Tea, the viral women’s dating safety app, has turned off direct messages after 404 Media revealed that a vulnerability allowed unauthorized parties to gain access to users’ direct messages, including many in which women discussed their abortions, cheating partners, and phone numbers they sent to one another.
Kasra Rahjerdi, the independent security researcher who first flagged the issue to 404 Media, shared a cache of more than a million Tea direct messages that 404 Media then verified. He said the security issue lasted until late last week. Tea announced late Monday it was turning off direct messages altogether.
“Ladies of Tea,” the message from Tea’s Instagram account, called The Tea Party Girls, starts. “We have an update regarding the cyber incident that took place last week, and wanted to share it with you as soon as possible 💜.”
“We have recently learned that some direct messages (DMs) were accessed as part of the initial incident. Out of an abundance of caution, we have taken the affected system offline. At this time, we have found no evidence of access to other parts of our environment,” the statement continues.
404 Media first contacted Tea about the exposure of direct messages on Saturday. That request for comment included screenshots of some of the direct messages and asked if Tea was aware of their exposure. Tea declined to comment specifically, and instead said “We are continuing to work expeditiously to contain the incident and have launched a full investigation with assistance from external cybersecurity firms.” Tea only took the direct messaging system offline after 404 Media published an article about the exposure on Monday.
The direct messages obtained by 404 Media are incredibly sensitive in nature. Examples include a user discovering their husband being discussed on the app; another shows a woman contacting others about a man she is engaged to; and many of the messages discuss abortions. The chats also frequently include damning accusations against people named in the chats. 404 Media found it was possible to very easily determine the real identities of many of the people sending the messages or being discussed.
Tech companies often take systems offline in response to hacks or cybersecurity incidents revealed by the press. When 404 Media first reported a hacker had targeted TeleMessage, a Signal clone used by the U.S. government, the company suspended operations.
Tea is supposed to provide an anonymous space where women can exchange information about men in order to stay safe. It verifies that users are women by asking them to upload a selfie during the account creation process.
Tea recently topped the U.S. App Store. After that, members of the notorious troll forum 4chan found an exposed Tea database of user selfies and driver licenses and posted those photos online, as 404 Media first reported. Since then, someone has made a website where users can ‘rank’ the photos in order of perceived attractiveness.
A Tea spokesperson told 404 Media in an email on Tuesday, “Our team remains fully engaged in strengthening the Tea App’s security, and we look forward to sharing more about those enhancements soon. In the meantime, we are working to identify any users whose personal information was involved and will be offering free identity protection services to those individuals.”