Friday, July 11, 2025

App building platform exposes over 3 million records, including PII

Cybersecurity researcher Jeremiah Fowler discovered an unprotected database with 3,637,107 records likely from a no-code app-building platform.

The unprotected database, totaling 12.2 TB and containing 3,637,107 records, included internal files, images, and spreadsheets labeled “users” and “invoices.” These documents featured names, emails, physical addresses, and payment details for users and app creators.

The records seem to belong to Passion.io, a Texas/Delaware company that provides a no-code app-building platform. This platform enables creators, coaches, influencers, celebrities, and entrepreneurs to develop their own branded mobile apps without technical skills. Users can create interactive courses and generate income through subscriptions or one-time payments.

Jeremiah Fowler notified Passion.io about a security issue, and the database was restricted from public access the same day. The next day, he received an email thanking him for his report.

The email states that Passion.io’s Privacy Officer and technical team are urgently addressing the issue to prevent future occurrences. It is unclear whether the database in question was owned by Passion.io or a third-party contractor, how long it was exposed, or whether others accessed it. An internal forensic audit is needed to uncover any additional access or suspicious activity.

Source: VPNmentor

Passion.io’s platform has helped creators launch over 15,000 apps and gain over 2 million paying users. It allows creators to monetize their skills and knowledge through mobile apps. However, the database seems incomplete, as it does not contain data on all apps and users. Additionally, it contained personally identifiable information (PII) and images that might not have been meant for public access.

Exposed files with personally identifiable information (PII) such as names, emails, addresses, and payment details pose significant risks. Criminals could use this data for phishing and social engineering attacks, with 98% of cybercrimes starting from such methods.
