Passion.io No-Code app platform exposes 3.6M records in unprotected database
Cybersecurity researcher Jeremiah Fowler discovered an unencrypted, publicly accessible database containing over 3.6 million user records belonging to the app-building platform Passion.io.
Passion.io operates a no-code app-building platform designed for creators, coaches, influencers, celebrities, and entrepreneurs to develop branded mobile apps without technical knowledge. The platform enables users to create interactive courses and earn revenue through subscriptions or one-time payments.
The database contained 3,637,107 records with a total size of 12.2 TB. It is not known whether the database was owned and managed directly by Passion.io or by a third-party contractor. The exposed database contained personal and business information from the platform, including:
- Names and email addresses of users and app creators
- Physical home addresses
- Payment and payout transaction details
- Internal customer identification numbers
- User profile images, including some containing children
- Video files and PDF documents representing premium content sold by creators
- Internal financial records and invoice totals
- Spreadsheet documents marked as "users" and "invoices"
- Business operational data related to app creation and revenue
The exact number of affected individuals has not been disclosed. According to Passion.io's website, the platform has over 2 million paying app users and has been used by creators to launch over 15,000 mobile applications.
Fowler immediately sent a responsible disclosure notice to Passion.io, and the database was restricted from public access the same day. The company responded the following day, acknowledging the finding and confirming that their "Privacy Officer and technical team are working on fixing the issue, making sure this can't happen again, and taking all necessary steps required by the situation." The company stated they were "treating this very seriously and moving fast" to address the exposure.
Security experts recommend that affected users change passwords related to their Passion.io accounts, enable two-factor authentication where possible, remain vigilant for suspicious communications, and avoid reusing passwords across multiple accounts.