Cybersecurity researcher Jeremiah Fowler discovered a major data leak involving over 3.6 million records linked to a no-code app development platform.

The exposed database was reachable without a password or any other authentication, and its contents were stored unencrypted, so anyone who found the endpoint could read the sensitive personal information it held.

Fowler reported the incident to VPNMentor after identifying the unprotected database. It held 3,637,107 records, totaling 12.2 terabytes of data. During a brief review of the files, he found internal documents, images, and spreadsheets labeled “users” and “invoices.” These files included names, email addresses, physical addresses, and payment or payout information, suggesting that the data belonged to both app users and creators.

Evidence pointed to the data being associated with Passion.io, a company based in Texas and Delaware. Passion.io provides a no-code app-building platform that allows creators, coaches, and entrepreneurs to build and monetize their mobile apps without needing any programming skills.

Upon discovering the exposure, Fowler promptly notified Passion.io. The company acted quickly, securing the database the same day. In a follow-up email, they thanked Fowler for his responsible disclosure and confirmed that their Privacy Officer and technical team were investigating the issue and taking steps to prevent it from happening again.

It remains unclear whether Passion.io managed the exposed database directly or whether a third-party provider controlled it. How long the database was exposed, and whether anyone other than Fowler accessed it, is also unknown. Only an internal investigation, such as a review of the database's access logs, could establish whether the data was accessed or misused by others.


Passion.io’s website states that over 15,000 apps have been launched using its platform, with more than 2 million paying users. However, the exposed database did not appear to contain information from all those apps. Still, the data did include personally identifiable information (PII), such as customer names, addresses, and profile pictures—some of which featured children.