A major data breach has exposed the personal information of over three million individuals, including high school student-athletes and college coaches, according to cybersecurity researcher Jeremiah Fowler.
The unprotected database, which was discovered by Fowler and reported to vpnMentor, contained more than 3.1 million records and 135 GB of data, including sensitive personally identifiable information (PII) such as names, phone numbers, emails, addresses, and even passport data.
The records appear to belong to PrepHero, a Chicago-based recruiting platform operated by EXACT Sports, which helps high school athletes connect with college programs. Among the exposed data were unencrypted .CSV files containing links to passport images of student-athletes, contact details of parents and coaches, and a folder labeled “mail cache” containing 10 GB of email correspondence dating from 2017 to 2025.
Neither Encrypted, Nor Password-protected
Fowler reported that the database wasn’t password-protected or encrypted, making it publicly accessible. In a limited review, he found emails containing temporary login credentials, communications between athletes and coaches, and links to personal recruiting profiles. Some emails also referenced financial compensation or reimbursement details.
Audio recordings of coaches evaluating student performance were also stored in the database, including their names and college affiliations.
While the breach has now been mitigated (Fowler submitted a responsible disclosure, and the database was taken offline the same day), it isn’t clear how long the information was exposed or whether it was accessed by bad actors. It is also unknown whether the database was directly managed by PrepHero or a third-party contractor.
Young Athletes at Risk
Fowler emphasized the potential consequences of such a breach, particularly for young athletes who may be unaware of identity theft risks. “Most young people have never had a credit check, and they may not actively monitor their financial profiles, making it possible that identity theft attempts could go undetected for a very long time,” he said.
“The worst-case scenario would probably be discovering years later, when applying for credit cards or jobs, that criminals have used their personal information and damaged their credit without their knowledge. I am not saying any student athlete or individuals affiliated with PrepHero are at risk of identity theft or the misuse of their personal information. I am only highlighting a hypothetical real-world risk scenario of how criminals could use this type of exposed data,” Fowler added.
He also warned that the exposed contact information could be used in phishing scams or social engineering campaigns targeting students, parents, and coaches. “Coaches could also potentially be targeted with spear-phishing attacks that impersonate trusted sports organizations, colleges, or even pretend to be affiliated with PrepHero or a similar organization.”
Recommendations for Prevention
In his report, Fowler offered recommendations to reduce the risk of similar incidents in the future:
- Use password-protected content management systems (CMS) or customer relationship management systems (CRM) rather than unsecured cloud-based spreadsheets.
- Implement multi-factor authentication (MFA) for all user accounts.
- Encrypt sensitive documents and routinely purge outdated records.
- Avoid sending open-access web links containing PII via email.
- Conduct internal audits and log access to data repositories.
He clarified that his analysis was for educational purposes and does not allege wrongdoing by PrepHero, EXACT Sports, or their affiliates. He stated that he does not download or misuse any data he discovers and only captures limited screenshots to verify exposures before responsibly disclosing them.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


