PrepHero-Linked Database Exposed Data of 3M Students and Coaches
A security lapse on PrepHero, a college recruiting platform, exposed millions of unencrypted records, including sensitive personal details and passport images of student-athletes.
A massive amount of personal information belonging to over three million individuals, including young athletes hoping for college scholarships and their coaches, was recently found unprotected online. vpnMentor’s cybersecurity researcher Jeremiah Fowler discovered this exposed database and reported it on May 12, 2025.
Based on the information in the database, it belonged to a Chicago-based company called PrepHero, operated by EXACT Sports. PrepHero helps high school athletes create recruiting profiles for college sports programs and facilitates direct communication between athletes and coaches at renowned universities, with the aim of securing sports scholarships.
According to Fowler’s investigation, shared with Hackread.com, this database contained a staggering 3,154,239 records (totalling around 135 gigabytes) and was not secured with a password or any form of encryption.
Fowler’s initial checks revealed sensitive information about student-athletes, including names, phone numbers, email addresses, home addresses, and passport information. The database also contained contact details for parents and coaches, as well as unprotected computer files with student athletes’ passport image links.
Source: vpnMentor
Adding to the severity of the exposure, the database contained a folder labelled “mail cache” holding 10 gigabytes of email messages spanning from 2017 to 2025. The folder contained personalized web links to publicly accessible pages displaying names, birth dates, email addresses, home addresses, and compensation details.
Some emails also included temporary passwords, posing further privacy risks. Audio recordings of coaches stating their names, colleges, and evaluations of student athletes’ strengths and weaknesses were also found.
Fowler promptly disclosed this discovery to PrepHero, which quickly secured the database, preventing further public access. While the exposed records have been linked to PrepHero, it is not yet clear whether the database was managed directly by PrepHero or by an external company on its behalf. It is also unclear how long the sensitive information was accessible online before Fowler’s discovery, or whether anyone else accessed it.
Education Sector is Already Vulnerable
As noted in Check Point’s April 2025 malware report, cyber attacks on the education sector continue to rise. Just last week, edtech giant PowerSchool confirmed it paid ransom after a December 2024 ransomware attack that exposed the personal data of students and teachers.
Meanwhile, new reports reveal that the official website of iClicker, a widely used student engagement platform, was hacked in a ClickFix attack. Having a database exposed to cyber criminals is worse than leaving your front door wide open; it’s an open invitation with far more at stake.
Fowler highlighted the privacy risks associated with exposing student athletes’ personal information, as they are often young and lack credit histories, making them vulnerable to identity theft. Criminals could use this data to open fraudulent accounts without immediate detection. Students, parents, and coaches’ contact information could be exploited for targeted phishing attacks and scams, with coaches also at risk of spear-phishing attempts.
Considering these repercussions, individuals associated with PrepHero or EXACT Sports must remain cautious about phishing and social engineering attempts, use secure content management systems with access controls, use multi-factor authentication for all accounts, and encrypt sensitive documents to minimize the impact of potential data breaches.
“Sending emails with unique web links to surveys or open webpages that contain PII should be restricted and only accessible with login credentials to prevent unauthorized or accidental access,” Fowler advised.