App-building platform Passion.io inadvertently exposed data on more than 3.6 million creators and users through an unsecured, publicly accessible database, Hackread reports.
Beyond users' names, email addresses, and payment details, the misconfigured database also exposed user profile images (some of them of children), videos, PDF files, and internal financial records, according to an investigation by cybersecurity researcher Jeremy Fowler published on vpnMentor. Fowler warned that malicious actors could use the exposed photos for impersonation and other online scams. Passion.io secured the database the same day Fowler notified it and committed to strengthening its security controls to prevent a recurrence.

Organizations have been urged to reduce the risk of accidental database exposure by enforcing authentication and access controls, encrypting stored data, automating real-time detection of server misconfigurations, conducting routine security assessments and penetration tests, and improving security training for DevOps and technical teams.