A significant data breach has compromised the personal information of more than 3.6 million app creators, influencers, and entrepreneurs, according to a report from vpnMentor. Cybersecurity expert Jeremiah Fowler discovered an unsecured database that contained an alarming 12.2 terabytes of sensitive information associated with the app-building platform Passion.io.
The exposed database was not secured with any encryption or password protection and held a staggering 3,637,107 records. This data included personally identifiable information such as names, email addresses, physical addresses, and payment details, potentially endangering the privacy of both users and app creators.
According to Fowler’s detailed analysis, the internal files suggested that this data leak originated from Passion.io, a Texas/Delaware-based company that offers a no-code platform. This platform allows creators, coaches, and celebrities to develop their own mobile applications without requiring extensive technical knowledge, facilitating the sale of interactive courses and subscription-based services.
The leaked information raises critical concerns about privacy. Fowler cautioned that such personal data could be utilized in fraudulent activities, particularly phishing and social engineering attacks. With email addresses and purchase histories at stake, criminals may exploit these details to manipulate individuals into disclosing more personal or financial information by masquerading as trustworthy entities.
In a particularly troubling aspect, the breach involved exposure of user profile images, with some featuring minors, prompting serious ethical concerns. Those images could potentially be misappropriated for impersonation or other malicious endeavors. Fowler remarked that even innocuous photos could be ‘potentially weaponized or used for unethical purposes.’
The database furthermore contained premium content like video files and PDF documents, alongside internal financial records, which could unveil creators’ business strategies while undermining their revenue streams.
Upon discovery of the breach, Fowler promptly alerted Passion.io. The company acted immediately, restricting public access to the database the same day. Passion.io released a statement acknowledging the breach, asserting that their ‘Privacy Officer and technical team are working on fixing the issue, making sure this can’t happen again.’
For companies that handle sensitive data, experts recommend following five crucial steps to prevent similar breaches: implementing access controls, encrypting data, automating misconfiguration detection, conducting regular security audits, and training technical teams on best practices.