“8Belt” Exposed the Personal Details of 100,000s of Language Students

• “8Belt” has left an Amazon Web Service bucket exposed without setting up an access password.
• The unprotected server contained personal details about the students and also the teachers of the platform.
• Employees from several large companies have also been exposed as a result.

The Spanish e-learning platform “8Belts” has failed to secure its users' sensitive details, exposing a large number of people from around the world. The platform’s IT team has misconfigured an AWS S3 bucket discovered by security researchers Noam Rotem and Ran Locar on April 16, 2020. The vendor was contacted twice in the days that followed but failed to respond. The database was eventually secured on May 28, 2020, so the sensitive user data remained accessible online for about six weeks.

8Belts is a platform that helps Spanish speakers learn languages such as English, German, French, and Chinese. Thus, it has users from various countries and locations, including Spain, Latin America, Central America, and the Caribbean. Of course, Spanish speaking people are living everywhere in the world, and indeed the researchers confirmed entries from Australia, USA, Uzbekistan, Belgium, and more.

The data that has been exposed includes the following entries:

• Full names
• Email addresses
• Phone numbers
• Dates of birth
• Country of residence
• National ID numbers
• Skype IDs

There were various folders in the exposed bucket, some of which had data relating to the students, while others were meant to store the details of teachers. For example, there was a CSV file that contained the email addresses of 8Belts employees, opening the door to BEC (business email compromise) actors.

Apart from the above personal details, which would be a treasure in the hands of fraudsters, phishers, and scammers, there was also stuff relating to the language learning programs, from evaluation scores and performance history to user IDs and certificates of completion. This incident even exposed site logs that revealed critical details about the technical infrastructure of the 8Belts platform.

The researchers estimate that the event affected 100,000s of people worldwide. Besides private users, 8Belt was also collaborating with companies to offer language-learning programs to their employees. So, some of the people who work for large corporations have been compromised too. The list includes Bridgestone, Decathlon, Deloitte, Huawei, Inditex, PricewaterhouseCoopers, Real Madrid, Renault, and Santander.

All that said, this was a huge mistake from 8Belts, exposing regular language learners, causing headaches to firms that used its system, and also losing credibility. Being a Spanish company, 8Belts will now have to go through a GDPR-based investigation that will end up in some form of a penalty. 8Belts is engaging in the very competitive field of eLearning, so this security lapse alone could result in the demise of its business due to the above reasons.