Two major security vulnerabilities in the Tea app – which claims to make dating safer for women – have exposed the private chats and personal data of at least tens of thousands of users.

The app, designed to allow women to share “red flags” for men they had dated, claimed four million active users after it hit the top slot in the App Store last week …

The Tea app allows female users to tag men’s dating profiles with one of a number of “red flags,” as well as allowing reverse image searches to identify the men behind the profiles. Red flags range from ghosting contacts through being in an existing relationship to sexual assault.

The app was already proving controversial on privacy grounds, with some men saying it was unreasonable to link their profiles to their social media and more, but that was just the start.

The first Tea app security breach

404 Media last week reported that 4chan users discovered an exposed database containing personal data, including selfies and images of driver’s licenses used to verify their identity to the app.

Users say they are rifling through people’s personal data and selfies uploaded to the app, and then posting that data online, according to screenshots, 4chan posts, and code reviewed by 404 Media. In a statement to 404 Media, Tea confirmed the breach also impacted some direct messages but said that the data is from two years ago.

This is despite the developer claiming that identity documents are deleted after verification.

But it got worse

However, the claim that the data was two years old didn’t last long. In a follow-up report, 404 Media said that hackers were able to access private messages between users – with data as recent as one week ago.
A second, major security issue with women’s dating safety app Tea has exposed much more user data than the first breach we first reported last week, with an independent security researcher now finding it was possible for hackers to access messages between users discussing abortions, cheating partners, and phone numbers they sent to one another. Despite Tea’s initial statement that “the incident involved a legacy data storage system containing information from over two years ago,” the second issue impacting a separate database is much more recent, affecting messages up until last week, according to the researcher’s findings that 404 Media verified. The researcher said they also found the ability to send a push notification to all of Tea’s users.

While the chats were associated with usernames rather than actual names, the site found that the content of the chats meant it was often trivial to identify the account holders. Female users had frequently shared social media links with each other, for example. Similarly, it was just as easy to identify the male account holders accused of wrong-doing.

The reports say that more than 70,000 images have been exposed, but this may just be the tip of the iceberg given the company said it had 1.6M users before the first breach was discovered.

9to5Mac’s Take

Selfies and photo ID used to verify identities should never be retained once the process is complete, and private chats between users should be protected by end-to-end encryption.

That neither of these basic security measures was followed would be of concern in any app, let alone one that claims to protect women, and which actively encourages the sharing of the most sensitive personal data.

It’s also somewhat ironic this happened the week UK law demands that tech companies provide the UK government with backdoor access into private messages.