Tea's failure to protect their customers exposes a broader problem. Whether platforms gather data voluntarily or to comply with new safety laws, massive databases of government IDs and biometric data are protected by laughably inadequate security.
“One lump or two?”
The July 2025 Tea App breach exposed 72,000 women's selfies and government IDs, as well as 1.1 million private messages, through an unsecured Firebase storage bucket that required zero authentication to access. While Tea voluntarily collected this verification data for user safety, the catastrophic failure exemplifies a crisis affecting the entire digital ecosystem: platforms consistently lack the technical competence to protect sensitive personal information, regardless of why they're collecting it.
This creates a perverse outcome where attempts to protect users instead expose them to unprecedented risks of blackmail, stalking, financial fraud, and physical harm.
Tea's security infrastructure consisted entirely of default cloud storage settings. Despite marketing itself as the "safest place to spill tea," any teenager with basic technical knowledge could download 59.3GB of government-issued IDs paired with verification selfies by simply finding the URL embedded in Tea's Android app code.
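To make the "default settings" failure concrete, here is an added illustration (constructed for this article, not Tea's actual configuration, which the article does not reproduce) of a Firebase Storage rules file that lets anyone on the internet read every object, beside a hardened version. The `verification/{uid}` path and the 5 MB limit are assumptions for the example.

```text
// WEAK: every object in the bucket is readable and writable with no login.
// Anyone who finds the bucket URL (for instance, inside a shipped app) can
// enumerate and download every ID photo and selfie.
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if true;
    }
  }
}

// HARDENED: deny by default, let a signed-in user upload only to their own
// folder, and never let client apps read verification images at all. The
// server-side Admin SDK bypasses these rules, so only the trusted backend
// can retrieve a document for review.
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    // Assumed layout: verification/<user id>/<file>
    match /verification/{uid}/{fileName} {
      allow read: if false;
      allow write: if request.auth != null
                   && request.auth.uid == uid
                   && request.resource.size < 5 * 1024 * 1024
                   && request.resource.contentType.matches('image/.*');
    }
    // Everything else: no client access.
    match /{allPaths=**} {
      allow read, write: if false;
    }
  }
}
```

The hardened rules still leave the backend responsible for deleting verification images once a check is complete; rules only control who can reach the bucket, not how long the data is kept.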
This represents an increasingly common practice across the digital ecosystem – platforms utilising third-party services they don't fully understand.
The 2020 CAM4 breach demonstrates this pattern perfectly. The adult streaming website exposed 10.88 billion records, including names, sexual orientations, payment logs, and device information, through a misconfigured Elasticsearch database left online without password protection. Security researchers found the exposed database by simply discovering it was publicly accessible to anyone with an IP address.
Modern privacy legislation exacerbates this issue by mandating thousands of additional platforms to collect government IDs and biometric data, yet fails to provide meaningful security standards or oversight. When legislators mandate that these same technically incompetent platforms collect the exact type of sensitive data that CAM4 and Tea failed to protect, they essentially guarantee more catastrophic breaches.
Within hours of the exposed bucket being discovered on 4chan, the stolen data had spread across hacking forums via BitTorrent and spawned dedicated exploitation websites. A site called "Teaspill" launched an Elo-based ranking system for rating women's leaked selfies, creating "Top 50 Best" and "Top 50 Worst" face rankings. Criminals extracted GPS metadata to create interactive maps plotting victims' home addresses, essentially building a searchable stalker database.
This was nothing new. After CAM4 was breached, security researchers immediately warned that the exposed data created perfect conditions for blackmail and sextortion campaigns, with the Identity Theft Resource Center noting that criminals could exploit the adult content connection for years to come.
The combination of government identification with biometric data creates what cybersecurity experts call "perfect blackmail material": permanent vulnerabilities that victims cannot change. The 2015 Ashley Madison breach demonstrates how this plays out in devastating detail.
After hackers exposed 32 million user accounts from the affair website, Toronto police announced that two unconfirmed suicides had been linked to the data breach. But the real horror began years later. In 2020, five years after the original breach, criminals launched a new extortion campaign targeting Ashley Madison victims, demanding $1,000 in Bitcoin and threatening to publicise victims' profiles.
This is why, when Louisiana's age verification law took effect in January 2023, requiring adult websites to verify users' ages through government-issued IDs, Jason Kelley of the Electronic Frontier Foundation warned NPR that it creates the perfect conditions for identity theft and blackmail.
The inevitable result appeared in June 2024 when AU10TIX, a major identity verification company processing documents for platforms such as TikTok, Uber, X, LinkedIn, Coinbase, and PayPal, left login credentials exposed online for more than a year. The credentials appeared on a public Telegram channel in March 2023 and remained active until June 2024, providing access to names, birth dates, nationalities, ID numbers, and images of identity documents.
Rather than learning from these catastrophic failures, governments continue mandating that thousands of platforms collect the exact same type of data that Ashley Madison, CAM4, Equifax, AU10TIX, and Tea failed to protect. Every new platform required to collect government IDs becomes another potential breach waiting to weaponise users' most sensitive information against them.
Rather than mandating more data collection with better security theatre, the solution is obvious: minimise what gets collected in the first place. Age verification could use privacy-preserving techniques that confirm age without storing identity documents. Content moderation could rely on community reporting rather than building surveillance databases. Platform accountability could be achieved through transparency and auditing rather than hoarding personal information that inevitably gets stolen.
The above breaches demonstrate the inevitable consequence of collecting sensitive personal information at scale. The pattern is always the same: platforms promise security they cannot deliver, criminals exploit obvious vulnerabilities, and users face lifelong consequences from data that can never be changed or recalled.
The Ashley Madison victims are still receiving blackmail demands years later. The AU10TIX breach shows that even companies specialised in identity verification cannot protect the data they collect.
Until lawmakers understand that surveillance cannot build safety, breaches like these will continue to transform digital protection tools into weapons against the very people they claim to protect.