A rival Tea app for men is leaking its users’ personal data and driver’s licenses

TeaOnHer, an app designed for men to share photos and information about women they have supposedly dated, has exposed users’ personal information, including government IDs and selfies. The app launched on the Apple App Store earlier this week as a response to another viral app called Tea, which allows women to post about the men they date. Tea is marketed as a women’s safety app with over 6 million users, resembling Facebook groups like “Are we dating the same guy?” However, Tea has faced controversy due to unverified claims posted by users.

The backlash against Tea intensified last week after 404 Media reported that 4chan users retaliated by discovering a publicly exposed database belonging to the app. This breach revealed over 72,000 images, including selfies and photo IDs submitted for account verification. A subsequent hack exposed more than 1 million private messages sent through the app, leading Tea to disable its messaging feature.

TeaOnHer, now ranked No. 2 among Lifestyle apps on iOS, appears to be a direct rebuttal to Tea, even copying language from Tea’s App Store description. However, like the app it mimics, TeaOnHer has significant security flaws. TechCrunch found at least one vulnerability that allows unrestricted access to user data, including usernames, email addresses, driver’s licenses, and selfies. These images are stored on publicly accessible web addresses, meaning anyone with the links can view them.

In one instance, TechCrunch observed posts on TeaOnHer accompanied by users’ email addresses, display names, and self-reported locations. To prevent misuse, TechCrunch is withholding specific details about the vulnerabilities. The app’s developer, Newville Media Corporation, did not respond to requests for comment, leaving TechCrunch to publish this report with limited technical information due to the app’s popularity and associated risks.

The app was uploaded to the iOS App Store by Newville Media Corporation, whose founder and CEO, according to LinkedIn, is Xavier Lampkin. TechCrunch identified at least one TeaOnHer record linked to Lampkin’s own data. The security lapse affects all users who signed up or shared identity documents with the app, exposing approximately 53,000 accounts at the time of publication.

TechCrunch also discovered a potential second security issue involving exposed admin credentials belonging to Lampkin, including an email address and plaintext password. These credentials appear to grant access to the app’s admin panel. While TechCrunch did not use them, the exposure highlights the risks of leaving sensitive login details unprotected.

Beyond security concerns, the content on TeaOnHer is troubling. Although the app requires IDs and selfies for verification—a non-automatic process—users can access a “guest” view without signing in. Upon opening this view, TechCrunch encountered multiple images of the same naked woman posted under different names, likely spam. It is unclear whether the woman consented to these posts. Other posts feature women’s photos and names alongside derogatory comments, labeling them as “easy” or accusing them of spreading sexually transmitted infections.

Despite these issues, TeaOnHer ranks No. 17 among all free apps, surpassing platforms like Instagram, Netflix, Uber, and Spotify. Meanwhile, Tea currently holds the No. 2 spot.