Popular dating app exposes 72,000 identity documents in security breach
Verification system stored users' selfies and government IDs without proper security measures, highlighting privacy risks in mandatory age checks.

The popular women's dating safety app Tea confirmed on July 25, 2025, that it experienced a massive data breach exposing 72,000 images including 13,000 selfies and photo identification documents, alongside 59,000 images from app posts and direct messages. The breach occurred on the same day the UK's Online Safety Act began requiring robust age verification for digital platforms.
According to a 404 Media investigation, users on the anonymous forum 4chan discovered the exposed database hosted on Google's Firebase platform. The company told 404 Media that "this data was originally stored in compliance with law enforcement requirements related to cyber-bullying prevention," and that they are working to investigate and remedy the situation.
The timing coincides with increasing pressure on digital platforms to implement age verification systems. Tea reached number one in the Apple App Store this week following its 2023 launch. The app verifies users are women by requiring selfie uploads and government identification documents.
"Yes, if you sent Tea App your face and drivers license, they doxxed you publicly! No authentication, no nothing. It's a public bucket," stated the now-deleted 4chan post that first exposed the vulnerability. 404 Media verified the platform uses the same Firebase storage bucket that 4chan users cited in their discovery.
The incident demonstrates critical security failures in identity verification systems. Tea's privacy policy stated that user selfies for verification are "securely processed and stored only temporarily and will be deleted immediately following the completion of the verification process." However, the breach suggests images were stored without basic security measures.
Portugal's citizen card legislation provides important context for why government identification should not be routinely used for online verification. According to the Comissão Nacional de Proteção de Dados (CNPD), the reproduction of citizen cards through photocopy or digitization is only permitted when expressly provided by law, by judicial authority decision, or with the cardholder's consent.
Portuguese Law 7/2007, which regulates the citizen card, establishes in Article 5 that for consent to be valid, it must be effectively free. This means individuals must be given an effective alternative to prove their identity. The legislation emphasizes that copying citizen cards should only occur when legally mandated, with generic legal references being insufficient justification.
The Portuguese framework requires entities requesting identity document copies to specify the exact legal provision authorizing such collection. Citizens can conceal irrelevant personal data when legally required reproduction occurs, reducing dissemination risks and preventing misuse.
The European Data Protection Board's Statement 1/2025, adopted on February 11, 2025, established comprehensive principles for age verification that directly address the risks demonstrated by the Tea breach. EDPB Chair Anu Talus emphasized that "the method to verify age must be the least intrusive possible and the personal data of children must be protected."
The European framework mandates that age assurance systems should not enable additional tracking or profiling of users. Service providers must implement effective measures preventing the process from causing unnecessary data protection risks such as identifying, locating, or tracking individuals.
The EDPB recommends organizations use approaches favoring user-held data and secure local processing, allowing properties such as unlinkability and selective disclosure. The guidelines emphasize data minimization, requiring service providers to only process age-related attributes strictly necessary for specified, explicit, and legitimate purposes.
France's data protection authority recently rejected AI-powered age verification cameras in tobacco shops, declaring such systems neither necessary nor proportionate under GDPR requirements. The Commission Nationale de l'Informatique et des Libertés stated that enhanced surveillance systems fail to improve upon existing age verification while creating unnecessary privacy risks.
The UK's Online Safety Act enforcement on July 25, 2025, created immediate challenges for digital platforms. Proton VPN reported a 1,400% surge in UK signups within hours of the law taking effect, as users sought to circumvent mandatory age verification requirements.
Major platforms including Reddit, Bluesky, and Discord now require UK users to verify their ages through government identification scanning, payment card verification, or biometric facial recognition systems. This creates centralized databases linking individual identities to content consumption patterns.

The Tea breach exposed fundamental tensions between child protection objectives and privacy rights. Privacy expert Jason Nurse from the University of Kent warned that digital platforms become "unwilling custodians of very sensitive data" when implementing government-mandated verification systems.
"These sites will be entrusted with storing large amounts of personally identifiable information from potentially vast segments of the population. How can we be confident this data won't be misused?" Nurse stated. "Such centralised databases create attractive targets for attackers seeking information for blackmail, extortion or other malicious purposes."
The incident occurred as multiple European countries implement age verification requirements. Spain requires users to utilize the Cartera Digital Beta wallet for accessing adult websites, while Italy mandates the national digital identity system SPID for age verification on gambling and pornographic platforms.
Technical implementation challenges persist across verification systems. The European Commission's mobile "mini-wallet" prototype, expected by summer 2025, aims to display minimal information while proving majority status. However, zero-knowledge proof technologies remain largely theoretical, with no compatible solutions currently available for widespread deployment.
The Tea app's security failure highlights how mandatory verification requirements can compromise user privacy while failing to achieve intended protections. The company's statement claimed "we have no evidence to suggest that photos can be linked to specific users," despite photo identification being definitively linked to specific individuals by design.
Multiple users created automated scripts to collect personal information from the exposed database, according to 4chan posts reviewed by 404 Media. The vulnerability remained accessible for hours before being secured, suggesting inadequate monitoring systems for detecting unauthorized access.
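One way to close the monitoring gap described above, shown as an added example that is not from the original article or from Tea: a detector that flags unauthenticated reads of verification images and bulk collection by a single client. The log format, the `verification/` prefix, the thresholds and the sample lines are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified, hypothetical log shape:
#   timestamp  client_ip  principal ("-" = unauthenticated)  object_path
# This is not the real Firebase / Cloud Storage audit-log format.
SAMPLE_LOG = [
    "2025-07-25T10:00:00 198.51.100.7 - verification/a1.jpg",
    "2025-07-25T10:00:20 198.51.100.7 - verification/a2.jpg",
    "2025-07-25T10:00:40 198.51.100.7 - verification/a3.jpg",
    "2025-07-25T10:01:00 203.0.113.9 svc-verifier verification/a1.jpg",
    "2025-07-25T10:02:00 198.51.100.7 - posts/p9.jpg",
    "2025-07-25T11:30:00 192.0.2.44 - verification/b7.jpg",
]

SENSITIVE_PREFIX = "verification/"  # assumed location of selfie/ID uploads
WINDOW = timedelta(minutes=5)       # sliding window per client
BULK_THRESHOLD = 3                  # reads inside WINDOW that count as bulk


def parse(line):
    """Split one log line into (timestamp, client, principal, path)."""
    ts, client, principal, path = line.split()
    return datetime.fromisoformat(ts), client, principal, path


def detect(lines, prefix=SENSITIVE_PREFIX, window=WINDOW,
           threshold=BULK_THRESHOLD):
    """Return (kind, client, detail) alerts for reads under `prefix`."""
    alerts, recent, flagged = [], defaultdict(list), set()
    for ts, client, principal, path in sorted(parse(l) for l in lines):
        if not path.startswith(prefix):
            continue  # only identity-verification objects are in scope
        if principal == "-":
            # Any unauthenticated read of a verification image is an incident.
            alerts.append(("anonymous_read", client, path))
        # Keep only this client's reads that are still inside the window.
        recent[client] = [t for t in recent[client] if ts - t <= window] + [ts]
        if len(recent[client]) >= threshold and client not in flagged:
            flagged.add(client)  # alert once per client, not once per read
            alerts.append(("bulk_read", client, len(recent[client])))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

With rules like these feeding an alerting pipeline, the first anonymous read would page the on-call team instead of the exposure going unnoticed for hours.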
The breach raises questions about third-party verification services that increasingly handle sensitive personal data. Epic Games' Kids Web Services, utilized by Bluesky for UK age verification, processes payment card details and biometric data across multiple platforms. Google's partnership with Germany's Sparkasse banking network represents attempts to create trusted verification frameworks, though privacy advocates question accessibility and participation requirements.
Regulatory enforcement creates systematic advantages for large platforms capable of managing complex compliance requirements. Smaller operators struggle with verification infrastructure costs and undefined content standards, accelerating market consolidation toward platforms accepting government surveillance requirements.
The incident demonstrates how good intentions regarding child protection can create significant privacy vulnerabilities when implemented through mandatory identification systems. Previous breaches affecting major tech companies' age verification providers, including AU10TIX in July 2024, established that such exposures represent systematic risks rather than isolated incidents.
Age verification requirements fundamentally alter the relationship between users and digital platforms. Traditional anonymous content consumption becomes impossible when platforms must collect and store government identification for legal compliance. This creates comprehensive monitoring infrastructure operated by private companies with varying security standards.
The Tea breach serves as a critical warning about the privacy implications of expanding age verification mandates. As governments implement similar requirements globally, the incident highlights the need for technical solutions that protect both children and adult privacy rights without creating centralized databases vulnerable to malicious exploitation.
Timeline
- October 26, 2023: UK's Online Safety Act receives Royal Assent
- January 17, 2025: Age verification duties for Part 5 services take effect
- February 11, 2025: European Data Protection Board establishes age verification principles
- July 1, 2025: Germany's Sparkasse partners with Google for digital age verification
- July 10, 2025: Bluesky announces UK age verification implementation
- July 11, 2025: French data watchdog rejects AI age cameras in tobacco shops
- July 17, 2025: Wikipedia files legal challenge against UK categorization rules
- July 20, 2025: Google executive criticizes Meta's age verification approach
- July 25, 2025: Tea app data breach exposed on 4chan; UK online safety law triggers massive VPN surge
Key Terms Explained
Age Verification
Age verification encompasses the technical and procedural systems requiring users to demonstrate their adult status before accessing specific digital content categories. Under current regulatory frameworks, verification methods include government identification scanning, biometric facial recognition, payment card authorization, and third-party identity services. These systems fundamentally alter the traditional anonymous nature of internet browsing by creating mandatory identification checkpoints that link user identities to content consumption patterns, establishing comprehensive databases that privacy experts warn create attractive targets for malicious actors.
Data Protection
Data protection refers to the legal and technical frameworks designed to safeguard personal information from unauthorized access, misuse, and exploitation. The concept encompasses principles such as data minimization, purpose limitation, and storage limitation that require organizations to collect only necessary information for specified purposes and retain it for minimal periods. The Tea breach demonstrates how inadequate data protection measures can expose sensitive personal information, highlighting the critical importance of implementing robust security controls when handling identity verification data.
Government Identification
Government identification documents such as driver's licenses, passports, and national identity cards serve as official proof of identity issued by state authorities. The increasing requirement for these documents in online age verification systems creates unprecedented digital archives of sensitive personal information that were traditionally only collected for specific governmental purposes. Portugal's citizen card legislation demonstrates more restrictive approaches to digital reproduction of such documents, requiring explicit legal authorization and providing effective alternatives to protect citizens from unnecessary exposure of their official identification credentials.
Digital Platforms
Digital platforms encompass the online services, applications, and websites that facilitate user interaction, content sharing, and commerce across the internet. These platforms increasingly face regulatory pressure to implement age verification systems while simultaneously serving as custodians of vast amounts of personal data collected through compliance requirements. The Tea app exemplifies how platforms designed for specific purposes—in this case, women's dating safety—become unwilling repositories of sensitive identification documents that create security vulnerabilities extending far beyond their original service objectives.
Privacy Rights
Privacy rights represent fundamental protections ensuring individuals can control how their personal information is collected, processed, and shared by organizations and governments. These rights include the ability to access, correct, and delete personal data, as well as the right to object to processing activities that are not legally required. The European Data Protection Board's age verification guidelines emphasize that privacy rights must be balanced against child protection objectives, requiring the least intrusive methods possible rather than broad collection of identification documents that exceed necessary verification requirements.
Security Breach
Security breaches occur when unauthorized individuals gain access to protected information systems, potentially exposing sensitive personal data to malicious exploitation. The Tea incident demonstrates how inadequate security measures—in this case, storing sensitive documents in publicly accessible cloud storage without authentication—can lead to widespread exposure of identity verification data. Such breaches create risks extending beyond immediate privacy violations to include potential identity theft, financial fraud, and targeted harassment of vulnerable populations who trusted platforms with their most sensitive personal information.
Online Safety Act
The UK's Online Safety Act represents comprehensive legislation establishing government authority over digital platform content through regulatory frameworks implemented by financial networks and age verification requirements. Enacted in 2023 with enforcement beginning in 2025, the Act requires platforms to implement robust age verification systems, content monitoring mechanisms, and compliance reporting structures. The legislation demonstrates how democratic governments can achieve content control through private sector partnerships rather than direct censorship, creating enforcement mechanisms that operate beyond traditional civil liberties protections while generating significant user resistance.
European Data Protection Board
The European Data Protection Board functions as the independent regulatory authority coordinating data protection enforcement across European Union member states under the General Data Protection Regulation framework. The EDPB's February 2025 age verification guidelines establish ten fundamental principles emphasizing data minimization, necessity, and proportionality in verification systems. These guidelines directly contradict the broad identification collection requirements that led to breaches like Tea's, instead advocating for privacy-preserving technologies and user-controlled verification methods that protect both children and adult privacy rights.
Identity Verification
Identity verification describes the systematic processes organizations use to confirm that individuals are who they claim to be through various authentication methods including document scanning, biometric analysis, and knowledge-based questions. The Tea breach highlights fundamental problems with current verification approaches that require permanent storage of sensitive documents rather than utilizing privacy-preserving alternatives. Modern identity verification should employ techniques such as zero-knowledge proofs and selective disclosure that confirm necessary attributes without creating centralized databases of personal identification documents vulnerable to security breaches.
Compliance Requirements
Compliance requirements encompass the technical, procedural, and reporting obligations platforms must meet to satisfy regulatory frameworks while avoiding financial penalties and operational restrictions. Under regulations like the UK's Online Safety Act, these requirements include robust age verification systems, content monitoring capabilities, user data collection mechanisms, and regular compliance reporting to government authorities. The Tea breach demonstrates how compliance obligations can create significant security vulnerabilities when organizations prioritize meeting regulatory requirements over implementing appropriate data protection measures, resulting in systems that expose users to greater risks than the original problems the regulations intended to solve.
Summary
Who: The Tea dating safety app, which reached number one in the Apple App Store, experienced a security breach affecting users who submitted identity verification documents. The breach was discovered by 4chan users and investigated by 404 Media.
What: A massive data breach exposed 72,000 images including 13,000 selfies and photo identification documents, plus 59,000 images from app posts and direct messages. The data was stored in an unsecured Google Firebase bucket accessible without authentication.
When: The breach was discovered and reported on July 25, 2025, coinciding with the UK's Online Safety Act enforcement requiring robust age verification for digital platforms.
Where: The exposed database was hosted on Google's Firebase platform and accessible globally without security restrictions. The incident affects users who submitted verification documents to access the women-only dating safety platform.
Why: Tea required users to upload selfies and government identification to verify they were women, claiming to store data "in compliance with law enforcement requirements related to cyber-bullying prevention." However, the company failed to implement basic security measures, leaving sensitive personal data publicly accessible.