Stefano Gazzella : 2 September 2025 07:35
The “Tea Dating Advice” app reported a data breach on July 25, 2025, involving 72,000 images of users registered before February 2024, including 13,000 selfies and documents uploaded for account verification and 59,000 public images from posts, comments, and direct messages.
Security researcher Kasra Rahjerdi later reported that a second database had also been breached: 1.1 million messages containing identifying information (contacts, social profiles) and conversations from 2023 to the present. The company has confirmed the breach of this database as well and is investigating the matter.
The unauthorized access occurred on a legacy data storage system that was directly reachable via a public URL, on which the data had been retained to fulfil legal obligations regarding the prevention of, and fight against, cyberbullying.
Reading the privacy policy, however, this purpose is not stated; instead it speaks generically of retention “for the time strictly necessary to satisfy a legitimate business interest.”
Finally, some of the content appears to have been exposed on 4chan, with all the consequences that this entails.
The app’s virality has led to great success in the United States, so the amount of personal information leaked is particularly significant in both quality and quantity.
The app’s intended use: “an online community for women to support each other and navigate the dating world,” providing support tools and the opportunity to anonymously share experiences to create a safe space online.
The evidence presents a rather bitter truth: the security of that data had not been managed adequately, given the risks and the particular sensitivity of the data.
Furthermore, the privacy aspect does not appear to have been handled optimally. Reading the privacy notice, it does not meet the standards of clarity or completeness one would expect from an app that handles such sensitive data.
The time-to-market pressure behind the app’s launch is understandable. Much less so is the fact that a detailed version of the privacy notice was published only on August 11, 2025, that is, after the incident. The previous version, however, had remained unchanged since 28 November 2022.
Nevertheless, data retention times continue to be generic:
4) Data Retention
We endeavor to retain your personal information for as long as your account is active or as needed to provide you the Services, or where we have an ongoing legitimate business need. Additionally, we will retain and use your personal information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. You can request deletion of your active account via the Tea app by accessing your “Account” under your Profile.
The “Security of Your Personal Information” paragraph, on the other hand, did change, from this form:
The security of your Personal Information is important to us. When you enter sensitive information (such as credit card number) on our Services, we encrypt that information using secure socket layer technology (SSL). Tea Dating Advice takes reasonable security measures to protect your Personal Information to prevent loss, misuse, unauthorized access, disclosure, alteration, and destruction. Please be aware, however, that despite our efforts, no security measures are impenetrable. If you use a password on the Services, you are responsible for keeping it confidential. Do not share it with any other person. If you believe your password has been misused, please notify us immediately.
to this:
Safeguarding personal information is important to us. While no systems, applications, or websites are 100% secure, we take reasonable and appropriate steps to help protect personal information from unauthorized access, use, disclosure, alteration, and destruction. To help us protect personal information, we request that you use a strong password and never disclose your password to anyone or use the same password with other sites or accounts.
Pretty significant change. In short: it makes you think.
The intended use of a technology or its application is a very interesting topic, especially when addressing the question of its sustainability. In fact, especially in the digital world, much, if not everything, can be done.
But we must ask ourselves not only whether doing it is “right” (and therefore whether the benefits outweigh the costs), but also whether its use takes into account privacy and data security and is capable of guaranteeing their protection. And so the intended use, however fascinating and virtuous, isn’t necessarily sustainable, or sustainable over time. This is why a process of continuous re-examination is required.
The best purposes, as well as the virtue of intent, are not sufficient to protect data.
Because even the road to data hell is paved with the best intentions.