In late July 2025, a women's dating safety app called Tea made global headlines, not for a milestone, but for one of the most damaging data breaches in recent memory. It's a useful case study for any business that collects personal information through its website or app.
What Happened
Tea is a US-based app that lets women anonymously share information and warnings about men they've dated. Its entire value proposition rested on trust: users were required to verify their identity by submitting a selfie and a government-issued ID.
On 25 July 2025, TechCrunch confirmed that an anonymous post on the message board 4chan revealed Tea had been storing user verification images in an unsecured Google Firebase cloud storage bucket, openly accessible without any password or authentication. Read TechCrunch's original report here.
Tea confirmed the breach the same day. The exposed archive contained approximately 72,000 images: 13,000 selfies and government-issued ID photos submitted for verification, and 59,000 images from user posts, comments, and direct messages.
Days later, a separate vulnerability exposed a database containing more than 1.1 million private messages dating back to early 2023, covering deeply personal topics including infidelity, abortion, and domestic abuse.
NBC News and NPR both independently confirmed the scope of the breach and the company's official statements. Read NBC News' coverage here and NPR's coverage here.
Tea's own privacy policy at the time stated that verification photos were “securely processed and stored only temporarily and will be deleted immediately following the completion of the verification process.” The breach revealed that data from before February 2024 had not been deleted at all.
Class action lawsuits followed within days. By early August 2025, ten separate class actions had been filed in US courts.
What Actually Went Wrong, Technically
This wasn't a sophisticated attack. No encryption was cracked, no zero-day was exploited. The breach happened because of a basic, entirely preventable configuration error.
- Unauthenticated cloud storage. The Firebase bucket holding verification images was left publicly accessible, with directory listing enabled, meaning anyone with the link could browse and download its entire contents.
- Legacy data never decommissioned. Tea migrated to a more secure infrastructure in early 2024 but failed to wipe the old system. Data users believed had been deleted was sitting, unprotected, in a forgotten environment.
- Exposed access credentials. The second breach, exposing 1.1 million private messages, was traced to an authenticated API endpoint that didn't properly verify who was making the request, allowing any logged-in user to query other users' message data.
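The third failure above is worth seeing in code, because it is easy to miss in review: the endpoint did authenticate the caller, it just never checked whether the caller was allowed to see the record they asked for. The following is an added example, not Tea's code, showing a message-lookup handler with that gap beside a hardened version. The in-memory store, the session table and the request shape are all constructed for illustration.

```javascript
// Added example (not Tea's code): an authenticated-but-unauthorized endpoint
// beside a hardened one. All data and names below are constructed.

// Constructed message store: conversationId -> participants and messages.
const conversations = new Map([
  ["conv-1", { participants: ["alice", "bob"], messages: ["hi bob", "hi alice"] }],
  ["conv-2", { participants: ["carol", "dave"], messages: ["private note"] }],
]);

// Constructed session table: bearer token -> userId. A real app would verify a
// signed session or ID token here instead of a lookup.
const sessions = new Map([
  ["tok-alice", "alice"],
  ["tok-carol", "carol"],
]);

// Authentication answers "who is calling?" and nothing more.
function authenticate(req) {
  const userId = sessions.get(req.headers.authorization);
  if (!userId) throw new Error("401 unauthenticated");
  return userId;
}

// VULNERABLE: the caller is authenticated, then any conversation is returned by
// id. Every logged-in user can read every other user's messages.
function getMessagesVulnerable(req) {
  authenticate(req);
  const conv = conversations.get(req.params.conversationId);
  if (!conv) throw new Error("404 not found");
  return conv.messages;
}

// HARDENED: authorization is a separate, explicit step. The handler checks that
// the caller is a participant of the requested conversation. Missing and
// forbidden both return 404, so ids cannot be probed for existence.
function getMessagesHardened(req) {
  const userId = authenticate(req);
  const conv = conversations.get(req.params.conversationId);
  if (!conv || !conv.participants.includes(userId)) {
    throw new Error("404 not found");
  }
  return conv.messages;
}

// Runs a handler against a constructed request and reports the outcome
// instead of throwing, so the two behaviours can be compared side by side.
function attempt(handler, token, conversationId) {
  const req = { headers: { authorization: token }, params: { conversationId } };
  try {
    return { ok: true, messages: handler(req) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}
```

The review question to ask of every endpoint that takes an identifier is the one the hardened handler answers: after "who is this?", where is the line that says "and are they allowed to see this particular record?".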
CNN Business spoke to cybersecurity experts about the breach's implications, including the risk that leaked selfies and ID photos can be used to train facial recognition spoofing and deepfake systems.
Read CNN Business' coverage here.
This Isn't an Isolated Failure
The Tea breach is a high-profile illustration of a documented industry-wide pattern. Veracode's 2025 GenAI Code Security Report, discussed in detail elsewhere on our site, found that AI-generated code introduces security vulnerabilities in 45% of tests across major languages. Apiiro's analysis of Fortune 50 production repositories found a 40% increase in exposed credentials, the exact category of failure that compounded Tea's second breach.
None of this means AI caused the Tea breach specifically. What it means is that the underlying causes (unauthenticated storage, unmanaged legacy systems, and exposed credentials) are now measurably more common across the industry as development speed increases without a proportional increase in security review.
The Legal Exposure for South African Businesses
If your website or app collects personal information from users, including names, contact details, or payment information, this isn't a problem that only applies to consumer apps in the United States.
South Africa's Protection of Personal Information Act, POPIA, requires under Section 19 that every responsible party take “appropriate, reasonable, technical and organisational measures” to prevent the loss, damage, or unauthorised access of personal information, and to regularly verify that those safeguards remain effective. The Act is administered by South Africa's Information Regulator. View the Information Regulator's official POPIA guidance here.
An unsecured storage bucket or an exposed API endpoint is not a reasonable measure. It's the absence of one. Under POPIA, the Information Regulator has the power to issue enforcement and compliance notices, and penalties for serious non-compliance can include fines of up to R10 million or imprisonment of up to 10 years for the individuals responsible, alongside the civil liability and reputational damage that follows any public breach.
What Professional Development Actually Protects Against
Engaging a professional development agency isn't just about getting a website built. It's also about acquiring a technical safety net against the exact categories of failure that caused the Tea breach.
- Authentication architecture. Cloud storage and databases are configured to require authentication from the outset, never left open by default.
- Credential management. API keys and access tokens are stored in a secure secrets or environment-variable system, never hardcoded in source code, where they can be extracted.
- Legacy system decommissioning. When infrastructure is migrated or updated, old systems are properly wiped, not left running unmonitored.
- Compliance by design. Infrastructure is built to satisfy POPIA's security requirements before launch, not retrofitted after an incident forces the issue.
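The credential-management point above is the easiest of the four to enforce mechanically. As an added example (not code from any agency or from Tea), here is a pair of small checks a team can run: one that scans source text for credential-looking literals before code is committed, and one that loads secrets from the environment at startup and refuses to run with a missing or placeholder value. The regular expression, the placeholder words and the sample source snippet are constructed assumptions for illustration.

```javascript
// Added example: two checks that keep credentials out of source code.
// Patterns and sample input are constructed for illustration.

// Matches assignments like apiKey = "…", SECRET: '…', password = "…" where the
// literal is at least 16 characters. Deliberately generic; a production scanner
// would add provider-specific prefixes and entropy checks.
const HARDCODED_SECRET = /(api[_-]?key|secret|token|password)\s*[:=]\s*["'][A-Za-z0-9_\-]{16,}["']/i;

// Returns the 1-based line numbers in `sourceText` that look like a hardcoded
// credential. Intended for a pre-commit hook or CI step.
function findHardcodedSecrets(sourceText) {
  const hits = [];
  sourceText.split("\n").forEach((line, idx) => {
    if (HARDCODED_SECRET.test(line)) hits.push(idx + 1);
  });
  return hits;
}

// Values that are clearly not real secrets; a deploy with one of these should
// fail loudly rather than start with a guessable credential.
const PLACEHOLDER = /changeme|example|placeholder|todo/i;

// Loads the named variables from an env object (process.env in real use) and
// fails fast when any is missing, too short, or a placeholder.
function loadConfig(env, requiredNames) {
  const config = {};
  for (const name of requiredNames) {
    const value = env[name];
    if (value === undefined || value === "") {
      throw new Error(`missing required setting ${name}`);
    }
    if (value.length < 16 || PLACEHOLDER.test(value)) {
      throw new Error(`setting ${name} looks like a placeholder, refusing to start`);
    }
    config[name] = value;
  }
  return config;
}

// Constructed source snippet: one line reads from the environment (fine), one
// hardcodes a key (flagged), one is an ordinary string (ignored).
const SAMPLE_SOURCE = `
const db = connect(process.env.DATABASE_URL);
const apiKey = "AKIA_CONSTRUCTED_EXAMPLE_KEY_0001";
const timeout = "30";
`;
```

Run `findHardcodedSecrets` over staged files in a pre-commit hook and `loadConfig(process.env, [...])` as the first statement of the service; together they make the "never hardcoded" rule something the build enforces rather than something a reviewer has to remember.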
The Bottom Line
Tea was built around the promise of protecting women's safety. It failed at the most basic level: it couldn't protect their data. The breach wasn't inevitable. It was the result of decisions made during development that prioritised speed over security.
That's a trade-off businesses make every time they choose the fastest, cheapest path to launch over one that's been properly built and reviewed.
Sources
Ha A (2025), Dating safety app Tea breached, exposing 72,000 user images, TechCrunch, 26th July 2025, Available at: https://techcrunch.com/2025/07/26/dating-safety-app-tea-breached-exposing-72000-user-images/ (accessed: 30th June 2026).
CNN Business (2025), Here's what cybersecurity experts think about Tea's data breach, CNN, 26th July 2025, Available at: https://edition.cnn.com/2025/07/26/business/tea-data-breach-user-selfies (accessed: 30th June 2026).
Collier K and Yang A (2025), Hackers leak 13,000 user photos and IDs from the Tea app, designed as a women's safe space, NBC News, 25th July 2025, Available at: https://www.nbcnews.com/tech/social-media/tea-app-hacked-13000-photos-leaked-4chan-call-action-rcna221139 (accessed: 30th June 2026).
Wise A (2025), Tea encouraged its users to spill. Then the app's data got leaked, NPR, 2nd August 2025, Available at: https://www.npr.org/2025/08/02/nx-s1-5483886/tea-app-breach-hacked-whisper-networks (accessed: 30th June 2026).
American Bar Association (2025), Cloud misconfiguration and the private right of action: a technical and legal analysis of the Tea app data breach, American Bar Association, 2025, Available at: https://www.americanbar.org/groups/intellectual_property_law/resources/newsletters/cloud-misconfiguration-private-right-of-action-tea-app-data-breach/ (accessed: 30th June 2026).
Information Regulator South Africa (n.d.), POPIA, Information Regulator South Africa, Available at: https://inforegulator.org.za/popia/ (accessed: 30th June 2026).
Veracode (2025), 2025 GenAI Code Security Report, Veracode, 2025, Available at: https://www.veracode.com/resources/analyst-reports/2025-genai-code-security-report/ (accessed: 30th June 2026).