Security Lapse Exposes Millions of Student-Athlete Records on PrepHero

A significant security oversight on PrepHero, a college recruiting platform, has exposed sensitive personal information of over three million individuals, including aspiring student-athletes and their coaches. This alarming breach, uncovered by vpnMentor’s cybersecurity researcher Jeremiah Fowler, was reported on May 12, 2025. The database, belonging to the Chicago-based company operated by EXACT Sports, was found unprotected online, raising serious concerns about privacy and data security.

The exposed database contained a staggering 3,154,239 unencrypted records, totaling around 135 gigabytes. According to Fowler’s investigation, the records included sensitive information such as names, phone numbers, email addresses, home addresses, and even passport details of student-athletes. Additionally, it stored contact information for parents and coaches, alongside unprotected links to image files of student-athletes’ passports.

Compounding the severity of this data breach was a folder labeled “mail cache” containing email messages from 2017 to 2025, totaling 10 gigabytes. The contents included personalized links to publicly accessible webpages, revealing names, birth dates, and compensation details, with some emails even containing temporary passwords. Audio recordings of coaches discussing student-athletes’ abilities further amplified the exposure of personal information.

Once alerted, PrepHero swiftly secured the database, but concerns linger regarding the management of the exposed data and how long it was accessible before discovery. With threats to the education sector rising, as noted in Check Point’s April 2025 malware report, this breach underscores the vulnerabilities that educational institutions face in the realm of cybersecurity. Recent incidents, including a ransomware attack on edtech giant PowerSchool and a hacking event involving iClicker, highlight an urgent need for enhanced security measures.

Fowler emphasized the risks posed to young athletes, who often lack established credit histories, making them prime targets for identity theft. The leaked data could potentially be used to create fraudulent accounts that go undetected, while the personal information of coaches might expose them to tailored phishing attacks. To mitigate the repercussions of such breaches, it is critical for those connected with PrepHero or EXACT Sports to employ robust security practices, such as multi-factor authentication and secure content management systems.