In a major security lapse, more than 3.6 million user records were found exposed online. The data is believed to belong to Passion.io, a no-code app-building platform used by creators, coaches, and influencers to make their own mobile apps. The data was left in a publicly accessible and unprotected database.
The leak was discovered by cybersecurity researcher Jeremiah Fowler, who shared the details with vpnMentor. The exposed database contained 3,637,107 records with a total size of 12.2 TB. It was not encrypted or password-protected, meaning anyone could access it.
Fowler checked a small portion of the leaked files. He found spreadsheets marked as “users” and “invoices,” along with internal documents and images. These files contained names, email addresses, physical locations, and even payment-related details of users and app creators. Some profile pictures also showed images of children, which is especially concerning.
The exposed files contained personal and financial information. If this data ends up in the wrong hands, it can be used for phishing or social engineering attacks. Cybercriminals often use such details to trick people into revealing more information or making payments. In fact, nearly 98% of cyberattacks start with social engineering.
Even just a leaked email address and purchase history can help attackers impersonate a company and contact users with fake requests. They might even target high-value individuals, such as celebrities or influencers, using the platform.
Fowler also found videos and PDF documents in the database. These seemed to be premium content created by app owners. If these were downloaded without permission and shared online, it could hurt the creators’ earnings. He also saw financial documents showing invoice totals reportedly paid to Passion.io. This type of data could reveal business secrets or be useful to competitors.
Fowler sent a responsible disclosure to Passion.io right away. The company quickly responded and took down public access to the database on the same day. In a reply email, they thanked Fowler and said their Privacy Officer and technical team were working to fix the issue and prevent it from happening again.
However, it is still unclear whether the exposed database was managed directly by Passion.io or a third-party contractor. It is also unknown how long the data was available online or if anyone else accessed it before Fowler found it.
If you are a user of Passion.io or a customer of any app built on the platform, stay alert. Be careful of unexpected emails, texts, or calls asking for personal or payment information. These could be phishing attempts. Always double-check the sender and never share sensitive details without verifying.
It is also a good idea to change your passwords, enable two-factor authentication (2FA), and avoid using the same password for multiple accounts.
For companies storing user data, this incident is a reminder to encrypt sensitive documents, review access control policies, and conduct regular security audits. Use multi-factor authentication (MFA) to protect both employee and user accounts. Only keep the data that is truly needed and delete anything no longer in use.