Hackers have breached the viral Tea app, leaking tens of thousands of women’s selfies, photo IDs, and private messages online. On Friday, a Tea spokesperson confirmed that roughly 72,000 images were accessed, including 13,000 verification photos and government ID images.

Tea was designed as a women-only platform where users can flag or recommend men, uploading photos and leaving anonymous reviews. To join, users must submit selfies for gender verification, which the app says are deleted after review. Those images are now part of the breach.

The company said the hacker accessed a database from more than two years ago, originally stored “in compliance with law enforcement requirements related to cyberbullying prevention.” Tea said it is working with third-party cybersecurity experts and is “working around the clock to secure our systems.”

A second flaw also exposed more than 1.1 million direct messages, according to 404 Media. Some of the messages contained sensitive personal details that made it easy to identify users. On Monday, Tea confirmed the second breach, stating: “Out of an abundance of caution, we have taken the affected system offline.”

Cybersecurity researcher Kasra Rahjerdi, who discovered the second vulnerability, said others had accessed the exposed database before him, though it’s unclear if it was downloaded. While he had access, he noted, he could have sent push notifications to users.

A 4Chan thread called for a ‘hack and leak’ campaign targeting the app, and on Friday morning, a user posted a link to what they claimed was the stolen image database. Some ID photos have since surfaced on 4Chan and X. A Google Maps page also appeared, allegedly showing coordinates of Tea users impacted by the breach.

Tea says it is contacting affected users and will offer free identity protection services. “Protecting our users’ privacy and data is our highest priority,” the company stated.