How Not to Spill the Tea: A Real-World App Security Lesson

Tea, a women-only dating advice app, was built on a simple idea: users anonymously review and share notes about men they dated, from charming quirks to serious red flags. The app marketed itself as a digital whisper network, a place to trade wisdom and warnings in a way that felt empowering and communal.

However, beneath the sleek branding and viral buzz, Tea had the unmistakable fingerprints of a first-time coder: patchwork features, inconsistent performance, and a backend architecture that seemed cobbled together with more enthusiasm than expertise. Those poor decisions inevitably came back to haunt them.

The First Breach

The first breach occurred in late July 2025, when hackers gained access to a legacy Google Firebase storage bucket that was overlooked during Tea's migration to more secure infrastructure. This unsecured bucket contained over 72,000 images, including 13,000 photos of users holding government-issued ID cards (part of Tea's early verification process) and 59,000 other images from posts, private messages, and .

Although the company had since moved to stricter authentication systems, the legacy data remained exposed and accessible to attackers, who swiftly dumped the content online. The second breach was even more damaging.

The Second Breach

Just days later, over 1.1 million private messages exchanged between Tea users from February 2023 to July 2025 were leaked. These messages were meant to be confidential, often containing deeply personal accounts of relationships, trauma, abuse, and intimate experiences.

Many of them included names, phone numbers, and specific meeting locations, making it possible to identify not only the men discussed but also the women who submitted the reports. Although Tea claimed that core contact data like emails and phone numbers weren’t part of the leak, the content of the messages themselves often included that information, voluntarily shared between users.

What Went Wrong

The breaches at Tea were not the result of sophisticated cyberattacks — they were the consequence of painfully basic security oversights: providing direct unauthenticated access from the client to the data on the back end.

This beginner-level mistake was made by including the Google Cloud access key in the app's environment files. This was a cardinal error, as nothing that runs on the client should ever have direct access to the data storage.

What Could Have Been Done

A more secure design would have placed the legacy storage bucket behind a tightly controlled backend API, with authentication and authorization handled server-side, to ensure that only validated and rate-limited requests could access specific resources.

No user, and certainly no app front end, should ever have had unrestricted access to raw storage. Thorough testing should have caught these vulnerabilities long before they reached production.
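The following is an added sketch of the server-side gate described above, not code from Tea or from the original article. It authenticates the caller, rate-limits per user, checks ownership of the object, and only then hands back a short-lived signed link. The key, the ownership table, the function names and the /files/ URL shape are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-key"  # assumption: held only server-side, never shipped in the app
URL_TTL = 60                          # seconds a signed link stays valid
RATE_LIMIT, RATE_WINDOW = 5, 60       # max requests per user per window (seconds)

# Constructed sample data: object path -> owning user id
OBJECT_OWNERS = {"ids/alice/selfie.jpg": "alice", "ids/bob/selfie.jpg": "bob"}
_recent = {}                          # user id -> timestamps of recent requests


def _sign(message: str) -> str:
    return hmac.new(SERVER_KEY, message.encode(), hashlib.sha256).hexdigest()


def issue_session(user_id: str) -> str:
    """Stand-in for a real login flow: returns 'user.signature'."""
    return f"{user_id}.{_sign('session:' + user_id)}"


def _authenticate(token: str):
    user_id, _, sig = token.rpartition(".")
    ok = hmac.compare_digest(sig.encode(), _sign("session:" + user_id).encode())
    return user_id if ok else None


def request_download(token: str, path: str, now=None):
    """Handle one client request; returns (status, signed_url_or_None)."""
    now = time.time() if now is None else now
    user = _authenticate(token)
    if user is None:
        return 401, None                  # not authenticated
    hits = [t for t in _recent.get(user, []) if now - t < RATE_WINDOW]
    if len(hits) >= RATE_LIMIT:
        _recent[user] = hits
        return 429, None                  # rate limited
    _recent[user] = hits + [now]          # denied requests count too
    if OBJECT_OWNERS.get(path) != user:
        return 403, None                  # authenticated but not authorized
    expires = int(now) + URL_TTL
    return 200, f"/files/{path}?expires={expires}&sig={_sign(f'{path}:{expires}')}"


def verify_download(path: str, expires: int, sig: str, now=None) -> bool:
    """File-serving side: the link must be unexpired and signed for this exact path."""
    now = time.time() if now is None else now
    return now <= expires and hmac.compare_digest(sig.encode(), _sign(f"{path}:{expires}").encode())
```

The client only ever holds a session token and a link that expires after a minute; the storage credential stays on the server.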

Testing is Key

Security testing, especially around data access, storage permissions, and API boundaries, is a critical part of responsible development, not an afterthought. Proper test protocols and tools would have flagged the exposure of sensitive credentials, the misconfiguration of public storage buckets, and the absence of access controls.

The Importance of Secure Development Practices

Security is not a destination; it's a process that needs to constantly evolve with your application. Entry-level security checklists warn against such mistakes, but they are often ignored or overlooked due to inexperience and a lack of secure development practices.

A Lesson Learned

The breaches at Tea serve as a cautionary tale for app developers: basic security oversights can have catastrophic consequences. It's essential to prioritize secure development practices, including the principle of least access, keeping credentials out of the code, securing all infrastructure, and thorough testing.