Spilled Tea: How TeaOnHer Left Users’ IDs Wide Open
True to the egalitarianism of 2025, the TeaOnHer app (an app for men) has experienced a data incident similar to that of its counterpart app for female users, Tea. Soon after news broke that Tea had exposed the data of its users, Zack Whittaker, security editor at TechCrunch, wrote an exposé describing how he easily searched for and found user data that TeaOnHer seems to have left public. This breach should be a warning to all policy makers and pundits about government plans to mandate age verification.
Here are some of the highlights:
The API documentation also featured the ability to query the TeaOnHer API and return user data, essentially letting us retrieve data from the app’s backend server and display it in our browser.
While it’s not uncommon for developers to publish their API documentation, the problem here was that some API requests could be made without any authentication — no passwords or credentials were needed to return information from the TeaOnHer database. In other words, you could run commands on the API to access users’ private data that should not have been accessible to a user of the app, let alone anyone on the internet.
All of this was conveniently and publicly documented for anyone to see.
Requesting a list of users currently in the TeaOnHer identity verification queue, for example — no more than pressing a button on the API page, nothing fancy here — would return dozens of account records on people who had recently signed up to TeaOnHer.
The records returned from TeaOnHer’s server contained users’ unique identifiers within the app (essentially a string of random letters and numbers), their public profile screen name, and self-reported age and location, along with their private email address. The records also included web address links containing photos of the users’ driver’s licenses and corresponding selfies.
Worse, these photos of driver’s licenses, government-issued IDs, and selfies were stored in an Amazon-hosted S3 cloud server set as publicly accessible to anyone with their web addresses. This public setting lets anyone with a link to someone’s identity documents open the files from anywhere with no restrictions.
With that unique user identifier, we could also use the API page to directly look up individual users’ records, which would return their account data and any of their associated identity documents. With uninhibited access to the API, a malicious user could have scraped huge amounts of user data from the app, much like what happened with the Tea app to begin with.
From bean to cup, that was about 10 minutes…
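The failure the quoted passage describes has two parts: an API endpoint that returned verification-queue records to anyone, and identity documents stored behind permanent public links. The following is an added illustration, not code from TeaOnHer or from the TechCrunch article; the record fields, session tokens, signing key and hostnames are all constructed. It places the unauthenticated "before" handler beside a hardened one that authenticates the caller, requires a reviewer role, drops fields a reviewer does not need, and hands out short-lived signed links (a stand-in for cloud presigned URLs) instead of public object addresses.

```python
import hashlib
import hmac
import time

# Constructed sample data: records like those the article describes in the
# verification queue (identifier, screen name, age, e-mail, ID-document link).
QUEUE = [
    {"id": "u8f3a", "screen_name": "sam", "age": 31, "email": "sam@example.com",
     "id_doc": "ids/u8f3a/license.jpg"},
    {"id": "u21c9", "screen_name": "lee", "age": 27, "email": "lee@example.com",
     "id_doc": "ids/u21c9/license.jpg"},
]
# Constructed session store: bearer token -> role of the caller.
SESSIONS = {"tok-reviewer": {"role": "reviewer"}, "tok-member": {"role": "member"}}
SIGNING_KEY = b"constructed-demo-key"  # placeholder, not a real secret


def vulnerable_queue(request):
    """Before: no authentication, every field, and permanent public links."""
    return 200, [dict(r, id_doc=f"https://public-bucket.example/{r['id_doc']}")
                 for r in QUEUE]


def signed_doc_url(path, ttl=300, now=None):
    """Expiring, HMAC-signed link (stand-in for a cloud presigned URL); the
    object itself stays private, so a leaked link stops working after ttl seconds."""
    exp = int((now if now is not None else time.time()) + ttl)
    sig = hmac.new(SIGNING_KEY, f"{path}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"https://private-docs.example/{path}?exp={exp}&sig={sig}"


def verify_doc_url(path, exp, sig, now=None):
    """Server-side check the document store runs before serving the file."""
    now = now if now is not None else time.time()
    expected = hmac.new(SIGNING_KEY, f"{path}|{exp}".encode(), hashlib.sha256).hexdigest()
    return now <= exp and hmac.compare_digest(expected, sig)


def hardened_queue(request):
    """After: authenticate, authorise by role, minimise fields, sign links."""
    session = SESSIONS.get(request.get("authorization"))
    if session is None:
        return 401, {"error": "authentication required"}
    if session["role"] != "reviewer":
        return 403, {"error": "reviewer role required"}
    # A reviewer needs the document and the claimed age, not the e-mail address.
    return 200, [{"id": r["id"], "screen_name": r["screen_name"], "age": r["age"],
                  "id_doc": signed_doc_url(r["id_doc"])} for r in QUEUE]
```

The same pattern applies to the per-user lookup the passage mentions: the lookup handler should run the identical authentication and role checks before returning any record, since an object identifier is not a credential.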
The TeaOnHer saga demonstrates one of the fundamental realities of cybersecurity and online privacy. Whenever large amounts of user data are aggregated in databases, there is a risk of hacks, data breaches, or similar incidents. Humans are prone to error, and website and app proprietors are no exceptions. That means that flaws in security infrastructure are, to a large degree, inevitable.
For policy makers, the lesson is that policies — such as age verification — that require users to aggregate tremendous amounts of sensitive personal data should be avoided. Whatever the foreseen benefits of such policies, the second-order effects are very dangerous to users’ privacy and cybersecurity. In the digital world, privacy and cybersecurity must be top priorities.
Published on August 22, 2025