internet browsing by creating mandatory identification checkpoints that link user identities to content consumption patterns, establishing comprehensive databases that privacy experts warn create attractive targets for malicious actors.
Data Protection
Data protection refers to the legal and technical frameworks designed to safeguard personal information from unauthorized access, misuse, and exploitation. The concept encompasses principles such as data minimization, purpose limitation, and storage limitation, which require organizations to collect only the information necessary for specified purposes and to retain it for minimal periods. The Tea breach demonstrates how inadequate data protection measures can expose sensitive personal information, highlighting the critical importance of implementing robust security controls when handling identity verification data.
Government Identification
Government identification documents such as driver's licenses, passports, and national identity cards serve as official proof of identity issued by state authorities. The increasing requirement for these documents in online age verification systems creates unprecedented digital archives of sensitive personal information that was traditionally collected only for specific governmental purposes. Portugal's citizen card legislation demonstrates a more restrictive approach to digital reproduction of such documents, requiring explicit legal authorization and providing effective alternatives to protect citizens from unnecessary exposure of their official identification credentials.
Digital Platforms
Digital platforms encompass the online services, applications, and websites that facilitate user interaction, content sharing, and commerce across the internet. These platforms increasingly face regulatory pressure to implement age verification systems while simultaneously serving as custodians of vast amounts of personal data collected through compliance requirements. The Tea app exemplifies how platforms designed for specific purposes (in this case, women's dating safety) become unwilling repositories of sensitive identification documents, creating security vulnerabilities that extend far beyond their original service goals.
Privacy Rights
Privacy rights represent fundamental protections ensuring that individuals can control how their personal information is collected, processed, and shared by organizations and governments. These rights include the ability to access, correct, and delete personal data, as well as the right to object to processing activities that are not legally required. The European Data Protection Board's age verification guidelines emphasize that privacy rights must be balanced against child protection goals, requiring the least intrusive methods possible rather than broad collection of identification documents that exceeds what verification actually requires.
Security Breach
Security breaches occur when unauthorized individuals gain access to protected information systems, potentially exposing sensitive personal data to malicious exploitation. The Tea incident demonstrates how inadequate security measures (in this case, storing sensitive documents in publicly accessible cloud storage without authentication) can lead to widespread exposure of identity verification data. Such breaches create risks extending beyond immediate privacy violations to include potential identity theft, financial fraud, and targeted harassment of vulnerable populations who trusted platforms with their most sensitive personal information.
Online Safety Act
The UK's Online Safety Act represents comprehensive legislation establishing government authority over digital platform content through regulatory frameworks implemented by financial networks and age verification requirements. Enacted in 2023 with enforcement beginning in 2025, the Act requires platforms to implement robust age verification systems, content monitoring mechanisms, and compliance reporting structures. The legislation demonstrates how democratic governments can achieve content control through private sector partnerships rather than direct censorship, creating enforcement mechanisms that operate beyond traditional civil liberties protections while generating significant user resistance.
European Data Protection Board
The European Data Protection Board functions as the independent regulatory authority coordinating data protection enforcement across European Union member states under the General Data Protection Regulation framework. The EDPB's February 2025 age verification guidelines establish ten fundamental principles emphasizing data minimization, necessity, and proportionality in verification systems. These guidelines directly contradict the broad identification collection requirements that led to breaches like Tea's, instead advocating privacy-preserving technologies and user-controlled verification methods that protect both children and adults' privacy rights.
Identity Verification
Identity verification describes the systematic processes organizations use to confirm that individuals are who they claim to be, through authentication methods including document scanning, biometric analysis, and knowledge-based questions. The Tea breach highlights fundamental problems with current verification approaches that require permanent storage of sensitive documents rather than employing privacy-preserving alternatives. Modern identity verification should employ methods such as zero-knowledge proofs and selective disclosure that confirm the necessary attributes without creating centralized databases of personal identification documents vulnerable to security breaches.
Compliance Requirements
Compliance requirements encompass the technical, procedural, and reporting obligations platforms must meet to satisfy regulatory frameworks while avoiding financial penalties and operational restrictions. Under legislation like the UK's Online Safety Act, these requirements include robust age verification systems, content monitoring capabilities, user data collection mechanisms, and regular compliance reporting to government authorities. The Tea breach demonstrates how compliance obligations can create significant security vulnerabilities when organizations prioritize meeting regulatory requirements over implementing appropriate data protection measures, resulting in systems that expose users to greater risks than the original problems the legislation intended to solve.
Summary
Who: The Tea dating safety app, which reached number one in the Apple App Store, experienced a security breach affecting users who submitted identity verification documents. The breach was discovered by 4chan users and investigated by 404 Media.
What: A massive data breach exposed 72,000 images, including 13,000 selfies and photo identification documents, plus 59,000 images from app posts and direct messages. The data was stored in an unsecured Google Firebase bucket accessible without authentication.
When: The breach was discovered and reported on July 25, 2025, coinciding with the UK's Online Safety Act enforcement requiring robust age verification for digital platforms.
Where: The exposed database was hosted on Google's Firebase platform and was accessible globally without security restrictions. The incident affects users who submitted verification documents to access the women-only dating safety platform.
Why: Tea required users to upload selfies and government identification to verify that they were women, claiming to store the data "in compliance with law enforcement requirements related to cyber-bullying prevention." However, the company failed to implement basic security measures, leaving sensitive personal data publicly accessible.