A treasure trove of data belonging to 3 million individuals, primarily student-athletes, their families, and college coaches, was left unprotected online. Cybersecurity researcher Jeremiah Fowler’s discovery of the non-password-protected database once again highlights just how easily individuals with an internet connection can access sensitive data if they know where to look.
This recent data snafu was linked to PrepHero, a college sports scholarship and recruitment assistance platform based in Chicago.
Despite a lack of proof (for the time being) that malicious individuals stole the data, netizens still need to be aware of the long-term risks that accompany data breaches like this.
According to Fowler, the database, which was secured on the same day it was discovered, contained no fewer than 3,154,239 records, totaling 135 GB.
A sample review of the database revealed personally identifiable information (PII), including:
“In a limited sampling of the exposed documents, I saw names, phone numbers, emails, physical addresses, and passport data of students, as well as contacts of parents and college sport coaches,” Fowler said. “The database also contained unprotected .CSV documents with links to passport images of student athletes. I immediately sent a responsible disclosure notice to PrepHero, and the database was restricted from public access the same day and no longer accessible.”
It’s unclear how long the data was publicly accessible, whether it was managed by PrepHero directly or by a third-party contractor, or if any unauthorized parties accessed it during the exposure.
Most students haven’t yet built a financial history, making their identities low-risk targets for banks—but prime targets for fraudsters. Identity theft involving minors may go unnoticed for years until victims apply for loans, jobs, or apartments—only to discover they’ve been compromised.
In this scenario, stolen passport images, addresses, and contact info could allow criminals to:
The exposure of audio evaluations and private communications could even affect the reputations or recruitment prospects of those involved.
If you believe your personal information may have been exposed, take action now—especially if you're a student-athlete, a parent, or a coach using recruiting platforms.
Watch out for scams and phishing by scrutinizing all unsolicited emails and communication. You can use free scam detection tools to help you easily sift through suspicious messages and links – check out Bitdefender Scamio and Bitdefender Link Checker.
Never provide personal or financial information out of the blue, and make a habit of requesting a credit report annually to look for anything suspicious or inconsistent. At the same time, you can opt for a credit freeze.
To upgrade your security, we highly recommend monitoring your digital footprint.
Tools like Bitdefender Digital Identity Protection (DIP) continuously scan for your personal data across the web, data leaks, and the dark web. It alerts you in real time if your identity is found in a breach—giving you the chance to act before it's too late.
With DIP, you can:
While the PrepHero exposure may have been accidental and responsibly addressed, the privacy risks are real and lasting. Even if no malicious access occurred, the incident highlights the urgent need for proactive identity protection, robust access control, and improved data hygiene practices.
If you’re concerned about your personal information—whether from this incident or another—consider using Bitdefender Digital Identity Protection to help safeguard what matters most.
Alina is a history buff passionate about cybersecurity and anything sci-fi, advocating Bitdefender technologies and solutions. She spends most of her time between her two feline friends and traveling.