The Tea App Hack: A Stark Warning About Age Verification Vulnerabilities


TL;DR: The Tea app hack demonstrates what we’ve been saying for a while now. The Online Safety Act puts people at risk if there’s a data breach at the age verification software providers.

The recent news of the hack of Tea, a dating safety app, serves as a sobering reminder of the inherent risks associated with digital identity verification systems. What was designed as a safe space for women to share information about potential dating partners has become a cautionary tale about the vulnerabilities that arise when platforms collect and store sensitive personal data for verification purposes.

What Happened with the Tea app hack?


Tea, a women-only dating safety app that allows users to check whether potential partners are married or registered sex offenders and share “red flag” behaviour anonymously, suffered a significant data breach in July 2025. Hackers accessed approximately 72,000 images, including 13,000 verification photos and images of government IDs from users who had signed up before February 2024. And it’s not just the women-only version having problems either: TeaOnHer, a men-only version of the Tea app, has previously leaked users’ data.

The app, which had experienced a surge in popularity and briefly became the top free app in the Apple App Store, requires users to take selfies to prove they are women. It claims these verification selfies are deleted after review.

However, the breach revealed that the hacker accessed a database from more than two years ago, with the Tea spokesperson stating that

“This data was originally stored in compliance with law enforcement requirements related to cyberbullying prevention.”

The situation became even more serious when a second security issue was discovered, revealing that hackers could access more than 1.1 million user direct messages spanning from early 2023 to last week, containing intimate personal information that made it easy to identify users’ real identities.

The Human Cost of the Breach

The impact of this breach extends far beyond technical statistics. The app’s popularity had angered some men, prompting a thread on the right-wing troll message board 4Chan calling for a “hack and leak” campaign.

Following the breach, alleged victims’ identification photos were posted on 4Chan and X, with a Google Maps user even creating a map purporting to show the locations of affected Tea users.

What makes this breach particularly troubling is that it was trivial for researchers to find the real world identities of some users given the nature of their private messages, despite Tea encouraging users to choose anonymous screennames and promising privacy. Users could be easily identified through social media handles, phone numbers, and real names shared in what they believed were private conversations.

The Age Verification Problem

This incident highlights a fundamental issue with age verification systems that the Online Safety Act seeks to implement across various platforms. The Tea app’s verification process required users to submit selfies and, in many cases, government-issued identification documents. While this was ostensibly for user safety and platform integrity, it created a honeypot of sensitive personal data.

The contradiction is stark: Tea claimed that verification photos were

“deleted after review,”

yet the company later admitted that data was

“stored in compliance with law enforcement requirements related to cyberbullying prevention.”

This discrepancy between public promises and actual data retention practices is precisely the kind of issue that could plague age verification systems mandated by the Online Safety Act.

Implications for the Online Safety Act

The Tea app hack offers several critical lessons for the implementation of age verification under the Online Safety Act:

Data Retention vs Privacy Promises

Companies may claim to delete verification data immediately, but legal requirements, business needs, or technical implementations may result in longer retention periods than users expect or consent to. The Tea incident demonstrates how verification data stored

“for compliance”

can become a liability years later.

Attack Surface Expansion

Every piece of personal data collected for verification purposes expands the potential attack surface for malicious actors. When platforms collect government IDs, selfies, and other verification materials, they become high-value targets for hackers and hostile actors seeking to weaponise personal information.

Verification vs Anonymity

The Tea app’s core value proposition relied on allowing women to share information anonymously. However, the verification requirements and subsequent breach effectively eliminated this anonymity for thousands of users. This tension between verification and privacy protection is inherent in many age verification systems.

Targeting and Harassment Risks

The breach was allegedly triggered by organised harassment campaigns on platforms like 4Chan, demonstrating how verification data can be weaponised by bad actors specifically targeting vulnerable communities. Age verification systems could similarly expose young people and other vulnerable users to targeted harassment if breached.

Technical and Regulatory Considerations

The Tea app hack incident reveals several technical and regulatory gaps that must be addressed:

  • Data Minimisation: Platforms should collect only the minimum data necessary for verification and implement robust deletion policies that are actually followed in practice.
  • Distributed Verification: Rather than centralising sensitive verification data, systems should explore distributed or zero-knowledge verification approaches that confirm age without storing identifying information.
  • Breach Response: The Tea incident showed how quickly personal data can be weaponised following a breach. Platforms implementing age verification must have robust incident response plans that prioritise user safety over corporate reputation.
  • Regular Security Audits: The fact that Tea’s breach involved databases from “more than two years ago” suggests insufficient ongoing security monitoring of stored verification data.
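
A minimal sketch of the Data Minimisation and Distributed Verification points above, added here as an illustration and not taken from Tea or any verification provider: the verifier checks a date of birth once and issues a signed "over 18" token that carries no identity, so the platform has nothing identifying to retain. All function names and the key are hypothetical; HMAC stands in for the asymmetric signature a real deployment would use, and this is a signed attestation rather than a zero-knowledge proof.

```python
import base64, hashlib, hmac, json, secrets
from datetime import date

# Constructed demo key (assumption). With a real asymmetric scheme the verifier
# holds the private key and the platform only the public one.
VERIFIER_KEY = b"constructed-demo-key-not-for-production"
TOKEN_TTL = 600  # seconds a token stays valid


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def issue_age_token(date_of_birth: date, today: date, now: int, min_age: int = 18):
    """Verifier side: compare the age once, return a token with no identity in it."""
    # The date of birth is used for this comparison only and is never stored.
    had_birthday = (today.month, today.day) >= (date_of_birth.month, date_of_birth.day)
    age = today.year - date_of_birth.year - (0 if had_birthday else 1)
    if age < min_age:
        return None
    # The claim holds a threshold, an expiry and a random nonce: no name, photo or ID.
    claim = {"over": min_age, "exp": now + TOKEN_TTL, "nonce": secrets.token_hex(8)}
    body = json.dumps(claim, sort_keys=True).encode()
    tag = hmac.new(VERIFIER_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def accept_age_token(token: str, now: int, min_age: int = 18) -> bool:
    """Platform side: check signature and expiry; only the boolean needs keeping."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
        expected = hmac.new(VERIFIER_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # altered or forged claim
        claim = json.loads(body)
        return claim["over"] >= min_age and claim["exp"] > now
    except (ValueError, KeyError, TypeError):
        return False  # malformed token
```

A breach of a platform that stores only the accepted/rejected result exposes no selfies or ID images, because none were ever held there.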

Moving Forward Safely

The Online Safety Act’s age verification requirements are well-intentioned, aiming to protect children from harmful content online. However, the Tea app breach demonstrates that the cure could be worse than the disease if not implemented thoughtfully.

Regulators and platforms must work together to develop age verification systems that:

  • Minimise data collection and retention
  • Use privacy-preserving technologies where possible
  • Implement robust security measures appropriate to the sensitivity of the data
  • Provide clear, honest communication about data practices
  • Include strong breach response procedures that prioritise user safety

The women who used Tea believed they were joining a safe space to protect themselves and others. Instead, they found their most sensitive personal information exposed to the very people they were trying to avoid. This sobering reality must inform how we approach age verification systems to ensure that our efforts to protect online safety don’t inadvertently create new vulnerabilities for the very people we’re trying to protect.

The Tea app breach is a glimpse into the future. 

The Tea app hack isn’t just a cybersecurity incident; it’s a preview of what could happen when age verification systems are implemented at scale without adequate safeguards. We must learn from this breach to build better, safer systems that protect privacy while achieving legitimate safety goals.
