This past summer, Tea, one of the fastest-growing dating apps globally, publicly disclosed a security incident involving exposed user data and internal application files.
Quick Summary – TLDR:
- A misconfigured cloud storage bucket exposed tens of thousands of user images and internal app files.
- Researchers claim the exposure also included over 1 million private messages, contradicting Tea’s initial statement.
- The incident highlights ongoing gaps in application security, including access control, monitoring, and secret handling.
- Misconfigurations now cause more app breaches than advanced exploits.
What Happened?
In July, popular dating app Tea confirmed a major data exposure after researchers found a publicly accessible Google Firebase cloud storage bucket containing sensitive user content and internal files and shared their findings on 4chan forums.
The exposed data included around 72,000 images, among them ID verification selfies and photos from posts and messages, along with plaintext secrets and config files. Tea insisted that no email addresses or phone numbers were leaked, but researchers say the bucket also held more than 1 million private messages dating back to 2023, significantly widening the impact.
Who Discovered the Exposure?
The exposure was discovered by independent security researchers performing internet-wide scanning for exposed assets, meaning that Tea had no visibility into how long the bucket was exposed or who may have accessed it beforehand.
Timeline of events:
- Mid-July 2025: Independent researchers discover a publicly exposed Tea cloud bucket during routine internet-wide scanning.
- July 20-22, 2025: Researchers notify Tea and attempt coordinated disclosure.
- July 22, 2025: Tea revokes public access, removes exposed secrets, and begins an internal investigation.
- July 27, 2025: The company publishes an official statement confirming the incident and initiates mandatory notifications.
Multiple Security Failures Left the App Exposed
Several security gaps contributed to the magnitude of this incident. The main one is the publicly accessible cloud storage bucket, which allowed anyone to view or download sensitive files. The sensitivity of the data the bucket held is even more concerning: it included everything from ID selfies and personal messages to internal config files and plaintext tokens.
Lastly, the company had no idea the bucket was public, nor did it have any alerting in place to notify it about unusual access or permission changes.
The Tea Breach Signals a Bigger Problem
The Tea incident highlights a broader issue with application security: more breaches now come from misconfigurations than from advanced exploits.
Throughout 2025, incidents involving Salesforce, Oracle, and other major platforms all had the same root cause: misconfigured cloud assets that were never meant to be public.
Response from the Company
Tea was quick to react after being notified by the security researchers. It restricted access to the bucket, revoked the exposed secrets, and notified the relevant regulators.
However, its claim that there is no evidence of malicious exploitation is impossible to verify, as the company had no insight into who had accessed the bucket, when, or for how long. Criminals scan for these things every day, so it’s very likely that someone saw the data before the researchers.
Application Security Lessons from the Tea Breach
The Tea incident shows how easily modern apps can expose user data without basic security hygiene. Strong IAM controls, secrets management, and strict bucket permissions are security 101, yet many fast-growing apps overlook them.
Continuous monitoring is equally important. Real-time logging and anomaly detection are not difficult to set up and can easily flag most misconfigurations. These simple controls are all that most apps will ever need to prevent a disaster like Tea’s.
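As an added illustration of the bucket-permission check described above (not code from Tea or from the original article), the following Python audits Cloud Storage IAM policies for grants to the public principals `allUsers` and `allAuthenticatedUsers`. It assumes the policies have already been exported as JSON, for example with `gcloud storage buckets get-iam-policy`; the bucket names and members in the sample are constructed, and Firebase Security Rules are a separate layer it does not cover.

```python
import json

# Cloud IAM principals that make a binding public.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def public_bindings(policy):
    """Return (role, member, has_condition) for each public grant in one policy."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((binding.get("role", ""), member, "condition" in binding))
    return findings


def audit(policies):
    """Map bucket name -> public grants, listing only buckets that have any."""
    report = {}
    for bucket, policy in policies.items():
        hits = public_bindings(policy)
        if hits:
            report[bucket] = hits
    return report


# Constructed sample: bucket names and members are hypothetical.
SAMPLE_POLICIES = json.loads("""
{
  "example-app-uploads": {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.objectAdmin",
     "members": ["serviceAccount:backend@example-app.iam.gserviceaccount.com"]}
  ]},
  "example-app-private": {"bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["group:support@example.com"]}
  ]},
  "example-app-legacy": {"bindings": [
    {"role": "roles/storage.legacyObjectReader",
     "members": ["allAuthenticatedUsers", "user:dev@example.com"]}
  ]}
}
""")

if __name__ == "__main__":
    for bucket, hits in audit(SAMPLE_POLICIES).items():
        for role, member, conditional in hits:
            print(f"PUBLIC {bucket}: {member} has {role} (conditional={conditional})")
```

Run on a schedule against every bucket in a project, a non-empty report is the alert the article says Tea lacked.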
SQ Magazine Takeaway
The Tea incident is a pointed case study in how not to handle cloud assets in a modern application environment. Simple negligence can leave years of sensitive data wide open to the internet. Credit goes to the independent researchers who uncovered the exposure, but app owners shouldn’t be relying on outsiders to catch their misconfigurations. Basic cyber hygiene and application security posture management (ASPM) must become the bare minimum if you don’t want to make the headlines for all the wrong reasons.
