
A security researcher has disclosed a non-password-protected database linked to Passion.io, a Texas-Delaware-based no-code app-building platform designed for creators, coaches, influencers, celebrities, and entrepreneurs. The database exposed over 3.6 million records belonging to users of the platform.
The exposed database contained 3,637,107 records totalling 12.2 terabytes of data, including sensitive personally identifiable information (PII) such as names, email addresses, physical addresses, and payment details.
The database was found by cybersecurity researcher Jeremiah Fowler and reported to VPNMentor. It was completely unencrypted and lacked password protection, making it accessible to anyone who discovered it online.
Passion.io's platform enables creators to build branded mobile apps without technical expertise, allowing them to monetise content through subscriptions and one-time payments. According to the company's website, the platform has facilitated the launch of over 15,000 apps serving more than 2 million paying users.


The breach exposed multiple categories of sensitive data beyond basic user information. Internal files contained user profile images; premium content materials, including videos and PDF documents that creators sell through their apps; and financial records showing invoice totals between app creators and Passion.io. This combination of personal and business data creates significant privacy and security concerns for affected users.
Upon discovery, Fowler immediately contacted Passion.io through responsible disclosure protocols. The company responded swiftly, securing the database on the same day and acknowledging the incident.
According to Fowler, Passion.io stated in its response that its "Privacy Officer and technical team are working on fixing the issue, making sure this can't happen again, and taking all necessary steps required by the situation."
Security experts warn that exposed PII creates opportunities for sophisticated phishing attacks and social engineering schemes. The combination of personal information with purchase history provides criminals with detailed knowledge typically known only to customers and service providers, potentially enabling convincing impersonation attempts.