Three Million Records Exposed In Passion.io Data Breach

Cybersecurity researcher Jeremiah Fowler has uncovered a significant data breach involving Passion.io, a no-code app-building platform based in Texas. The breach exposed an unencrypted, non-password-protected database containing 3,637,107 records, totaling 12.2 terabytes of data.

This incident, reported to vpnMentor, revealed sensitive personally identifiable information (PII) and internal files, raising concerns about potential misuse by cybercriminals.

Passion.io swiftly restricted public access to the database on the same day it was reported, but the breach underscores the critical need for robust data security measures in the rapidly growing AI and app development sectors.

Details of the Breach

The exposed database contained a variety of sensitive records, including internal files, images, and spreadsheets labeled “users” and “invoices.” These documents included:

  • User Information: Names, email addresses, physical addresses, and internal customer ID numbers of app creators and users.

  • Financial Data: Details about payments and payouts, including invoice totals paid to Passion.io by app owners.

  • Content Files: Video files and PDFs, likely premium content sold by creators, alongside user profile images, some featuring children.

While the database appeared to belong to Passion.io, it remains unclear whether it was managed directly by the company or a third-party contractor. The duration of the exposure and whether unauthorized parties accessed the data are also unknown, pending an internal forensic audit.

Potential Risks & Implications

The exposure of PII and internal records poses significant risks, particularly for social engineering and phishing attacks, which account for 98% of cybercrimes.

Criminals could exploit the leaked data to:

  • Impersonate Trusted Entities: Using email addresses and purchase histories, attackers could pose as Passion.io to extract additional personal or financial information.

  • Target High-Value Individuals: Combining exposed PII with open-source data, cybercriminals could create detailed profiles to target wealthy or influential users, such as celebrities or influencers.

  • Misuse Images: Profile images, especially those of children, could be used for impersonation, deepfake creation, or other unethical purposes, raising serious privacy concerns.

  • Undermine Creators’ Revenue: Unauthorized access to premium content like videos and PDFs could lead to illegal distribution, threatening creators’ income streams.

The inclusion of children’s images is particularly alarming, as they cannot consent to their online use, highlighting the ethical and legal risks of such exposures.

Passion.io’s Response & Recommendations

Passion.io responded promptly to Fowler’s responsible disclosure, confirming that their Privacy Officer and their technical team were addressing the issue to prevent future incidents. The company emphasized treating the matter with utmost seriousness. Fowler provided several recommendations for users and organizations to mitigate risks:

  • For Users: Change passwords for affected accounts, enable two-factor authentication (2FA), and avoid reusing passwords across platforms. Be cautious of unsolicited communications requesting personal information.

  • For Companies: Encrypt sensitive documents, enforce multi-factor authentication, conduct regular security audits, and segment data storage to minimize exposure risks. Retain only necessary data and securely delete outdated records.

The Passion.io incident highlights the vulnerabilities in no-code platforms, which empower creators but often lack stringent security protocols. As AI and app-building platforms proliferate, robust security standards, like those recently introduced by the UK and ETSI, are critical to safeguarding user data.

The Passion.io breach serves as a stark reminder of the importance of data security in the digital age.

Users should remain vigilant, monitor for suspicious activity, and adopt strong security practices. Companies must prioritize encryption, access controls, and proactive audits to protect sensitive information, ensuring trust in the burgeoning AI and app development ecosystem.
