Three Million Records Exposed In Passion.io Data Breach

Cybersecurity researcher Jeremiah Fowler has uncovered a significant data breach involving Passion.io, a no-code app-building platform based in Texas. The breach exposed an unencrypted, non-password-protected database containing 3,637,107 records, totaling 12.2 terabytes of data.

This incident, reported to vpnMentor, revealed sensitive personally identifiable information (PII) and internal files, raising concerns about potential misuse by cybercriminals.

Passion.io swiftly restricted public access to the database on the same day it was reported, but the breach underscores the critical need for robust data security measures in the rapidly growing AI and app development sectors.

Details of the Breach

The exposed database contained a variety of sensitive records, including internal files, images, and spreadsheets labeled “users” and “invoices.” These documents included:

  • User Information: Names, email addresses, physical addresses, and internal customer ID numbers of app creators and users.

  • Financial Data: Details about payments and payouts, including invoice totals paid to Passion.io by app owners.

  • Content Files: Video files and PDFs, likely premium content sold by creators, alongside user profile images, some featuring children.

While the database appeared to belong to Passion.io, it remains unclear whether it was managed directly by the company or a third-party contractor. The duration of the exposure and whether unauthorized parties accessed the data are also unknown, pending an internal forensic audit.

Potential Risks & Implications

The exposure of PII and internal records poses significant risks, particularly for social engineering and phishing attacks, which account for 98% of cybercrimes.

Criminals could exploit the leaked data to:

  • Impersonate Trusted Entities: Using email addresses and purchase histories, attackers could pose as Passion.io to extract additional personal or financial information.

  • Target High-Value Individuals: Combining exposed PII with open-source data, cybercriminals could create detailed profiles to target wealthy or influential users, such as celebrities or influencers.

  • Misuse Images: Profile images, especially those of children, could be used for impersonation, deepfake creation, or other unethical purposes, raising serious privacy concerns.

  • Undermine Creators’ Revenue: Unauthorized access to premium content like videos and PDFs could lead to illegal distribution, threatening creators’ income streams.

The inclusion of children’s images is particularly alarming, as they cannot consent to their online use, highlighting the ethical and legal risks of such exposures.

Passion.io’s Response & Recommendations

Passion.io responded promptly to Fowler’s responsible disclosure, confirming that their Privacy Officer and their technical team were addressing the issue to prevent future incidents. The company emphasized treating the matter with utmost seriousness. Fowler provided several recommendations for users and organizations to mitigate risks:

  • For Users: Change passwords for affected accounts, enable two-factor authentication (2FA), and avoid reusing passwords across platforms. Be cautious of unsolicited communications requesting personal information.

  • For Companies: Encrypt sensitive documents, enforce multi-factor authentication, conduct regular security audits, and segment data storage to minimize exposure risks. Retain only necessary data and securely delete outdated records.

The Passion.io incident highlights the vulnerabilities in no-code platforms, which empower creators but often lack stringent security protocols. As AI and app-building platforms proliferate, robust security standards, like those recently introduced by the UK and ETSI, are critical to safeguarding user data.

The Passion.io breach serves as a stark reminder of the importance of data security in the digital age.

Users should remain vigilant, monitor for suspicious activity, and adopt strong security practices. Companies must prioritize encryption, access controls, and proactive audits to protect sensitive information, ensuring trust in the burgeoning AI and app development ecosystem.

For the complete report click HERE

Image: Ideogram
