Education App 8Belts Used Unsecured Database, Exposing Sensitive Info Of 150,000 Students : TECH : Business Times
btimesonline.com

June 02, 2020 11:55 pm
Cybercriminals again target big tech. (Photo : Kacper Pempel/Reuters/Illustration)

Spanish e-learning platform 8Belts is the latest victim of a data breach, affecting 150,000 users across the globe. The breach was uncovered by vpnMentor's research team.

vpnMentor's report indicated that the data breach originated from a misconfigured Amazon Web Services S3 bucket, exposing the private data of 8Belts users and making them vulnerable to dangerous cyberattacks. According to the researchers, the S3 bucket held various types of data, all from users of 8Belts, as well as data on the platform's internal processes.

Stored in CSV format, users' records contained personally identifiable information (PII) data for individual 8Belts users, such as email addresses, full names, country of residence, date of birth, and phone numbers. In addition to the PII of 8Belts users, Skype IDs and national ID numbers of both teachers and students have been exposed online as well.

What's more, the courses that students took were left exposed online for malicious actors to exploit, as were certificates of completion, evaluation scores, account user IDs, and how well students performed. Virtual 8Belts gift cards to be shared with friends were also accessible via the exposed S3 bucket.

The exposed S3 bucket also contained site logs that detailed how 8Belts integrates with external CRM systems. In addition to exposing PII data of users, these logs also revealed considerable technical information that could be exploited by hackers to gain further access to 8Belts' platform.

8Belts is not only popular among private users -- the e-learning platform is also used by well-known companies to help employees learn new languages. 8Belts' website lists some of the world's biggest multinational companies as clients, such as Huawei, Renault, Decathlon, Inditex, Bridgestone, and several others.

The PII data of the platform's corporate clients is stored in the exposed S3 bucket too, which implies that their data or their workers' data has also been exposed online.

A database manager might leave a database unsecured intentionally to make things easier for people who need access to the data. It could also be done unintentionally.

Coding guides that aim to help novices set up cloud databases provide templates that database managers can copy and paste. Those templates often turn off password protection, a problem that MongoDB security principal Kenn White told CNET erodes database security.

8Belts, created in Spain, was partly financed by the European Union's European Regional Development Fund (ERDF) and Spain's Ministry for Energy, Tourism, and Digital Agenda, meaning the company falls within the jurisdiction of the EU's GDPR.

© 2023 Business Times All rights reserved. Do not reproduce without permission.