A major data exposure incident involving Passion.io, a no-code app-building platform, has raised concerns over user privacy and data security. A publicly accessible database containing over 3.6 million records—amounting to 12.2 terabytes of unencrypted data—was discovered without any password protection. The exposed data included sensitive personal information from users and app creators who rely on the platform to launch and monetize mobile applications.

In a limited review of the exposed content, internal documents, images, and spreadsheet files labeled “users” and “invoices” were found. These included names, email addresses, physical addresses, and details related to payments or payouts, potentially impacting both end users and app creators who use Passion.io to deliver interactive course content.

The exposed database was traced to Passion.io, a company based in Texas and Delaware, known for providing a user-friendly app development solution for entrepreneurs, influencers, and educators. The exposure was quickly reported through a responsible disclosure notice, after which the database was secured the same day. Passion.io responded promptly, confirming receipt and stating that their privacy officer and technical team were actively addressing the issue to prevent any recurrence.

Despite this swift action, questions remain. It is currently unclear whether the database was directly managed by Passion.io or a third-party vendor. The duration of the exposure is also unknown, and there is no confirmation of whether unauthorized parties accessed the information before it was secured. Only a thorough internal forensic investigation could clarify the extent of potential misuse or intrusion.

Although Passion.io claims to have helped launch over 15,000 mobile apps with more than 2 million paying users, the exposed records did not appear to represent the entire user base. However, the presence of personally identifiable information (PII) and private images raises serious concerns about data governance and third-party risk management.

This incident serves as a reminder of the critical importance of securing cloud databases, especially when they contain sensitive financial and personal data. While Passion.io is taking steps to address the exposure, the event underscores broader issues around platform security in the no-code and creator economy space.