Introduction
The Tea App, a woman-only dating safety platform, was hacked on July 25, 2025, resulting in a major data breach. The incident has exposed about 72,000 user images, which included sensitive photos such as selfies and government IDs. The news came shortly after the app topped the Apple App Store charts this week, gaining nearly a million new signups.
The signup process requires a person to verify that they are women. It requires users to take selfies, which, according to the app, are deleted after review. The hackers breached an old database. “The data was originally stored in compliance with law enforcement requirements related to cyberbullying prevention”, informed the Tea spokesperson to NBC News.
Key information about the breach
- All the data of users who signed up for Tea after February 2024 is secure.
- 13000 images of selfies and other verification images, such as government IDs, have been exposed.
- Other images exposed consist of 59000 publicly viewable images from posts, comments and direct messages.
- Photos accessed cannot be used to link posts within Tea.
- Direct messages from February 2023 through July 2025 were accessible.
Reportedly, Tea’s app data was accessible using Firebase, an app development platform. The platform was used to store the app’s data but was not secured sufficiently, underscoring the importance of securing legacy systems. These have become nodes of attack for hackers to access user data frequently, owing to the lack of security measures deployed to secure them.
Public response to TEA
Tea is a fast-growing app that gained popularity as a virtual whisper network for women. It allows women to share information about men they have dated and participate in anonymous discussions to describe specific men as a “red flag” or “green flag”, while sharing other information about them.
The app generated anger among men, who prompted a “hack and leak” campaign. According to NBC News a message board, 4Chan posted a link seemingly allowing people to download the database of stolen images. Troves of alleged victims’ identification photos have been posted on 4Chan and X. The incident has raised ongoing concerns about the security of personal data shared with dating and vetting apps. Serious issues arise with apps handling sensitive documents such as government IDs.
Company response to the breach
Tea has taken the affected system offline as a safety measure. The company also announced on X, formerly Twitter, that they have hired third-party cybersecurity experts working actively with the Federal Bureau of Investigation (FBI). The team is working round the clock to secure the system. They have emphasised that safeguarding users’ safety and privacy is their top priority and have claimed no evidence of any additional data being accessed currently.
Tea is in the process of identifying individuals who were affected by the breach and will be offering free identity protection services to those individuals.
Stay informed about important cyberbreaches affecting your security over the internet with Tsaaro Consulting. Visit www.tsaaro.com.
Source- Tea app hacked: 13,000 photos leaked after 4chan call to action
News of the Week
- Draft Digital Personal Data Protection Rules, 2025 received 6,915 Inputs from citizens and Stakeholders.
The Draft Digital Personal Data Protection (DPDP) Rules, 2025, which aim to implement the Digital Personal Data Protection Act, 2023, have received 6,915 inputs from citizens and stakeholders during a public consultation process. The official notification posted by the Ministry of Electronics and IT was issued on 26 July 2025. The draft rules were released for consultation in January 2025, open to suggestions up to mid-February. Stakeholders, including individuals, businesses, government bodies, and civil society, have submitted suggestions for the upcoming rules. This extensive feedback reflects public engagement and interest in shaping how India’s data privacy regime should function.
Source- Press Release:Press Information Bureau
- IRDAI fines Star Health Insurance ₹3.39 Cr. for cybersecurity lapses.
The Insurance Regulatory and Development Authority of India (IRDAI) has imposed a penalty of ₹3.39crore on Star Health and Allied Insurance for violating the IRDAI Information & Cyber Security Guidelines, 2023. Star Health, in a regulatory filing, clarified that the breach in compliance was related to certain aspects of data protection and cybersecurity. The company highlighted that the impact is limited strictly to the penalty amount and does not affect its ongoing business operations. Notably, Star Health experienced a cyberattack in October 2024, during which customer data was compromised. The present penalty is seen as part of the IRDAI’s response to such incidents.
- Google issued a warning to 1.8 billion Gmail users at risk.
Google has issued a critical warning to its 1.8 billion Gmail users about a sophisticated scam exploiting its Gemini AI-powered email features. Mozilla’s 0Din security researchers revealed the exploit, and Google has acknowledged the issue. At the same time, Google is working on a fix, it has begun deploying new protections. Google highlighted that real security notifications will never ask users for credentials or direct them to call support through Gemini summaries. This Google incident exemplifies the heightened risk of AI-driven phishing attacks and the need for users to be informed and vigilant.
- Parliamentary panel flags privacy concerns in telecom cyber security norms and urges DoT to fine-tune it.
The concerns center on the Telecommunications (Critical Telecommunication Infrastructure) Rules, 2024 and Telecommunications (Telecom Cyber Security) Rules, 2024, which contain provisions allowing the government to collect “traffic data and any other data”. It has caught attention due to the usage of vague terms. The panel described the phrase “traffic data and any other data” as overly broad and open to the potential for privacy violations. They emphasised that provision for collection of “any other data” lacks clear limits or definitions, raising the risk of unnecessary or excessive data gathering that could infringe on user privacy. The panel has asked DoT to define what types of data can be collected explicitly. The intervention highlights the need for more precise language and stronger privacy safeguards in India’s telecom cyber regulations.
- Comprehensive Cyber Security Audit Policy Guidelines issued by CERT-In.
On July 25, 2025, the Comprehensive Cyber Security Audit Policy Guidelines were issued by the Indian Computer Emergency Response Team (CERT-In). The guidelines provide a standardized, mandatory framework for cybersecurity audits across government, critical infrastructure, and other entities using CERT-In empaneled auditors. It compels organizations to modernize, automate audit readiness, and view compliance as a strategic advantage rather than a regulatory hurdle. The policy is a significant move toward a risk-based and independent cybersecurity audit ecosystem.
