Tea, a provocative dating app designed to let women anonymously ask or warn each other about men they’d encountered, rocketed to the top spot on the U.S. Apple App Store this week. On Friday, the company behind the app confirmed it had been hacked: Thousands of images, including selfies, were leaked online.

“We have engaged third-party cybersecurity experts and are working around the clock to secure our systems,” San Francisco-based Tea Dating Advice Inc. said in a statement.

404 Media, which earlier reported the breach, said it was 4Chan users who discovered an exposed database that “allowed anyone to access the material” from Tea.

The app and the breach highlight the fraught nature of seeking romance in the age of social media.

Here’s what to know:

Tea was meant to help women date safely

Tea founder Sean Cook, a software engineer who previously worked at Salesforce and Shutterfly, says on the app’s website that he founded the company in 2022 after witnessing his own mother’s “terrifying” experiences. Cook said they included unknowingly dating men with criminal records and being ”catfished” — deceived by men using false identities.

Tea markets itself as a safe way for women to anonymously vet men they might meet on dating apps such as Tinder or Bumble— ensuring that the men are who they say they are, not criminals and not already married or in a relationship. “It’s like people have their own little Yelp pages,” said Aaron Minc, whose Cleveland firm, Minc Law, specializes in cases involving online defamation and harassment.

In an Apple Store review, one woman wrote that she used a Tea search to investigate a man she’d begun talking to and discovered “over 20 red flags, including serious allegations like assault and recording women without their consent.” She said she cut off communication. ”I can’t imagine how things could’ve gone had I not known,” she wrote.

A surge in social media attention over the past week pushed Tea to the No. 1 spot on Apple’s U.S. App Store as of July 24, according to Sensor Tower, a research firm. In the seven days from July 17-23, Tea downloads shot up 525% compared to the week before. Tea said in an Instagram post that it had reached 4 million users.

Tea has been criticized for invading men’s privacy

A female columnist for The Times of London newspaper, who signed into the app, on Thursday called Tea a “man-shaming site” and complained that ”this is simply vigilante justice, entirely reliant on the scruples of anonymous women. With Tea on the scene, what man would ever dare date a woman again?”

“Over the last couple of weeks, we’ve gotten hundreds of calls on it. It’s blown up,” attorney Minc said. “People are upset. They’re getting named. They’re getting shamed.’’

In 1996, Congress passed legislation protecting websites and apps from liability for things posted by their users. But the users can be sued for spreading ”false and defamatory” information, Minc said.

In May, however, a federal judge in Illinois threw out an invasion-of-privacy lawsuit by a man who’d been criticized by women in the Facebook chat group “Are We Dating the Same Guy,″ Bloomberg Law reported.

State privacy laws could offer another avenue for bringing legal action against someone who posted your photograph or other personal information in a harmful way, Minc said.

The breach exposed thousands of selfies and photo IDs

In its statement, Tea reported that about 72,000 images were leaked online, including 13,000 images of selfies or photo identification that users submitted during account verification. Another 59,000 images that were publicly viewable in the app from posts, comments and direct messages were also accessed, according to the company’s statement.

No email addresses or phone numbers were exposed, the company said, and the breach only affects users who signed up before February 2024. “At this time, there is no evidence to suggest that additional user data was affected. Protecting tea users’ privacy and data is our highest priority,” Tea said.

It said users did not need to change their passwords or delete their accounts. “All data has been secured.”

Lawyer Minc said he was not surprised to see Tea get targeted. “These sites get attacked,” he said. ”They create enemies. They put targets on themselves where people want to go after them.”

This story was originally featured on Fortune.com

© AP Photo