Unsecured Database Exposes Data of 3.6 Million Passion.io Creators

HackRead

A massive data leak has put the personal information of over 3.6 million app creators, influencers, and entrepreneurs at risk, reveals a report from vpnMentor. Cybersecurity expert Jeremiah Fowler uncovered an unsecured database containing a whopping 12.2 terabytes of sensitive data, linked to an app-building platform.

The exposed database, which was neither encrypted nor protected by a password, held 3,637,107 records. These records included names, email addresses, physical addresses, and details about payments for what appeared to be both users and app creators.

According to Fowler’s report, internal files and the database’s name suggested the data belonged to Passion.io, a company based in Texas/Delaware. Passion.io provides a no-code platform, allowing individuals like creators, coaches, and celebrities to build their own mobile apps without needing technical skills. These apps enable users to offer interactive courses and earn money through subscriptions or one-time purchases.

The exposed information, including personally identifiable information (PII) such as names, addresses, and even images, carries significant risks. Fowler warns that such data can be used by criminals for “phishing or social engineering attacks,” which are a common starting point for cybercrimes. Leaked email addresses and purchase histories can be used to trick individuals into revealing more personal or financial details by impersonating a trusted company.

Furthermore, the exposure of user profile images, some of which included children, raises serious privacy concerns. These images could potentially be misused for impersonation, creating fake accounts, or other online scams.

Source: vpnMentor

The researcher noted that even seemingly harmless images could be “potentially weaponized or used for unethical purposes.” Beyond personal data, the database also contained video files and PDF documents that appeared to be premium content sold by app creators, along with internal financial records, which could undermine creators’ revenue and give competitors insight into the company’s operations.

Kudos to Passion.io’s Transparency

Upon discovering the leak, Fowler promptly informed Passion.io. The company acted swiftly, restricting public access to the database on the same day. Passion.io acknowledged the finding, stating their “Privacy Officer and technical team are working on fixing the issue, making sure this can’t happen again.”

Nevertheless, if your company processes data, here are 5 key steps to follow to avoid database misconfigurations and prevent data leaks like the one affecting Passion.io. These steps won’t guarantee perfection, but they lower the chance of leaving a database exposed and leaking user data:

**1. Enforce Authentication and Access Controls**

  • Implement multi-factor authentication for administrative access.

  • Use role-based access to limit who can view or modify sensitive data.

  • Never leave a database exposed without a password or access control.

**2. Encrypt Data at Rest and In Transit**

  • Use strong encryption protocols and manage keys securely.

  • Ensure all sensitive data is encrypted both on disk and during transfer.

**3. Automate Misconfiguration Detection**

  • Set up alerts for public exposure or unusual access patterns.

  • Use cloud security tools or configuration scanners (e.g., AWS Config, GCP Security Command Center) to detect misconfigurations in real-time.

**4. Conduct Regular Security Audits and Pen Tests**

  • Test not just your app but also your storage and database layers.

  • Perform routine vulnerability assessments and penetration tests on your infrastructure.

**5. Train DevOps and Technical Teams on Security Best Practices**

  • Keep documentation updated and enforce policies during development.

  • Make sure all team members handling infrastructure know how to secure cloud databases, manage permissions, and spot risky configurations.
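The checklist above (authentication, encryption at rest and in transit, automated exposure detection) can be turned into a small audit that runs over a database inventory and raises an alert before a world-readable, passwordless instance like the one in this report goes live. The following is an added example written for this page, not code from HackRead, vpnMentor, or Passion.io. The inventory schema (`auth_required`, `ingress_cidrs`, and so on) and the two sample instances are constructed for the example; in a real pipeline the records would be pulled from a configuration scanner such as AWS Config or GCP Security Command Center and fed to `audit()`.

```python
"""Database exposure audit against the checklist in the article.

Added example (not part of the original page). The instance schema below is
hypothetical: the fields stand in for what a config scanner would report.
"""
import ipaddress
from typing import Dict, List

# Address space a database should be reachable from at most: RFC 1918 + loopback.
INTERNAL_RANGES = [
    ipaddress.ip_network(c)
    for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Constructed sample inventory (hypothetical schema, constructed values).
SAMPLE_INVENTORY = [
    {   # mirrors the failure pattern in the article: open to the world, no password
        "id": "content-db-01",
        "engine": "mongodb",
        "auth_required": False,
        "mfa_for_admins": False,
        "encrypted_at_rest": False,
        "tls_required": False,
        "ingress_cidrs": ["0.0.0.0/0"],
    },
    {   # a correctly configured instance for contrast
        "id": "billing-db-01",
        "engine": "postgresql",
        "auth_required": True,
        "mfa_for_admins": True,
        "encrypted_at_rest": True,
        "tls_required": True,
        "ingress_cidrs": ["10.20.0.0/16"],
    },
]


def cidr_is_internal(cidr: str) -> bool:
    """True if the CIDR lies entirely inside private or loopback space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == r.version and net.subnet_of(r) for r in INTERNAL_RANGES)


def audit_instance(inst: dict) -> List[str]:
    """Return the checklist violations for one instance as short finding codes."""
    findings = []
    for cidr in inst.get("ingress_cidrs", []):          # step 3: public exposure
        if not cidr_is_internal(cidr):
            findings.append(f"public-ingress:{cidr}")
    if not inst.get("auth_required", False):            # step 1: no password at all
        findings.append("no-authentication")
    elif not inst.get("mfa_for_admins", False):         # step 1: MFA for admins
        findings.append("no-mfa-for-admins")
    if not inst.get("encrypted_at_rest", False):        # step 2: at rest
        findings.append("unencrypted-at-rest")
    if not inst.get("tls_required", False):             # step 2: in transit
        findings.append("no-tls-in-transit")
    return findings


def severity(findings: List[str]) -> str:
    """Rank findings; an open network path combined with no auth is the worst case."""
    public = any(f.startswith("public-ingress:") for f in findings)
    no_auth = "no-authentication" in findings
    if public and no_auth:
        return "critical"
    if public or no_auth:
        return "high"
    if findings:
        return "medium"
    return "ok"


def audit(inventory: List[dict]) -> Dict[str, dict]:
    """Audit every instance; the result is keyed by instance id for alerting."""
    report = {}
    for inst in inventory:
        findings = audit_instance(inst)
        report[inst["id"]] = {"severity": severity(findings), "findings": findings}
    return report


if __name__ == "__main__":
    for db_id, result in audit(SAMPLE_INVENTORY).items():
        flagged = ", ".join(result["findings"]) or "-"
        print(f"{db_id}: {result['severity'].upper()} {flagged}")
```

Run on the constructed inventory, `content-db-01` comes back `critical` with four findings and `billing-db-01` comes back `ok`. The severity ladder deliberately treats a public ingress rule and missing authentication as the two conditions that matter most, because either one alone is serious and the combination is exactly what left the 12.2 TB database in this story readable by anyone.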
