Jeremiah Fowler discovered a massive unprotected database allegedly tied to Passion.io, a no-code app-building platform used by influencers, coaches, and entrepreneurs. The database, which was neither encrypted nor password-protected, contained 3,637,107 records totaling 12.2 terabytes of data.
Fowler reports, "In a limited sampling of the exposed documents, I saw internal files, images, and spreadsheet documents... that contained names, emails, physical addresses, and details about payments or payouts of what appeared to be users and app creators."
Headquartered in Texas/Delaware, Passion.io empowers creators to launch interactive, monetized mobile apps without writing code. Its website claims over 15,000 apps launched and more than 2 million paying users. The exposed data did not represent this full volume but did include sensitive user profile pictures, payment records, and creator-uploaded content, some of which included images of children.
Fowler responsibly disclosed the issue, and Passion.io restricted public access the same day. A follow-up email confirmed that their "Privacy Officer and technical team are working on fixing the issue, making sure this can't happen again."
Among the exposed files were:
PII (Personally Identifiable Information) such as names, emails, addresses, and internal customer IDs
Financial records including invoice totals
Creator-uploaded content, including videos and .pdf course materials
Images of children, potentially uploaded under the assumption of privacy
Fowler emphasizes, "Even seemingly harmless images can be potentially weaponized or used for unethical purposes... particularly sensitive are images of children who cannot consent to their pictures being used online."
He warns of possible phishing and impersonation attempts, saying, "Leaked email addresses and purchase histories can provide criminals with specific information... [they] could hypothetically contact customers pretending to be affiliated with the company."
Fowler's report serves as an educational case study, stressing:
Encrypt all sensitive data, especially spreadsheets with customer info
Implement multi-factor authentication (MFA) for employees and users
Limit data retention and segment stored data
Conduct regular security audits to detect and mitigate vulnerabilities