Did the Tea app have a data breach?

Yes. The first exposure was publicly reported around July 25-26, 2025 and involved a misconfigured legacy storage bucket containing verification selfies and IDs along with other images. A second issue identified near July 29, 2025 exposed more than one million private messages, prompting Tea to disable DMs.

What happened with the data breach with the Tea app?

A legacy cloud environment was left misconfigured, allowing public access to about 72,000 images, including verification photos and images from posts and messages. Separately, a vulnerability exposed over 1.1 million private DMs. Tea said account emails and phone numbers weren’t pulled from its core databases, but some DMs contained user-shared phone numbers and locations.

Are there any lawsuits against the Tea app?

Yes. By August 6, 2025, multiple federal class action lawsuits were consolidated in the Northern District of California, alleging inadequate safeguards for personal information and problems with breach notification. Additional investigations and regulatory scrutiny are ongoing.

The Tea App Data Breach

The Tea app data breach wasn’t just one mistake. It unfolded in late July 2025 when a misconfigured legacy cloud storage environment exposed highly sensitive material. What started as leaked verification photos quickly widened into something far more invasive: private, intimate conversations.

This matters because the Tea app data breach involved identity verification selfies and government ID images, plus direct messages. That combination creates real risks. We’re talking about a cascade that starts with regulatory scrutiny and spirals into class action lawsuits, targeted harassment, and situations where people’s images or words get ripped out of context and weaponized online.

This article walks you through what happened in the Tea app leak, the data that was exposed, and the practical lessons you need to know about cloud security and third-party risk. If you handle personal data in any app, the mistakes here should be a wake-up call.

Tea App Data Breach 2025: Timeline of the Attack

Late July 2025. Security researchers and forum users discovered that a legacy Tea storage environment in the cloud had been left wide open. The exposed bucket contained thousands of files used to verify identity – selfies paired with government IDs – alongside images pulled from posts and messages. Files were quickly copied and started circulating on public forums.

July 25-26, 2025. Public reporting confirmed the first exposure. Tea said the affected content related to older accounts created before February 2024. They also emphasized that account emails and phone numbers weren’t taken from their core systems. But that didn’t blunt the harm. Images tied to verification and conversations were now outside the app’s walls, and early Tea users bore the brunt as screenshots and downloads spread.

End of July 2025. A second, separate exposure came to light. An independent researcher found that more than one million private messages were accessible because of a different flaw. These DMs included deeply personal topics and, in some cases, details like phone numbers or meeting locations that users had shared in conversations. On July 29, Tea disabled direct messages “out of an abundance of caution” while they investigated.

This new finding expanded the breach’s scope from static media to live, ongoing communications. It triggered feature shutdowns and put Tea under a legal microscope, raising uncomfortable questions about how they’d been handling data all along.

Data Exposed in the Tea App Breach

The first exposure came from a misconfigured cloud storage bucket that allowed public access to legacy files. A second issue involved insufficiently protected messaging data, which let attackers retrieve private conversations well beyond the initial image leak.

Here’s what was exposed and how it was accessed:

Verification data. Selfies and government ID photos originally uploaded for identity checks were accessible from a legacy, misconfigured storage environment.
Publicly shared images. Photos from posts, comments, and message attachments were copied once the open bucket was discovered.
Private messages. Over a million DMs were exposed through a separate vulnerability. These revealed sensitive topics and, in some cases, user-shared phone numbers, locations, and other personal details.
What Tea said wasn’t taken from core records. The company stated that account emails and phone numbers weren’t pulled from their primary databases. But some DMs contained phone numbers that users had shared in conversation, which means that distinction didn’t offer much comfort.

Regulatory, Compliance, and Third-Party Risk Implications

When you’re exposing identity verification photos, government IDs, and private messages, you’re inviting serious regulatory scrutiny. Regulators don’t care if you promised strong privacy protections – they care whether your actual data handling lives up to those promises.

Tea’s misconfigured legacy cloud storage wasn’t just a one-off bug. It pointed to a fundamental data governance failure. They kept sensitive files sitting in an old environment without proper access controls. That’s not bad luck – that’s bad practice.

And because the affected systems relied on a third-party cloud backend, the situation got even messier. Gaps in configuration and oversight made detection harder and accountability murkier, while breach notification timelines became a tangled mess. Class action lawsuits followed quickly, arguing Tea failed to safeguard personally identifiable information and notify users on time.

The lesson? Vendor choice doesn’t shift liability. You own security outcomes. That includes everything from how you handle legacy data to how tightly you configure cloud environments, how aggressively you monitor them, and how transparently you disclose when something goes wrong.

Lessons Learned from the Tea App Leak

The Tea case shows how quickly trust unravels when legacy systems and cloud rules can’t keep up with growth. Here’s how you can avoid becoming the next cautionary tale.

Secure cloud configuration first: Lock down storage buckets with default-deny access, least privilege, and environment isolation. Treat legacy systems as high-risk until you’ve proven otherwise.
Continuously monitor and test: Run automated scans for open buckets, misconfigured database rules, and exposed endpoints. Add external attack-surface monitoring and alerting to catch what internal tools miss.
Minimize and encrypt sensitive data: Keep only what you need for as long as you need it. Encrypt verification media, and make sure any “we delete after use” promises are actually enforced.
Harden messaging systems: Separate services, restrict API access, and log anomalous reads or exports. Run regular red-team exercises against real-time data paths.
Governance and transparency: Know where your sensitive data lives, enforce real retention policies, and bake security reviews into every release. If a breach happens, disclose the scope, dates, and actions clearly to maintain trust.
Third-party oversight: Build vendor controls into contracts, require configuration evidence, and test them regularly. Responsibility for cloud security may be shared, but accountability is yours alone.

Security leaders often ask how to operationalize these practices across hundreds or thousands of vendors. You need tools that adapt to each relationship and surface risks before they turn into headlines, with a clear path to fix what matters most. Panorays provides an AI-powered third-party cyber risk management platform that helps you tailor assessments, monitor for evolving supply chain threats, and act on prioritized fixes – so your team can reduce risk with fewer manual steps. This aligns with our mission to simplify supply chain cyber risk so companies can securely do business together at scale.

Ready to get a clearer picture of vendor risk and close gaps faster? Book a personalized demo with Panorays.