Cyber Spill: 5 Security Lessons We Can Learn From the Tea Hack – SLVITO



Platforms for marginalized people are frequent targets for bad actors. In a recent incident, hackers breached the user databases for Tea, a women-only app that required selfies or photo ID for account verification. The hackers accessed 72,000 images, including photos from users’ comments, direct messages, and posts on the platform. Earlier this week, the app announced it was turning off direct messages after a second breach exposed users’ private conversations.

Platforms related to dating or relationships have been treasure troves of valuable data for hackers for many years. After all, one of the first big dating platform hacks that made headlines was Ashley Madison in 2015. On Tea and similar apps, people upload pictures of themselves and chat freely. If those materials aren’t secured properly, they’re liable to fall into the wrong hands.

The user is rarely at fault for data breaches. That said, there are online safety lessons everyone can learn from data breaches like the ones listed above.


1. Online Privacy and Safety Are Never Guaranteed

You don’t have to be the one to give away your data for it to be compromised. For example, in 2024, hackers stole billions of personal records from National Public Data, a little-known data broker that collects personal information on behalf of companies while performing background checks or fraud prevention. Ultimately, it’s up to app developers and platform owners to ensure that customer data is collected and stored in a way that meets current security standards. 

In cases where you can choose which companies are worthy of collecting and processing your personal information, be selective, and give away as little data as possible. A good way to determine whether a company is worthy of your trust is to skim the privacy policy and data collection documents. 


2. Always Read the Privacy Policy

The policy will tell you what types of data the company collects from customers, how it uses that data, and how long it keeps the data. For example, if you see a section labeled “customer data” or “data collection,” zero in on it. Many app policies state that the company collects customer names, email addresses, and phone numbers provided during the sign-up process. Data collection is excessive when an app collects your biometric data, keystrokes, clipboard data, photos, videos, or activity in other apps without your consent and knowledge.

The privacy policy should also state how the company is securing your data. Look for a section labeled “data retention” or something similar. An app with a good policy will delete customer data within a fairly short time after you’ve cancelled your account, usually between six months and one year. If the company’s privacy policy doesn’t mention how long it holds on to your personal data, that’s not good.

If you can’t find any of the information above in the privacy policy, email the company and ask. I know privacy policies are usually pretty dense and boring, so I created a policy-scanning cheat sheet to make the process easier.

Sometimes, companies make privacy policies intentionally vague, which waters down any safety guarantees. For example, in the current version of Tea’s privacy policy, the company does not specify how long it stores your data:

[Image: A selection from Tea's privacy policy. Credit: Tea/PCMag]

Of course, a privacy policy is meaningless if a company doesn’t keep the promises made in the document. If you are worried that an app is mishandling or misusing your data, consider writing an email requesting that the company delete your personal data. If you’re a California resident or an EU citizen, the company will do it. If you don’t live in either of those places, send a deletion request anyway. Your actions may make more companies change their policies to better protect personal data in the future. 





3. Technology Evolves Fast—and So Do Criminals

If you own or maintain an app or website that collects data, you’re responsible for keeping your community’s or customers’ data safe. You should have a robust data collection and retention strategy, and you should be transparent with your customers about that strategy where allowable.

The people behind Tea aren’t the first app developers to fail to protect customers, and they won’t be the last. For example, in 2024, hackers breached controversial online personality Andrew Tate’s online course, exposing the website’s “hilariously insecure” data protection measures and email addresses for approximately 325,000 members.

To find out more about security best practices, check out network security giant Cloudflare’s guide for website owners to shore up their digital defenses. Cybersecurity firm CrowdStrike offers an app security primer on its website, too.



4. On the Internet, No One Will Rescue You

There’s little law enforcement can and will do because the United States does not have federal data protection laws for its citizens. Any laws that have been proposed at that level, such as the American Data Privacy and Protection Act, have not made it past the congressional floor. 

As mentioned above, California residents are an exception; the state passed the California Consumer Privacy Act (CCPA) in 2018 to give residents a lot more control over their personal data online. Residents have a right to know what information a business collects about them and how the business uses that data, and the right to delete their personal data. Californians can also opt out of personal data sales or sharing by businesses.

If you don’t live in California, the key to getting more data protection may be asking for it. Call your elected representative, and make it clear that online privacy and safety are important to you. When I wrote about the state of data protection laws in the US in 2023, I spoke to Wade Barisoff, a cybersecurity expert, who told me that capitalism is holding back data security in the United States. 

“We’ve never really climbed this mountain yet because data is worth money,” said Barisoff. “Google has built its entire empire just on data and understanding what people are doing and selling that. There’s more of a focus on capitalism, and there’s a lot of powerful players here in the US that basically made their entire company off of private data.”


5. Always Ask: Who Has My Data? Where Is It Going?

Once your data is out of your hands, whether it’s a selfie uploaded to the Tea app or even your name and address entered on an e-commerce site’s checkout form, you have very little control over where it goes next. That information could be sold to a research firm. It could also end up on the dark web.

Take control of your data by requesting data deletion after you stop using an app or other online service. You can also give away less information online by refraining from oversharing in messages or photos that you post on social media, using fake information when filling in web forms, or leaving some forms blank.

About Kim Key

Senior Writer, Security


I review privacy tools like hardware security keys, password managers, private messaging apps and ad-blocking software. I also report on online scams and offer advice to families and individuals about staying safe on the internet. Before joining PCMag, I wrote about tech and video games for CNN, Fanbyte, Mashable, The New York Times, and TechRadar. I also worked at CNN International, where I did field producing and reporting on sports that are popular with worldwide audiences.

