In June 2025, a cybersecurity researcher from vpnMentor uncovered a serious data breach affecting Passion.io, a no-code app-building platform popular among coaches, creators, and influencers. The researcher found a publicly accessible, unencrypted database associated with the company. The data, amounting to roughly 12.2 terabytes and containing about 3.6 million records, was left exposed online without password protection. Upon notification, Passion.io responded promptly by securing the database the same day.
The scope of the breach was alarming. It included sensitive user data such as names, email addresses, physical addresses, customer IDs, and invoice or payment records. Additionally, internal documents and proprietary course content—like videos and PDFs intended only for paying users—were publicly accessible. Perhaps most troubling, some exposed profile images featured minors, heightening privacy and ethical concerns. The breadth of exposed information raises the risk of identity theft, phishing attacks, and unauthorized content redistribution.
Following the disclosure, Passion.io confirmed that their Privacy Officer and technical team had taken steps to address the misconfiguration. However, it remains unclear whether the data was stored by Passion.io directly or managed by a third-party vendor. Furthermore, the duration of the exposure and whether any malicious parties accessed the information remain unknown. These unanswered questions highlight common challenges in incident response and cloud data oversight.
This breach serves as a stark reminder of the vulnerabilities inherent in modern digital platforms, especially those catering to content creators and entrepreneurs. As businesses increasingly rely on cloud-based infrastructure, even a single misconfiguration can have devastating consequences. Security experts stress the importance of enforcing encryption, access controls, multi-factor authentication, and regular audits. For Passion.io and similar platforms, this event underscores the critical need for vigilant data stewardship and transparent user protection measures.
