This isn’t a story about a brilliant hack. It’s a story about a door left wide open, and it should serve as a stark warning to anyone who trusts an app with their personal information.
I want to be very clear about what happened with the Tea app, because calling it a "hack" gives the company too much credit. This was a failure so big, so absurdly basic, that it amounts to one of the most staggering betrayals of user trust I’ve ever seen.
The whole point of Tea was safety. Their own privacy policy stated that the selfies and IDs used for verification would be "deleted immediately."
Tea's original promise: User selfies and IDs would be “deleted immediately” after verification. This claim appears in their privacy policy.
Women handed over their most sensitive identity documents believing that promise. They believed they were paying with their data for a promise of security.
That promise was a lie.
All of it, the licenses, the selfies, the private photos, was stored in what’s called a public storage bucket. Think of it as a folder on the internet with no password, no lock, no protection at all. Anyone who found the link could just walk in and take everything.
And they did. The original thread on 4chan where the leak was first exposed is still online: https://boards.4chan.org//pol/thread/511317913/. (NSFW)
The fallout was immediate and horrifying. Within 24 hours, the data was weaponized. Malicious actors took the home addresses directly from the driver's licenses and plotted them on a custom searchable Google Map.
Within hours, stolen data, home addresses included, was mapped out and circulated online, turning a promised “safe space” into a doxxing directory.
The tool of safety became a doxxing directory.
Websites sprang up where users could rate the stolen selfies. (https://web.archive.org/web/20250727062436/https://spill.info.gf/) The promise of a safe space was twisted into a public spectacle of humiliation, and a direct pipeline to identity theft, doxxing, and real-world physical danger.
Only after the damage was done did Tea release a statement. Suddenly, the data that was supposed to be "deleted immediately" was part of an "archived data system" stored to "meet law enforcement standards."
Tea’s official statement, which was released after the leak, attempts to reframe the story as an “archived data system” compromise, contradicting previous promises of instant deletion.
The numbers are sickening. 13,000 selfies and photo IDs. 59,000 other images from posts and messages. And as if that wasn’t enough, a second, separate database was found exposed with 1.1 million private messages. Conversations about cheating partners, pregnancies, and other deeply personal topics, all laid bare.
This is beyond negligence. It’s a fundamental violation of the contract between an app and its users. Tea built its entire brand on the idea of a secure space, and then failed to implement the most elementary security measures while being dishonest in its own privacy policy.
Don’t let this story just be another headline. Let it be a warning. The apps on your phone are not your friends. The companies that make them are not always careful guardians of your life. They ask for your trust, your face, your identity. Before you give it, you have to understand that sometimes, nobody is bothering to even lock the door behind you.