A Data Breach at Spanish E-Learning Platform 8Belts Affects More Than 150,000 Users Worldwide

8Belts Data Breach

8Belts is a Spanish online learning platform that specializes in foreign language courses. It was founded in 2011, and it was partly funded by the EU's European Regional Development Fund and the Spanish government. According to security researchers Noam Rotem and Ran Locar, however, 8Belts is used by people from all over the world, including Angola, Australia, Barbados, Belgium, USA, and Uzbekistan. You might be wondering how a couple of security experts know that many details about the userbase of an e-learning platform. Unfortunately, they found the information in an unprotected database.

Another day, another exposed database

As some of you may know, Rotem and Locar head a team of researchers working for VPNMentor. For the last few months, they have been working on a massive web mapping project with the goal of improving overall data security. In the process, however, they have shown how easy it is to expose gigabytes of private information.

Service providers make a number of mistakes, and one of the most common ones is leaving a database full of users' personal data in a publicly accessible Amazon Web Service S3 bucket. They often forget to protect the bucket with a password, and in the process, they inadvertently expose it to anyone with an internet connection. Plenty of companies have done it, and in mid-April, VPNMentor's researchers found out that 8Belts had joined the club.

8Belts put a production database in a public S3 storage bucket

Upon finding the database, the experts saw that some of the records in it dated back to 2017, but while they were trying to figure out who the owner is, they saw that information was being added in real time. In other words, it was an active production database that was collecting the details of brand new 8Belts users. There were quite a lot of details as well.

In one of the CVS files, the experts saw the records of no fewer than 150 thousand 8Belts users. Each record contained the following details:

  • Names
  • Email address
  • Phone number
  • Country of residence
  • Date of birth

Unfortunately, other files in the bucket contained yet more sensitive data, including the National ID numbers of both students and mentors.

The breach could have had horrific consequences for both 8Belts and its customers

You can already see that the Spanish e-learning platform was leaking a lot of personally identifiable information, and what the researchers described as "a significant lapse in 8Belts' security protocols" could have resulted in plenty of identity theft cases. Sadly, this was not all.

On its website, 8Belts brags about providing foreign language courses to the employees of a number of large, world-renowned businesses. Among its partners, you'll find companies like Huawei, Deloitte, PricewaterhouseCoopers, Santander, etc. Sure enough, the personal details of employees of these companies were also in 8Belts' database. This not only exposed the employees themselves, but it could have also put the learning platform's clients at risk.

In addition to this, VPNMentor's team discovered server logs that revealed how some of 8Belts' backend systems work. This information could have helped cybercriminals hack the online learning platform itself, causing an incalculable amount of damage.

The leaky bucket was quietly pulled offline

A few days after discovering the exposed information, the researchers tried to get in touch with 8Belts to disclose the breach and offer further assistance. While waiting for a response, they also contacted Amazon and informed the storage provider of the exposed information. In the end, they didn't receive a reply, but when they checked a few weeks later, they found out that the database had been pulled offline. Although VPNMentor published its report a couple of days ago, 8Belts has yet to offer anything that resembles an official statement.

Indeed, as is the case with many similar leaks, we've seen no evidence of any misuse of the exposed data, but this should never be a reason for ignoring the problem or pretending that it didn't happen. On the contrary, the discovery should serve as an incentive for 8Belts to show its customers that it's determined not to let this happen again.

June 4, 2020