On July 25th, a data breach of the Tea app exposed more than 72,000 user selfies to anyone on the internet. This alone would’ve made headlines, but this incident is particularly serious from an Operational Security (OPSEC) perspective due to the presence of location metadata in the images.
The Tea app is a social platform where users post anonymous reviews of people they’ve dated or interacted with. It gained popularity quickly, particularly for its focus on gossip and ‘spilling tea’ on the dating pool. The app was available only to women, and to verify their gender, users were required to take a selfie during the signup process.
All of these selfies were stored on publicly accessible cloud storage. They were downloaded by an attacker and made public. Just a few hours later, this map was shared on the internet: an interactive map with the locations of thousands of women who had an account on the Tea app.
The drivers licenses leaked today from the tea app have been uploaded to a searchable map.... this may be the worst PII leak I've ever seen lol pic.twitter.com/qz2lzJreYa
— genddy (@ZTobias114838) July 25, 2025
The thing that made this interactive map possible? Metadata.