Over 3 Million Records, Including PII Exposed in App-Building Platform Data Breach
Cybersecurity researcher Jeremiah Fowler discovered and reported to vpnMentor an unencrypted and non-password-protected database containing 3,637,107 records that presumably belong to a no-code app-building platform.
The publicly exposed database was not password-protected or encrypted. It contained 3,637,107 records with a total size of 12.2 TB. In a limited sampling of the exposed documents, I saw internal files, images, and spreadsheet documents (marked as “users” and “invoices”) that contained names, emails, physical addresses, and details about payments or payouts of what appeared to be users and app creators.
The internal files and database name indicated the records appeared to belong to a Texas/Delaware-based company called Passion.io. This firm offers a no-code app-building platform designed for creators, coaches, influencers, celebrities, and entrepreneurs to develop their own branded mobile apps without any technical knowledge. The platform allows users to create interactive courses and then earn revenue through subscriptions or one-time payments.
I immediately sent a responsible disclosure notice to Passion.io, and the database was restricted from public access and no longer accessible that same day. I received an email the following day acknowledging my finding and thanking me for bringing it to their attention. According to the email, Passion.io’s “Privacy Officer and technical team are working on fixing the issue, making sure this can’t happen again, and taking all necessary steps required by the situation. We’re treating this very seriously and moving fast”.
Although the records appeared to belong to Passion.io, it is not known if the database was owned and managed directly by them or by a third-party contractor. It is also not known how long the database was exposed before I discovered it or if anyone else may have gained access to it. Only an internal forensic audit could identify additional access or potentially suspicious activity.
According to their website, creators have used Passion.io’s platform to launch over 15,000 apps and have over 2 million paying app users. The platform enables creators to earn money by combining their skills, knowledge, expertise, or products with their own mobile apps. It should be noted that this database appeared not to contain all app and user data. I did not see content related to such a large number of applications inside the folders. However, I did see user PII and images that may not have been intended for public exposure.
There are serious potential risks associated with exposed files that contain PII (like names, emails, physical addresses, internal customer ID numbers) as well as purchased services and payment amounts. For instance, this information could potentially be used by criminals to attempt phishing or social engineering attacks. In fact, it is estimated that 98% of all cybercrimes start with some form of social engineering.
Leaked email addresses and purchase histories can provide criminals with specific information that typically only the customer and service provider would know. Since people are more likely to trust a company they have a business relationship with, criminals often opt for impersonation. They could hypothetically contact customers or app creators pretending to be affiliated with the company in question and try to get additional personal or financial information.
Exposed personal information could be combined with open-source information to create a complete profile of that individual. Once criminals have a profile, they can filter potential victims, focusing on high-value targets that may be wealthy or have celebrity or influencer status. I am not saying that Passion.io’s customers or their users are at risk of social engineering or other forms of scams; I am only providing an educational example of how this type of data could theoretically be exploited should it fall into the wrong hands.
The exposure of user profile images also poses serious potential privacy and security risks. The biggest hypothetical risks include images being misused for impersonation, for the creation of fake accounts, or for other online scams. There are numerous apps where images can be manipulated through AI to produce deepfakes or abusive content without consent. Additionally, reverse image tools can even identify individuals if the same image has been used elsewhere online.
Images of children are particularly sensitive because children cannot consent to their pictures being used online. These may have been uploaded by users who believed that their accounts were personal and private and that those images would never be seen by anyone except themselves. In my experience as a security researcher, I have seen firsthand how even seemingly harmless images can be potentially weaponized or used for unethical purposes. I am not saying that any of Passion.io’s users or their images were ever at risk of any misuse, I am only providing a real-world risk scenario of how images could potentially be used or exploited without consent or the individual’s knowledge.
In addition to personal user data, I also saw a large number of video files and .pdf documents. These appeared to be materials that app creators sell as part of their premium content. If these files were accessed without authorization and subsequently downloaded and shared online, it could undermine the revenue model for creators. The database also contained internal financial records, specifically invoice totals that app owners reportedly pay to Passion.io. For any organization, the exposure of financial data poses a potential confidentiality risk that may give competitors or criminals valuable insights into the company’s business operations and finances.
After any organization has a data breach, users and customers should be vigilant and know how to identify suspicious communications. These could be things like unexpected emails, phone calls, or text messages that request additional personal information or that state there are outstanding payments owed. Phishing attempts are usually just the first step in the criminal agenda, so it is crucial to verify that the person requesting this information is who they say they are. I also recommend users change any passwords related to the affected service or account, use two-factor authentication (2FA) wherever possible, and never reuse passwords for multiple accounts.
For companies that collect and store potentially sensitive user data, it is important to implement additional security measures. I recommend encrypting any documents (such as spreadsheets) that contain financial or customer data. Companies should review their access control policies and conduct regular security audits to identify vulnerabilities or unintended data exposures. It is also a good idea to strengthen user authentication and enforce multi-factor authentication (MFA) for both internal employees and users. This can ensure that sensitive customer account information and internal data are only accessible to authorized users.
When it comes to data storage, I recommend storing only necessary data and, once it is no longer needed, ensuring those records are securely deleted. Segmenting storage and not keeping a wide range of files in the same database can also minimize the potential risks of an accidental exposure.
I imply no wrongdoing by Passion.io (PassionApps) by Independence284, Inc., or its employees, agents, contractors, affiliates, and/or related entities. I do not claim that any internal, customer, or user data was ever at imminent risk. The hypothetical data-risk scenarios I have presented in this report are strictly and exclusively for educational purposes and do not reflect, suggest, or imply any actual compromise of data integrity. It should not be construed as a reflection of, or commentary or insinuation on, any organization’s specific practices, systems, or security measures.
As an ethical security researcher, I do not download the data I discover. I only take a limited number of screenshots as necessary and solely for verification and documentation purposes. I do not conduct any activities beyond identifying the security vulnerability and notifying the relevant parties. I disclaim any and all liability for any and all actions that may be taken as a result of this disclosure. I publish my findings solely to raise awareness of issues of data security and privacy. My aim is to encourage organizations to proactively implement measures to safeguard sensitive information against unauthorized access.