Women-only dating app Tea hacked — only a day after the UK’s Online Safety Act comes into force

US-based safe dating app Tea that allows women to do background checks on men and share red flags with others has experienced a mass data breach, exposing millions of members’ posts, identity documents, and comments.

Tea said that there had been “unauthorized access” to 72,000 images submitted by women. These images included ones collected during the identity verification process — selfies, driving licenses, and passports. Some images included women holding their verification documents, despite the company saying images were “deleted immediately after verification.”

Tea allows women to reverse-image search men to protect them against “catfishing” (where false identities are used) and sex offenders. The app recently surged in popularity — however, some are claiming it is anti-men.
The app also allows women to share “red flags” on men they have dated — and highlight those with “green flags.”

The company has said that the leaked photos cannot be used to identify posts in the app, despite admitting that 59,000 images that included comments and posts submitted within the app had also been leaked. Screenshots are usually blocked in the app to prevent content being shared outside of it. Some have challenged the app, as it could leave men open to harassment or defamation. The app was set up by Sean Cook, a software engineer — who witnessed his mother’s online dating experiences.

So, what does the UK’s new Online Safety Act have to do with this?

The UK’s new Online Safety Act (OSA) was introduced just a day before this hack, on the 25th of July. This new law requires companies that expose people to “potentially harmful content,” such as pornography, eating disorders, and much more (there is a list set out — with both of these being “primary priority content” — GOV.UK), to verify that users are over 18 before viewing the content. The Act says that platforms should use methods such as verification documents or selfies to verify this.

Tea’s breach has shown us how serious these breaches can be. Yes, the OSA protects children from content they shouldn’t see, or that could be harmful. But if you upload your ID or selfie — it can, and at some point, will be exposed to hackers.

Most identity companies say that they don’t retain your verification information — however, Tea also claimed this, and how did that work out? If a password is breached — just reset it. If your ID is breached — you can’t reset that. To make things worse, criminals have already opened fake websites claiming to offer adult content and requesting ID. Instead of allowing you access — they simply take your ID and sell it on the dark web.

Users can bypass the OSA by simply using a VPN — Proton, one of the largest free VPNs — said their signups originating from the United Kingdom surged 1,400% only minutes after the OSA was introduced. In all honesty, if our teens can hack M&S — they surely know how to download and use a VPN — all you need is an email (or in Proton’s case, not even that — you can use it anonymously).

Instead of giving extra funding to our dying NHS — the Government is choosing instead to fund a bill that can be bypassed with three clicks.