
A misconfiguration of the cloud storage services of the language learning company 8Belts has left the data of more than 150,000 users around the world exposed for a period yet to be determined, according to research by vpnMentor to which EL PAÍS has had access. The Israeli cybersecurity company says that the exposed data includes private information such as names, email addresses, phone numbers, dates of birth, DNIs, places of residence and Skype user names. In addition to private users, personally identifying information about the company's corporate clients also appears in the lists. This newspaper contacted 8Belts last Wednesday; the company said it was investigating what happened and for the moment has ruled out making further statements about it.

The Spanish company 8Belts was founded in 2011 and offers Spanish-speaking users online courses to learn languages. It claims to have “the only method in the world that guarantees to speak English, French, German and Chinese in eight months.” Its clients include companies such as BBVA, Acciona, Huawei, Telefónica, Inditex, Banco Santander, Ogilvy, Iberdrola and Real Madrid, according to its website, which also states that the project has been co-financed by the Ministry of Energy, Tourism and Digital Agenda and the European Regional Development Fund (ERDF).

The researchers at vpnMentor had access to several lists stored in CSV format, which contained “personally identifiable information on each 8Belts user”: “Only one list exposed the information of more than 150,000 people. Taken together, we estimate that the lists compromised the safety of hundreds of thousands of people.” Noam Rotem and Ran Locar, who led the investigation, explain by email that they cannot give a specific number of users because they did not open all the files.

People from all over the world

The security breach, according to the research, has affected people around the world, “although the majority of 8Belts users reside in Spanish-speaking countries”: “The records included data from residents of practically every country on the planet, from six continents. From the United States to Uzbekistan, Australia, Angola, Belgium or Barbados”. In addition to the aforementioned personal information, the researchers point out that course history, performance and information from the students’ accounts were also exposed: for example, courses taken, user names, grades, course completion certificates, and 8Belts gift cards to share with friends.

Among those affected, they explain, were employees of companies such as Bridgestone, Decathlon, Huawei, Inditex, PricewaterhouseCoopers, Real Madrid, Renault and Santander. “They used their company’s work email address to subscribe to the service. There may be more, since we are working with samples and not with the complete data. Furthermore, we also cannot reveal the names of companies that are not 8Belts clients”, affirm Rotem and Locar. Some questions remain unresolved. They do not know how long this information has been exposed or whether anyone else has had access to it: “We know that it was at least open from the day we found it, on April 16, until they resolved it, on May 28”, they explain.

The oldest records they found date back to 2017. The cybersecurity company found the unprotected information while carrying out a web mapping project in which it routinely searches for security holes. It was not looking for anything specific; it simply stumbled across this database. It has found other breaches this way before. In February, it warned of a flaw at Decathlon Spain that left the data of 36,704 clients unprotected. A few months earlier, in 2019, it also warned that a security breach in a private server had exposed millions of pieces of data on Ecuadorian citizens.

A configuration error

In this case, the exposed database was an Amazon Web Services (AWS) S3 bucket. S3 buckets are a type of cloud storage: containers in which companies can store information. When a customer starts using S3, the default settings only allow those containers to be accessed by the account owner and administrator, according to AWS.

But the customer can change the settings and give other people access. That is where a problem can occur if it is not done properly. “It appears that 8Belts misconfigured their user permissions, exposing all the data in the S3 bucket,” explains the investigation, which emphasizes that this is not an AWS failure but the result of an error by the owner. The quickest way to fix this error is to make the bucket private and add authentication protocols, according to the researchers, who recommend following AWS guidelines.
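As an illustration of the kind of check that catches this class of error, the following added example (not part of the original report, and not 8Belts' actual configuration) inspects a bucket's ACL, bucket policy and Public Access Block settings for access granted to anyone. The documents follow the shapes S3 returns for these settings; the bucket name and all sample data are constructed.

```python
# Added example: offline audit of S3 access documents; all bucket data is constructed.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _is_wildcard_principal(principal):
    """True for "Principal": "*" or {"AWS": "*"} (also when "*" is in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_exposure(acl, policy, block):
    """Return findings describing how the bucket is reachable by anyone.

    acl    -- dict shaped like the GetBucketAcl response
    policy -- parsed bucket policy document, or None if the bucket has none
    block  -- PublicAccessBlockConfiguration dict (missing keys count as False)
    """
    findings = []
    if not block.get("IgnorePublicAcls", False):      # when set, S3 ignores public ACLs
        for grant in acl.get("Grants", []):
            grantee = grant.get("Grantee", {})
            if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
                group = grantee["URI"].rsplit("/", 1)[-1]
                findings.append(f"ACL grants {grant['Permission']} to {group}")
    if policy and not block.get("RestrictPublicBuckets", False):
        statements = policy.get("Statement", [])
        if isinstance(statements, dict):              # a single statement may be a bare object
            statements = [statements]
        for st in statements:
            if st.get("Effect") == "Allow" and _is_wildcard_principal(st.get("Principal")):
                note = " (conditional, review the Condition)" if st.get("Condition") else ""
                findings.append(f"policy allows {st.get('Action')} to anyone{note}")
    return findings

# Constructed sample: a bucket whose ACL and policy both grant read access to anyone.
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
               "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
NO_BLOCK = {}
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for label, block in (("no public access block", NO_BLOCK), ("all four settings on", FULL_BLOCK)):
        print(label, "->", public_exposure(OPEN_ACL, OPEN_POLICY, block) or "no public access")
```

With the Public Access Block settings enabled, the same ACL and policy no longer expose the bucket, which is why enabling them is the usual first step in making a bucket private.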

When the researchers found this database, and while they were determining the scope of their find and whether 8Belts was the owning company, “new records were still being created.” After confirming this, they attempted to contact the company and also notified Amazon Web Services. This newspaper contacted 8Belts last Wednesday, and the company said it was not aware of the error. A day later the configuration error was fixed, according to vpnMentor. This newspaper has contacted 8Belts on several occasions, but the company has ruled out making any type of statement until the end of “all checks.”

Targeted attacks

“All this private information could be combined and used in various ways to launch attacks targeting those affected for fraud or theft,” say the researchers. They describe the error as “a significant flaw in 8Belts security protocols.” Cybercriminals, they point out, could use names, email addresses, phone numbers, and DNIs to commit identity theft. The victims would be vulnerable “to a whole series of bank, credit, tax or employment frauds with devastating results.”

In addition, they point out that because users' history and activity on 8Belts were exposed, cybercriminals could create phishing campaigns. That is, they could send fake emails to a victim while posing as a company, to get them “to provide private financial information, such as credit card information, or click on a link that inserts malicious software on your device.”

The consequences, according to the researchers, could also be dire for companies: “Hackers could use the same tactics to specifically target companies whose employees are registered with 8Belts. As many employees have signed up with their work email address, hackers could attack them with highly effective phishing emails containing malware. It would only take one person from a company to click on a link in these emails for the entire company network to be vulnerable to attack,” they say.