A significant security breach at PrepHero, a college recruiting platform, has revealed millions of unencrypted records containing sensitive personal information, including passport images of student-athletes.
The investigation found over three million personal records of young athletes and their coaches sitting unprotected online. The discovery was made by Jeremiah Fowler, a cybersecurity researcher with vpnMentor, who reported the incident on May 12, 2025.
The exposed database belongs to PrepHero, a Chicago-based company operating under EXACT Sports. PrepHero helps high school athletes create recruiting profiles for college sports programs and facilitates direct communication with coaches at prominent universities, with the goal of securing sports scholarships.
According to Fowler’s investigation, shared with Hackread.com, the exposed database contained an astonishing total of 3,154,239 records, amounting to approximately 135 gigabytes of data, and was devoid of any password protection or encryption measures. Initial examinations of the database revealed a wealth of sensitive information, encompassing names, phone numbers, email addresses, home addresses, and passport information. Additionally, it included contact details for parents and coaches, along with unprotected files linking to athletes’ passport images.
Compounding the seriousness of the incident, the database also housed a folder named “mail cache,” which contained 10 gigabytes of email messages from 2017 to 2025. This folder included personalized links to publicly accessible pages revealing names, birth dates, email addresses, home addresses, and compensation details. Some emails featured temporary passwords, further exacerbating privacy risks. Audio recordings featuring coaches discussing their evaluations of student-athletes were also included within the cache.
Upon discovering these vulnerabilities, Fowler promptly notified PrepHero, which then took swift action to secure the database and restrict further unauthorized access. While the exposed data has been traced back to PrepHero, it remains uncertain whether the database was managed internally or by an external provider. Additionally, the timeline of how long this sensitive information was publicly accessible is undetermined, raising concerns about potential unauthorized access prior to Fowler’s findings.
The Vulnerability of the Education Sector
Recent trends indicate a marked increase in cyberattacks targeting the education sector. In April 2025, Check Point reported that educational institutions face growing cyber threats. One recent incident involved PowerSchool, which confirmed it paid a ransom after a ransomware attack compromised the personal data of students and educators.
Furthermore, reports revealed that iClicker, a widely utilized student engagement platform, fell victim to a ClickFix attack, underlining the severe risks of unprotected databases. Fowler emphasized the unique vulnerability of student-athletes, who are often young and may lack established credit histories, making them prime targets for identity theft. The exposed data could be exploited to open fraudulent accounts unnoticed, while the contact information of students, parents, and coaches could be used for targeted phishing schemes.
Given the potential ramifications, stakeholders associated with PrepHero and EXACT Sports are urged to remain vigilant against phishing and social engineering attempts. Utilizing secure content management systems with access controls, employing multi-factor authentication for all accounts, and encrypting sensitive documents are critical measures to minimize the impact of any potential data breaches.
Fowler cautioned against sending emails containing unique web links to pages with personally identifiable information (PII), recommending such links only be accessible through proper login credentials to avert unauthorized or accidental access.