I Knew the Viral ‘Tea’ App Was Trouble, but I Didn’t Expect a Data Breach


If you have been paying attention to your social feeds of late, you may have heard the recent chatter about Tea, an app that functions like Yelp—but instead of rating and reviewing restaurants and stores, women are passing judgment on men they know. The app has been around since 2023, but for reasons I can’t identify, it rocketed to the top of Apple’s App Store chart this week. It was the first I’d heard of it, and I thought it sounded like an awful idea. And today, my instincts have already been proven right—though not in the way I expected.

It seems 4chan and Reddit users have successfully engineered a data breach, obtaining and disseminating user verification images—including photos of driver’s licenses—that were submitted when women signed up for the service. A spokesperson for the app confirmed to me that, “Tea identified unauthorized access to one of [its] systems and immediately launched a full investigation to assess the scope and impact.” The initial results of this effort suggest “the incident involved a legacy data storage system containing information from over two years ago. Approximately 72,000 images—including approximately 13,000 images of selfies and photo identification submitted during account verification and 59,000 images publicly viewable in the app from posts, comments, and direct messages—were accessed without authorization.”

Basically, things escalated very quickly, going from viral popularity to a hack within days. Regrettably, I already submitted my own verification image, as I’d intended to write about the suddenly everywhere app. While I am technically still writing about it now, I’m annoyed about my possible inclusion in the breach, though it appears more recently-created accounts may be safe (for now).

If this is all news to you, allow me to, as they say, spill the tea.

What is the Tea app?

Tea is an app that was launched two years ago and which went viral this week, becoming the most-downloaded free app on the Apple App Store. Its tagline is “Dating safely for women” and it advertises that users can “run background checks,” “identify potential catfish,” and “verify he’s not a sex offender,” among other things. A notable feature is the ability to assign a given man a red or green flag, the same way you might append a like or laughing emoji to someone’s Facebook status. Per Tea, you should be able to “find verified green flag men” this way, and avoid a red-flag man.

In practice, it works like this: Women log in with anonymous usernames to rate and review men they have interacted with. You can search for a man to see what other women said about their purported experiences with him. The idea is that women can use the service to vet someone before a first date, dig deeper on a man’s background before getting serious, or find out if a boyfriend is cheating. Men are not allowed to register for accounts on the app at all, so they have no input on what is said about themselves or others.

It functions similarly to “Are We Dating the Same Guy?” Facebook groups and forums that have popped up in major cities in recent years, providing another outlet where women can discuss men they’ve dated with some degree of anonymity. I’ve never liked these groups myself, because while I recognize the value in being able to identify abusers, cheaters, and general fraudsters—and personally know women who have used the groups to do just that, including one who received a tip that helped her uncover legal documentation of prior domestic violence accusations against her now-ex—I worry that the lack of anything resembling due process will leave innocent people open to major reputational damage.

I’m not telling victims to remain silent about abuse they’ve suffered, but it’s not hard to imagine a post about an abusive or narcissistic man might have actually been written by a jealous friend, a competitive co-worker, or a jilted (but otherwise unharmed) ex. A disinterest in inadvertently joining a misinformed mob has generally kept me away from those groups, but when I saw people lodging these same complaints about Tea on social media last night, my interest was piqued, which is when I downloaded it to see what the buzz was about.

The data collected, and what we know about the breach

When I tried to create an account, I was first greeted with a screen that let me know the app was totally anonymous and screenshots were impossible. I screenshotted that message to test it out and it appeared blank in my camera roll. (You know all the old wisdom about how if you have to do something in secret, you maybe shouldn’t be doing it? Yeah.)

Next, Tea asked me to prove I was a woman. Ignoring the rigidity of that framing (and the potential implications for LGBTQ+ people) for the moment, I snapped a selfie with the in-app camera. The picture was hideous—I had just finished my weekly at-home facial peel—but that’s what I get for involving myself in this mess. But I digress. (Actually, I don’t: The fact that I’m upset someone may see something unflattering and private about me without my consent kind of underscores the problem with the app’s basic premise.)

As noted, Tea issued a statement to me and our friends over at CNET saying the hacked photos are from a “legacy data system” containing information that is over two years old, and there is “no evidence” to suggest more recent images or information have been leaked. Honestly, that doesn’t make me feel better. The worst-case scenario for me is that the information is wrong and recent verification photos are out there. The best-case scenario is still one where 13,000 other users have had their data exposed. Still, the Tea rep says the app’s developer has “engaged third-party cybersecurity experts” and is working to secure the system.

“Protecting our users’ privacy and data is our highest priority. Tea is taking every necessary step to ensure the security of our platform and prevent further exposure,” she says. “We are committed to transparency and will provide updates as more information becomes available.”

Eventually, after I took my picture, the app told me I could earn free lifetime access by inviting three other women. I sent one invitation to my own phone number and two to friends, following up with a message that said, “Testing for work, disregard.” One of them was curious and downloaded the app. Now she’s worried about the breach, too, and that’s my fault. When you lie down with dogs…



I still haven’t gotten to try Tea myself

After sending in my selfie, I was put on a waitlist while, supposedly, someone on the Tea staff verified my photo was, I guess, womanly enough. I remained on that waitlist from 7 p.m. last night until this afternoon, but where there once was a message in my app about waiting for verification, I now just see a spinning loading icon. Though the app is still available for download, my own onboarding seems to have stalled, though I can’t say for certain whether that has anything to do with the data breach. (I’ve asked for clarification and will update this story when I hear back.)

For what it’s worth, at no point was I asked to submit a photo of my government ID, though I’m not sure if that would have been the next step after getting off the selfie waitlist or if that level of verification has been phased out in favor of the in-app selfie. From what I’ve seen on social media, though, there are plenty of Tea users’ ID pictures floating around.

At some point, I may still be able to actually access the app, at which point I will provide an update on what it’s like in there.

I saw disaster coming

While I didn’t necessarily expect a vengeance-fueled data breach by internet reactionaries who took issue with Tea’s raison d’etre, I did anticipate things would not turn out well the minute I saw some viral posts about the app. That’s because, at the risk of outing myself as an elder millennial, I’ve seen this all before. In late 2013, I tried an app called Lulu that served almost the same function. It also initially barred men from access, and actually gave women the opportunity to link a man’s personal Facebook details to his Lulu page without his consent. Where Lulu was a bit girlier and took more delight in gossip, Tea claims to be more focused on safety, but the general gist is similar.

Lulu is offline after a 2016 acquisition that saw the removal of the man-rating feature, followed by its quiet exit from the app store, but the app spent some years undergoing massive retooling in response to the initial criticisms leveled against it. It ultimately granted men access and gave them the ability to opt out of being featured. (Other rate-a-man services have also drawn criticisms: At least one man has sued over his inclusion in an “Are We Dating the Same Guy?” group.)

I think I am so put off by Tea because I actually used Lulu when I was in college. It revealed unsavory and disappointing things about some men in my life—but realistically, I wouldn’t have even downloaded the app if I didn’t already harbor suspicions, so what was the point of invading their privacy just to confirm what I already felt, if not knew? Lulu didn’t allow for detailed comment, but it gave users a variety of coy hashtags to apply to a man, ranging from #GlobeTrotter to #TotalF—ingDickhead. It was unnecessarily vindictive, and what’s worse, I didn’t just use it to assess potential romantic partners; out of curiosity and selfishness, I even invaded the privacy of my platonic male friends, who were horrified to learn (from me) that they had nonconsensual profiles on an app they’d never even heard of. After seeing how violated they felt, I deleted it out of guilt.

Don’t rate people

Any “Yelp for People” concept is always going to be a terrible idea, especially when it’s hamfistedly tied to the archaic idea that dating is nothing more than a confrontational battle of the sexes instead of a good-faith effort to get to know potential partners who could enrich your life while delicately sidestepping those who can’t.

But even as I anticipated disaster, what I did not anticipate was how fast Tea would crumble, nor how poetically—though certainly I disagree as (or more) vehemently with the release of women’s driver’s license and verification photos as I do with the anonymous rating of men’s personalities. You could say Tea users got a taste of their own medicine, but it’s medicine no one should have been taking in the first place.
