TechRadar
Sead Fadilpašić

More than 3 million records, 12TB of data exposed in major app builder breach


  • Passion.io, a major no-code app-building platform, operated a database that was not password-protected
  • The archive contained millions of records, with a total size of around 12TB
  • It has since been locked down, but users should still take care

Millions of records containing sensitive, personally identifiable information were sitting online in yet another unencrypted, non-password-protected database, experts have warned.

Security researcher Jeremiah Fowler, who discovered the database and reported his findings to vpnMentor, said it contained 3,637,107 records and was 12.2TB in total size.

It belongs to a company called Passion.io, a Delaware-based no-code app-building platform that allows creators, influencers, entrepreneurs, and coaches to create websites without any prior coding knowledge. They can also create, and sell, interactive courses.

Locking the archive down

Fowler said that he analyzed a “limited sampling of the exposed documents” and saw internal files, images, and spreadsheet documents marked as “users” and “invoices”.

These files contained people’s names, email addresses, postal addresses, and details about payments or payouts for users and app creators.

This type of information is a treasure trove for cybercriminals. They can use it to create convincing phishing emails, tricking Passion’s users into making rash, dangerous decisions. Besides phishing, the data can be used in identity theft, wire fraud, and other types of scams.

The researcher notified Passion.io about his findings, and got a response on the same day. The database was locked down, and the company confirmed it was working on putting guardrails in place so that mishaps like this one don’t repeat.

“We’re treating this very seriously and moving fast,” the company told Fowler.

So far, there is no evidence the information is circulating on the dark web - and it's also not known if Passion.io is the one managing the database, or if the job was outsourced to a third party.

Without a thorough investigation, there is no way of knowing for how long the database remained open, or if any threat actors found it already.
