Tea, a viral dating advice app, suffered a major data leak, exposing 72,000 user images as well as direct messages. According to reports, the app itself left a Firebase storage bucket publicly accessible, with no authentication, encryption, or access controls — meaning anyone with the URL could access all the data.

Tea had already drawn scrutiny for potentially violating the privacy of the men talked about on the site, as well as the risk of it being used as a “man‑shaming” or vigilante‑justice platform.

In its marketing, the app claims to help women spot “red flags,” get anonymous advice, run background checks, and conduct sex offender searches. However, it also allows users to share actual pictures of men as well as divulge their personal information.

Now, in a span of just a week, the app has been the subject of at least two leaks. The breach first came to light when users from the 4chan forum started posting about an exposed database hosted on Firebase. Immediately, others started pilfering through the data, publicly posting photos, message contents, and more on the internet.

As one 4chan user put it, “Yes, if you sent Tea App your face and drivers license, they doxxed you publicly! No authentication, no nothing. It’s a public bucket.”

Claiming to have over 4 million users, Tea briefly hit the #1 downloaded free app on the Apple App Store and had over 100,000 downloads on the Google Play Store. While it remains online, a spokesperson told CBS MoneyWatch that “Out of an abundance of caution, we have taken the affected system offline.”

Tea also told 404 Media that it’s launching a “full investigation” into the matter with the help of a third-party cybersecurity firm and law enforcement.

Of the 72,000 images, roughly 13,000 were of selfies or photo identification used for account verification (such as driver’s licenses). The balance was derived from direct messages or posts and comments that were publicly viewable on the app. 404 Media also reported that hackers may now have access to 1.1 million messages, some of which are from recent conversations regarding sensitive topics such as infidelity, abortion, and personal contact details.

The incident exposes the risks of using apps that collect a broad range of sensitive data and require extensive permissions, especially in light of new photo-ID verification requirements like those in the UK. While it didn’t play a role in this incident, mobile apps are also being increasingly used to spread malware, heightening the need for caution.