- Passion.io, a popular no-code app-building platform, operated a database that was not password protected
- The database contained millions of records, with a total size of around 12TB
- It has since been locked down, but users should still be careful
Millions of records containing personally identifiable information were sitting online in yet another unencrypted, password-less database, experts have warned.
Found by security researcher Jeremiah Fowler, who discovered and reported his findings for vpnMentor, the database contained 3,637,107 records and was 12.2TB in total size.
It belongs to a company called Passion.io, a no-code app-building platform that allows creators, influencers, entrepreneurs and coaches to build websites without any prior coding knowledge. They can also create and sell interactive courses.
Locking down the database
Fowler said he analyzed a “limited sampling of the exposed documents” and saw internal files, images and spreadsheet documents marked as “users” and “invoices.”
These files contained people's names, email addresses, postal addresses and payment details for users and app creators.
This type of information is a goldmine for cybercriminals. It can be used to craft convincing phishing emails, tricking Passion.io users into making rash and dangerous decisions. Beyond phishing, the data can be used for identity theft, wire fraud and other types of scams.
The researcher notified Passion.io of his findings and received a response the same day. The database was locked down, and the company confirmed it was working to put guardrails in place so that mishaps like this are not repeated.
“We are treating this very seriously and moving forward quickly,” the company told Fowler.
So far, there is no evidence that the information is circulating on the dark web, and it is not known whether Passion.io manages the database itself or whether the work was outsourced to a third party.
Without a thorough investigation, there is no way to know how long the database remained exposed, or whether any threat actor has already found it.