Data Leak Hits App-Building Platform Used by Coaches, Influencers, and Entrepreneurs

Over 3.6 million records containing sensitive personal and financial data of app creators and users were left exposed online due to an unprotected and unencrypted database.

The public-facing data uncovered by cybersecurity researcher Jeremiah Fowler, linked to the no-code app-building platform Passion.io, contained a staggering 12.2 TB of data, including spreadsheet documents labeled “users” and “invoices,” names, email addresses, physical addresses, payment details, and profile images—some of which appeared to show children. Internal documents and videos uploaded by creators were also exposed, including files that may have been part of paid content or course materials.

A Wake-Up Call for the Creator Economy

Passion.io enables creators, coaches, and influencers to launch their own branded apps without coding knowledge. According to their website, over 15,000 apps have been created using their service, with more than 2 million paying users. This raises concerns about the exposure of personal identifiable information (PII), private course files, and internal invoices.

While Passion.io quickly restricted access and investigated the issue, the event underscores a broader issue: creators may rely on platforms for distribution, but they can’t always count on them for cybersecurity.

As noted in our recent article on social media account takeover attacks, attackers often start by targeting creators' weakest links—exposed credentials, reused passwords, or leaked personal data. From there, they can hijack accounts, steal monetized content, impersonate the creator, or launch scams under their name. A single lapse can have devastating effects.

The Passion.io exposure didn’t just reveal payment data and email addresses, it could have handed attackers everything they need to engineer a targeted scam or ATO (Account Takeover) attack.

Why This Matters for Creators

Whether you’re a coach, influencer, or entrepreneur, your digital presence is your brand—and your responsibility. While it’s not yet known whether threat actors accessed the exposed database, if cybersecurity researchers stumbled upon it, then others (by that I mean cybercrooks and hackers) could too. 

“Although the records appeared to belong to Passion.io, it is not known if the database was owned and managed directly by them or by a third-party contractor,” Fowler noted. It is also not known how long the database was exposed before I discovered it or if anyone else may have gained access to it. Only an internal forensic audit could identify additional access or potentially suspicious activity.”

This potentially raises real-world risks such as:

• Phishing and impersonation: Leaked emails and invoice totals can help scammers craft fake messages that seem legitimate.
• Social engineering: Exposure of user data allows attackers to build detailed victim profiles, which are especially valuable when the target has influence or followers.
• Image misuse: Profile photos could be abused to create fake accounts or deepfakes. This risk is compounded when images of children are involved.
• Loss of revenue: Downloaded course files or video content could be shared or resold, undermining a creator’s entire business model.

“In addition to personal user data, I also saw a large number of video files and .pdf documents,” the report emphasized. “These appeared to be materials that app creators sell as part of their premium content. If these files were accessed without authorization and subsequently downloaded and shared online, it could undermine the revenue model for creators.”

You may also want to read:

• Essential YouTube Security Checklist for Creators in 2025
• Content Creators: Protecting Your Channel’s Community and Avoiding Impersonators and Scams in Comments
• Top Steps to Secure Social Media Accounts

Bitdefender Security for Creators: Built for Your Content, Brand, and Identity

No matter which platform you use, you need security tailored to your work as a creator. That’s where Bitdefender Security for Creators comes in.

This specialized solution goes beyond antivirus. It helps protect you from the exact types of threats exposed in this case, unauthorized access, content theft and more.

Bitdefender Security for Creators was built exactly for this, AKA creators with reach, teams, and something worth protecting. Key features include:

✅ 24/7 YouTube account monitoring
✅ Advanced phishing and malware protection
✅ Full-device security for you and your team
✅ Guided account recovery if anything goes wrong

Keep Your Guard Up After Any Exposure

Whether you're a Passion.io user or publish on other platforms, it’s smart to take precautions:

• Change your passwords and never reuse them across services.
• Turn on two-factor authentication for all your creator accounts.
• Be cautious with emails claiming to be from the platform – verify links and never rush to respond.
• Back up your content offline and avoid keeping unreleased materials on shared clouds or unprotected drives.
• Use security tools that give you visibility into how your data is used or accessed.

If your content is your income, if your brand is your business, then your security is your responsibility. Don’t wait for an attack to realize what’s at stake. Protect your work, your audience, and your future with solutions designed specifically for creators.

Get protected today →