A security lapse on PrepHero, a college recruiting platform, exposed millions of unencrypted records, including sensitive personal details and passport images of student-athletes. The exposed database contained 3,154,239 records and was not secured with a password or any form of encryption. Sensitive information such as names, phone numbers, email addresses, home addresses, and passport information of student-athletes was exposed. The database also contained contact details for parents and coaches, as well as unprotected computer files with student-athletes’ passport image links. Additionally, a folder labelled 'mail cache' holding 10 gigabytes of email messages spanning from 2017 to 2025 was found, containing personalized web links to publicly accessible pages displaying names, birth dates, email addresses, home addresses, and compensation details.
Source: https://hackread.com/prephero-database-exposed-students-coaches-data/
TPRM report: https://scoringcyber.rankiteo.com/company/prephero
{
  "id": "pre552051425",
  "linkid": "prephero",
  "type": "Breach",
  "date": "5/2025",
  "severity": "100",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': 3154239,
                        'industry': 'Education/Recruiting',
                        'name': 'PrepHero',
                        'type': 'Company'}],
 'attack_vector': 'Unsecured Database',
 'data_breach': {'data_encryption': 'None',
                 'file_types_exposed': ['Database Records',
                                        'Email Messages',
                                        'Passport Image Links'],
                 'number_of_records_exposed': 3154239,
                 'personally_identifiable_information': ['Names',
                                                         'Phone Numbers',
                                                         'Email Addresses',
                                                         'Home Addresses',
                                                         'Passport Information',
                                                         'Birth Dates',
                                                         'Compensation Details'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personally Identifiable Information',
                                              'Communication Data']},
 'description': 'A security lapse on PrepHero, a college recruiting platform, '
                'exposed millions of unencrypted records, including sensitive '
                'personal details and passport images of student-athletes. The '
                'exposed database contained 3,154,239 records and was not '
                'secured with a password or any form of encryption. Sensitive '
                'information such as names, phone numbers, email addresses, '
                'home addresses, and passport information of student-athletes '
                'was exposed. The database also contained contact details for '
                'parents and coaches, as well as unprotected computer files '
                'with student-athletes’ passport image links. Additionally, a '
                "folder labelled 'mail cache' holding 10 gigabytes of email "
                'messages spanning from 2017 to 2025 was found, containing '
                'personalized web links to publicly accessible pages '
                'displaying names, birth dates, email addresses, home '
                'addresses, and compensation details.',
 'impact': {'data_compromised': ['Names',
                                 'Phone Numbers',
                                 'Email Addresses',
                                 'Home Addresses',
                                 'Passport Information',
                                 'Contact Details for Parents and Coaches',
                                 'Passport Image Links',
                                 'Email Messages'],
            'identity_theft_risk': 'High',
            'systems_affected': ['Database', 'Email System']},
 'post_incident_analysis': {'root_causes': 'Lack of Password or Encryption'},
 'title': 'PrepHero Data Exposure',
 'type': 'Data Exposure',
 'vulnerability_exploited': 'Lack of Password or Encryption'}