Incident

PrepHero data leak exposes over 3 million records of student-athletes and college coaches



Cybersecurity researcher Jeremiah Fowler discovered an unprotected database containing over 3 million records of sensitive personal information. Internal files and the database name indicate the records belonged to PrepHero, a Chicago-based company operated by EXACT Sports that helps high school athletes build recruiting résumés and connect with college coaches.

The database exposed a total of 3,154,239 records, amounting to 135 GB. The exposed data includes:

  • Names of student-athletes
  • Phone numbers
  • Email addresses
  • Physical addresses
  • Passport data and images
  • Dates of birth
  • Contact information of parents
  • Contact information of college sport coaches
  • Temporary login credentials
  • Details about compensation or reimbursement
  • Audio files of coaches' evaluations of students

The database also contained a "mail cache" folder with 10 GB of email messages dating from 2017 to 2025, which included personalized links to publicly accessible pages containing additional sensitive information. 

After Fowler sent a responsible disclosure notice to PrepHero, the exposed database was secured and access was restricted immediately. Although the records appeared to belong to PrepHero, it remains unclear whether the database was managed directly by the company or by a third-party contractor.

The duration of the exposure before discovery is not known.
