- Passion.io, a major no-code app-building platform, left a database exposed without password protection
- The archive contained millions of files, with a total size of approximately 12 TB
- It has since been locked down, but users should still be careful
Millions of files containing sensitive and personally identifiable information sat online in yet another unencrypted, non-password-protected database, experts have warned.
Security researcher Jeremiah Fowler discovered the database and reported his findings to vpnMentor. The database contained 3,637,107 records and had a total size of 12.2 TB.
It belongs to a company called Passion.io, a Delaware-based no-code app-building platform that lets creators, influencers, entrepreneurs and coaches create websites without prior coding knowledge. They can also create and sell interactive lessons.
Locking down the archive
Fowler said he had analyzed a “limited sample of the documents on display” and had seen internal files, images and spreadsheets labeled “users” and “invoices”.
These files contained names, email addresses, postal addresses and payment details for users and app creators.
This type of information is a treasure trove for cybercriminals. They can use it to craft convincing phishing emails that lure Passion.io users into making dangerous decisions. In addition to phishing, the data can be used for identity theft, wire fraud and other types of scams.
The researcher informed Passion.io of his findings and received a reply the same day. The database was locked down, and the company confirmed that it was working on implementing guardrails so that incidents like this do not happen again.
“We treat this very seriously and evolve quickly,” the company told Fowler.
So far, there is no evidence that the information is circulating on the dark web. It is also unknown whether Passion.io manages the database itself or whether that work was outsourced to a third party.
Without an in-depth investigation, there is no way to know how long the database remained open, or whether threat actors had already found it.