3M Student-Athletes, College Coaches’ Records Exposed

Tim Mossholder via Unsplash
Cybersecurity researcher Jeremiah Fowler identified and reported an unencrypted, non-password-protected database apparently belonging to a sports scholarship and recruitment assistance platform called PrepHero. Fowler sent a notice to PrepHero, and that same day the database was restricted and no longer accessible. It is unknown whether anyone else accessed the database, or for how long it was exposed.
The database contained 3,154,239 records, amounting to 135 GB. Included in the records was a range of personally identifiable information (PII) of student-athletes, such as names, phone numbers, email addresses, physical addresses, and passport information. There were unprotected .CSV documents that included links to passport images of the students. Additionally, contact information of parents and college coaches was exposed.
Furthermore, Fowler discovered a folder named “mail cache,” containing 10 GB of email messages between the years 2017 and 2025. Some messages included personalized links to publicly accessible pages that presented names, birth dates, email addresses, physical addresses, and compensation/reimbursement details. Some even contained account emails and login credentials. There were also audio files from coaches, in which coaches often stated their names, their affiliated college, and evaluations of individual students.
If the data had fallen into the hands of a malicious actor, young students could be vulnerable to identity theft due to a lack of established credit history. The exposure of contact information could leave individuals at risk of targeted phishing attacks or social engineering tactics.