More than 3 million records, 12TB of data exposed in major app builder breach
No-code app builder found leaking sensitive information online

- Passion.io, a major no-code app-building platform, operated a non-password-protected database
- The archive contained millions of records, with a total size of around 12TB
- It has since been locked down, but users should still take care
Millions of records containing sensitive, personally identifiable information were sitting online in yet another unencrypted, non-password-protected database, experts have warned.
The database was found by security researcher Jeremiah Fowler, who reported his findings to vpnMentor. It contained 3,637,107 records and was 12.2TB in total size.
It belongs to a company called Passion.io, a Delaware-based no-code app-building platform that allows creators, influencers, entrepreneurs, and coaches to create websites without any prior coding knowledge. They can also create and sell interactive courses.
Locking the archive down
Fowler said that he analyzed a “limited sampling of the exposed documents” and saw internal files, images, and spreadsheet documents marked as “users” and “invoices”.
These files contained people’s names, email addresses, postal addresses, and details about payments or payouts for users and app creators.
This type of information is a treasure trove for cybercriminals. They can use it to create convincing phishing emails, tricking Passion’s users into making rash, dangerous decisions. Besides phishing, the data can be used in identity theft, wire fraud, and other types of scams.
The researcher notified Passion.io about his findings, and got a response on the same day. The database was locked down, and the company confirmed it was working on putting guardrails in place so that mishaps like this one don’t repeat.
“We’re treating this very seriously and moving fast,” the company told Fowler.
So far, there is no evidence the information is circulating on the dark web. It is also not known whether Passion.io manages the database itself or whether the job was outsourced to a third party.
Without a thorough investigation, there is no way of knowing how long the database remained open, or whether any threat actors had already found it.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.