- Passion.io, a large no-code app-building platform, left a database exposed online without password protection
- The database contained millions of records with a total size of approx. 12 TB
- It has since been locked down, but users should still remain cautious
Millions of records containing sensitive, personally identifiable information sat online in yet another unencrypted database with no password protection, experts have warned.
Found by security researcher Jeremiah Fowler, who reported his findings to vpnMentor, the database contained 3,637,107 records and was 12.2 TB in total size.
It belongs to a company called Passion.io, a Delaware-based no-code app-building platform that lets creators, influencers, entrepreneurs and coaches build their own apps without any prior coding knowledge. They can also create and sell interactive courses.
Locking the database down
Fowler said he analyzed a “limited sampling of the exposed documents” and found internal files, images and spreadsheets labelled “users” and “invoices”.
These files contained people’s names, email addresses, postal addresses and payment details for both users and app creators.
This type of information is a treasure trove for cybercriminals. It can be used to craft convincing phishing emails that trick Passion.io users into making rash, dangerous decisions. Beyond phishing, the data can be used for identity theft, financial fraud and other types of fraud.
The researcher notified Passion.io of his findings and received a reply the same day. The database was locked down, and the company confirmed it was working to put safeguards in place so that incidents like this one do not recur.
“We treat this very seriously and move quickly,” the company told Fowler.
So far there is no evidence that the information is circulating on the dark web, and it is not known whether Passion.io managed the database itself or whether that job was outsourced to a third party.
Without a thorough audit, including a review of the server’s access logs, there is no way to know how long the database remained exposed or whether any threat actors found it before the researcher did.