A security lapse at PrepHero, a college recruiting platform, exposed millions of unencrypted records, including sensitive personal details and passport photos of student-athletes.
A large volume of personal data belonging to over three million people, including young athletes hoping for college scholarships and their coaches, was recently found unprotected online. vpnMentor’s cybersecurity researcher Jeremiah Fowler discovered the exposed database and reported it on May 12, 2025.
Based on the information in the database, it belonged to a Chicago-based company called PrepHero, operated by EXACT Sports. PrepHero helps high school athletes create recruiting profiles for college sports programs and facilitates direct communication between athletes and coaches at well-known universities, with the aim of securing sports scholarships.
According to Fowler’s investigation, shared with Hackread.com, the database contained a staggering 3,154,239 records (totalling around 135 gigabytes) and was not secured with a password or any form of encryption.
Fowler’s initial checks revealed sensitive details about student-athletes, including names, phone numbers, email addresses, home addresses, and passport information. The database also contained contact details for parents and coaches, as well as unprotected computer files with links to student-athletes’ passport photos.
Adding to the severity of the exposure, the database contained a folder labelled “mail cache” holding 10 gigabytes of email messages spanning from 2017 to 2025. The folder contained custom web links to publicly accessible pages displaying names, birth dates, email addresses, home addresses, and payment details.
Some emails also included temporary passwords, posing further privacy risks. Audio recordings of coaches stating their names, schools, and evaluations of student-athletes’ strengths and weaknesses were also found.
Fowler promptly disclosed the discovery to PrepHero, which quickly secured the database, preventing further public access. While the exposed records were linked to PrepHero, it is still unclear whether the database was managed directly by the company or whether an external firm was responsible for its administration. It is also unclear how long the sensitive information was accessible online before Fowler’s discovery, or whether anyone else may have accessed it.
Education Sector Is Already Vulnerable
As noted in Check Point’s April 2025 malware report, cyber attacks on the education sector continue to rise. Just last week, edtech giant PowerSchool confirmed it paid a ransom after a December 2024 ransomware attack that exposed the personal data of students and teachers.
Meanwhile, new reports reveal that the official website of iClicker, a widely used student engagement platform, was hacked in a ClickFix attack. Having a database exposed to cyber criminals is worse than leaving your front door wide open; it is an open invitation with far more at stake.
Fowler highlighted the privacy risks of exposing student-athletes’ personal information: they are often young and lack credit histories, which makes them vulnerable to identity theft. Criminals could use this data to open fraudulent accounts without quick detection. The contact information of students, parents, and coaches could be exploited for targeted phishing attacks and scams, with coaches also susceptible to spear-phishing attempts.
Considering these repercussions, people associated with PrepHero or EXACT Sports should remain cautious about phishing and social engineering attempts, use secure content management systems with access controls, use multi-factor authentication for all accounts, and encrypt sensitive documents to minimize the impact of potential data breaches.
“Sending emails with unique web links to surveys or open webpages that contain PII should be restricted and only accessible with login credentials to prevent unauthorized or unintended access,” Fowler advised.