The company behind the popular app Tea Dating Advice, which allows women to anonymously share information about the men they date for safety purposes, confirmed on Friday that 72,000 images — including about 13,000 user images submitted during account verification — were accessed in a data storage breach.
When creating an account on the Tea app, users are asked to submit a selfie to “verify that you are a woman.” The app says photos are deleted following account approval.
Another 59,000 images that were accessed were “publicly viewable in the app from posts, comments and direct messages.” Tea said the breach impacted users who registered before February 2024.
The breach raises privacy and safety questions about sharing selfies on apps and how users can protect themselves.
Rachel Tobac, CEO and co-founder of SocialProof Security, told CNN that while a selfie “by itself is seemingly innocuous,” it could be used to hack bank accounts and other programs when coupled with government-issued identification.
She recommended that Tea users consider freezing their credit, using data brokerage site removal tools, making social media accounts private, using a password manager and multifactor authentication.
Tobac said identity verification or age verification has become increasingly popular but is a risky choice for companies.
“Any information that you collect, you have to protect. And the more information you collect, the more interesting of a target you are for cyber criminals,” Tobac said.
And accepting facial recognition as the norm can also add to the risk of how law enforcement agencies or hackers can use information against consumers, said Albert Fox Cahn, founder and executive director of the Surveillance Technology Oversight Project.
“We all know online dating can be toxic, but the solution isn’t more surveillance,” Cahn said.
Cahn recommended that consumers think twice about sharing data with companies because “opting out is really the best protection we have.”
Tea is hardly the first dating-related service to have a security breach. In February 2014, dating app Tinder was revealed to have a technical issue that could provide the physical location of it users without their consent. In July 2015, the company behind Ashley Madison, a dating site for people interested in cheating on their spouses, said hackers had obtained the personal data of millions of members.
Some companies and governments have taken action. Tinder offers a verification process using government-issued documents. In May, Texas Gov. Greg Abbott signed a law requiring Google and Apple to verify app store users’ ages.
Additional threats from AI-driven attacks
Selfies and images can be a “data goldmine” for artificial intelligence-driven data attacks, said Richard Blech, CEO and co-founder of AI security firm XSOC Corp.
That data could be used to train facial recognition spoofing, biometric bypassing and deepfakes.
Images accessed in a breach could also be used for fraud and other misrepresentations, said Blech.
He said anyone whose images were accessed should be more diligent with their credit reports because biometric data “isn’t going to expire.”
“You’re not getting a new number or changing your password,” Blech said. “There’s going to be action on that stolen information. There’s no question about it.”
For more CNN news and newsletters create an account at CNN.com
