Two apps that claim to help users date safely by sharing information about abusive or dishonest ex-partners have rocketed to the top of Apple's U.S. app store rankings.
But as it turns out, both apps suffered from serious security flaws that exposed thousands of users' personal data to the internet.
Tea, which became the number one most downloaded app on iPhone in July after going viral, lets women anonymously review men they've dated and bills itself as "the safest place to spill tea".
Last week it was joined at the top of the charts by TeaOnHer, a copycat app that offers to "help men date safe" with "verified reports" about "red flags, safety concerns, and positive experiences".
As of the time of publishing, TeaOnHer was the second most downloaded free app on the U.S. iPhone App Store, while Tea was the third.
Now both apps are facing potential class action lawsuits after hackers and tech journalists discovered that they were spilling a different kind of tea: leaking users' ID documents, selfies, and in some cases emails and private messages.
Tea rapidly took action to close the breach — but not before numerous angry (and seemingly mostly male) internet users gleefully downloaded and shared photos and ID documents from women who had used the app, according to 404 Media.
Meanwhile, one week after TeaOnHer's breach was discovered by TechCrunch, the issue finally appears to have been fixed. But the company behind it has offered no public comment, nor any indication that it has notified users about their drivers’ licenses being leaked.
The company behind TeaOnHer also appears to have little web presence, and questions from The Independent to its only publicly accessible email address resulted in an automated bounceback.
"It turns out that the kind of people who write and launch an app in less than two weeks are not the kind of people who feel the need to implement secure coding practices and strong privacy protections for the sensitive user data they ask you to upload," said Eva Galperin, director of cybersecurity at the privacy-focused Electronic Frontier Foundation, on Bluesky.
The breaches shine a light not only on the dysfunctions of modern dating — and people's hunger for a solution — but also on the ethical quandaries of naming and shaming individual exes online.
‘Are men not allowed to protect their reputations and stay safe too?’
Tea was first launched in 2023, apparently inspired by "Are We Dating the Same Guy" Facebook groups, which serve as an informal (and sometimes controversial) whisper networks about shady and abusive behavior.
"Founder Sean Cook launched Tea after witnessing his mother’s terrifying experience with online dating — not only being catfished but unknowingly engaging with men who had criminal records," the app's about page reads.
As well as user testimonials, the app allows users to run background checks, check criminal records, and search for sex offenders near them. All posts are anonymous, but the app asks users to take a selfie to prove they are a woman, and in the past has asked for photo ID to verify their identity.
"I once had a sexual assault happen when I was younger, and if there had been an app like this I think he would have a lot less victims," wrote one reviewer on Apple's app store.
Another claimed that, within a day or two of using the app, she found evidence that a man she was courting was actually already married, leading her to confront him and then dump him.
Men who gave positive reviews to much newer TeaOnHer protested that they too need protection from and foreknowledge of unscrupulous dates.
"For weeks, women laughed while men were talked about anonymously — true or not — some lied on, and dragged online. But now that the tables are turning, suddenly it's uncomfortable?" wrote one.
"Are men not allowed to protect their reputations and stay safe too? Are men the only abusers/liars/cheaters?"
But other reviewers expressed alarm at what they found on the app, describing posts more focused on exposing women's sexual pasts than on genuine safety issues. "This isn't accountability, this is misogyny under the guise of concern," said one.
‘Under ten minutes’ to steal users’ ID cards
When Tea's data breach was revealed, the app's operators said it had fixed the issue and that it had only affected users who joined before February 2024. Then came a second breach, affecting more recent material and forcing Tea to shut down its direct message function.
The people behind TeaOnHer, however, have said nothing. Its maker Newville Media Corporation has no currently functioning website, and neither the company nor its CEO Xavier Lampkin responded to messages from The Independent.
TeaOnHer’s security was particularly lax. According to TechCrunch, it took less than ten minutes and only “trivial” effort to access driver’s licenses and email addresses, with no password or credentials required.
The app requires all users to submit government ID verification, but its App Store page falsely claims not to collect any data from users
Apple's rules say that app makers must identify all the data they collect on their App Store page, unless it meets certain exception criteria.
The Independent has asked Apple for comment.
Comments