5 Crucial Cybersecurity Lessons Drawn from the ‘Tea Hack’ Incident: Strengthen Your Digital Defense Now!

In the digital age, platforms catering to marginalized demographics are increasingly targeted by malicious actors. A recent example is the breach of Tea, a women-only app, which exposed over 72,000 user images, including photos from comments, direct messages, and posts on the platform. Following a second breach that compromised private conversations, the app has temporarily disabled its direct messaging feature.
Historically, platforms related to dating or relationships have been prime targets for hackers, as they often contain valuable personal data. This was evident in the high-profile Ashley Madison hack of 2015. On such apps, users share photographs and engage in open discussions. If these materials are not adequately secured, they can fall into the wrong hands.
While users are generally not responsible for data breaches, there are online safety lessons that can be gleaned from incidents like the ones mentioned above. Data can be compromised without a user’s direct involvement. For instance, in 2024, hackers stole billions of personal records from National Public Data, a lesser-known data broker that collected personal information on behalf of companies during background checks and fraud prevention. Ultimately, it is the responsibility of app developers and platform owners to ensure customer data is collected and stored securely in accordance with current security standards.
In cases where users have the option to choose which companies can collect and process their personal information, they should exercise caution and disclose as little data as possible. A good way to assess a company’s trustworthiness is to scrutinize its privacy policy and data collection documents.
The policy will detail the types of data the company collects from customers, how it uses that data, and for how long it retains the data. For example, if you notice a section labeled “customer data” or “data collection,” focus on it. Many app policies state that the company collects customer names, email addresses, and phone numbers during the sign-up process. Excessive data collection occurs when an app collects biometric data, keystrokes, clipboard data, photos, videos, or activity in other apps without the user’s knowledge and consent.
The privacy policy should also outline the security measures implemented to safeguard user data. Look for a section labeled “data retention” or similar. A trustworthy app will delete customer data within a reasonably short time period following account cancellation, typically between six months and one year. If the company’s privacy policy does not specify how long it retains personal data, this raises concerns.
If the desired information cannot be found in the privacy policy, contact the company and ask. While privacy policies can often be dense and tedious, a policy-scanning cheat sheet can help make the process more manageable.
Companies may intentionally craft vague privacy policies to weaken any safety guarantees. For example, as of now, Tea’s privacy policy does not specify how long it retains user data. While a privacy policy is meaningless if a company fails to adhere to its promises, users can request the deletion of their personal data from companies, particularly if they reside in California or the EU. If you are not based in either region, submit a deletion request regardless. Such actions may encourage more companies to strengthen their data protection policies in the future.
For businesses that collect data, it is essential to have robust data collection and retention strategies, with transparency being a key aspect for customers. The developers behind Tea are not unique in their failure to protect customer data; similar incidents have occurred. In 2024, hackers breached the online course of controversial personality Andrew Tate, revealing its “hilariously insecure” data protection measures and exposing the email addresses of approximately 325,000 members.
To learn more about security best practices, consult network security leader Cloudflare’s guide for website owners on fortifying their digital defenses, or cybersecurity firm CrowdStrike’s app security primer on its website.
Currently, there is little law enforcement can and will do because the United States does not have federal data protection laws for its citizens. Any legislation proposed at that level, such as the American Data Privacy and Protection Act, has yet to pass the congressional floor. California residents are an exception; the state passed the California Consumer Privacy Act (CCPA) in 2018 to grant residents more control over their online data. Residents have a right to know what information a business collects about them and how the business uses that data, and the right to delete their personal data. Californians can also opt out of personal data sales or sharing by businesses.
If you reside outside California, the key to obtaining more data protection may be advocating for it. Contact your elected representative and express your concerns about online privacy and safety. When discussing the state of data protection laws in the U.S. in 2023, I spoke with cybersecurity expert Wade Barisoff, who explained that capitalism is hindering data security in the United States.
“We’ve never really climbed this mountain yet because data is worth money,” said Barisoff. “Google has built its entire empire just on data and understanding what people are doing and selling that. There’s more of a focus on capitalism, and there’s a lot of powerful players here in the US that basically made their entire company off of private data.”
Once your data is out of your hands—whether it’s a selfie uploaded to the Tea app or even your name and address entered on an e-commerce site’s checkout form—you have minimal control over where it goes next. This information could be sold to a research firm, end up on the dark web, or fall into other malicious hands.
Take control of your data by requesting data deletion after you stop using an app or online service. You can also give away less information online by refraining from oversharing in messages or photos that you post on social media, using fake information when filling out web forms, or leaving some forms blank.