Users of Spanish e-learning platform 8Belts had their data compromised after a misconfiguration, said Security Magazine. More than 150,000 students worldwide are affected by the security flaw.
The breach was found by a team led by Noam Rotem and Ran Locar from vpnMentor. The report said that an erroneous Amazon Web Services S3 bucket configuration caused the issue, which left the bucket open to malicious access.
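The class of misconfiguration described above is a bucket whose access controls (bucket policy, ACL grants, or missing Block Public Access settings) allow anyone on the internet to read it. The following is an added example, not code from the article or from 8Belts or vpnMentor, that audits those three artefacts offline. The bucket names, account ID and the two sample configurations are constructed for illustration; in practice the dictionaries would come from the `GetBucketPolicy`, `GetBucketAcl` and `GetPublicAccessBlock` S3 API responses.

```python
import json

# Canned ACL group URIs that mean "everyone" / "any AWS account holder".
PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# The four Block Public Access flags, shaped like PublicAccessBlockConfiguration.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """Policy documents allow a single string or a list in most fields."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_public_statements(policy):
    """Sids (or positional labels) of unconditional Allow statements open to everyone."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditional public grants need manual review; not auto-flagged
        findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


def acl_public_grants(acl):
    """(group URI, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    grants = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_URIS:
            grants.append((grantee["URI"], grant.get("Permission")))
    return grants


def public_access_block_gaps(pab):
    """Names of Block Public Access settings that are absent or disabled."""
    return [k for k in PAB_KEYS if not pab.get(k, False)]


def audit_bucket(name, policy, acl, pab):
    """Combine the three checks; 'public' is True if any control exposes the bucket."""
    report = {
        "bucket": name,
        "policy_public": policy_public_statements(policy),
        "acl_public": acl_public_grants(acl),
        "pab_gaps": public_access_block_gaps(pab),
    }
    report["public"] = bool(report["policy_public"] or report["acl_public"])
    return report


# Constructed sample: a bucket left readable by the whole internet.
EXPOSED_BUCKET = {
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]},
    "acl": {"Grants": [
        {"Grantee": {"Type": "Group", "URI": PUBLIC_ACL_URIS and
                     "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]},
    "pab": {k: False for k in PAB_KEYS},
}

# Constructed sample: the same bucket restricted to one application role (placeholder ARN).
HARDENED_BUCKET = {
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "AppRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]},
    "acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
         "Permission": "FULL_CONTROL"}]},
    "pab": {k: True for k in PAB_KEYS},
}

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(json.dumps(audit_bucket(label, cfg["policy"], cfg["acl"], cfg["pab"]), indent=2))
```

Running the script prints one report per sample: the exposed configuration is flagged on all three checks, the hardened one on none. Conditional public statements are deliberately left for human review rather than silently passed, since a `Condition` on `aws:SourceIp` or `aws:Referer` may or may not narrow access meaningfully.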
The bucket, which is used to store user information and the platform’s core processes, contained personally identifiable data such as full names, dates of birth and country of residence. It also contained contact info such as phone numbers and email addresses.
More importantly, the flaw has made confidential information such as National ID numbers and Skype IDs available for cyber attackers.
On top of personal info, the vulnerability also exposed students’ learning-related data such as their account details, performance, and course history. Account user IDs, scores, certifications, and gift cards were also made available.
In terms of internal processes for the operation of the platform, the S3 bucket’s exposure also revealed the integration specifics of 8Belts. It showed site logs explaining the integration system used by the platform.
This core data could be used by attackers to further access the platform’s system and to steal more user information.
According to Security Magazine, the e-learning engine is not only used by individual users. It is also utilized by a variety of private-sector clients such as Bridgestone, Deloitte, Huawei, PricewaterhouseCoopers, and Santander.
The data of these corporate clients is also stored in the compromised S3 bucket. Security Magazine clarified that users from such customers could have used company contact numbers and emails, unlike individual users, who likely used personal ones.
However, corporate clients are warned that “hackers could target these employees with highly effective phishing emails embedded with malware,” said the report from vpnMentor. Moreover, the report said, “it would only take one person within a company to click a button in these emails and expose a company’s entire network to attack.”
The research team also warned 8Belts of the impact of the vulnerability, especially as it is a Spain-based platform, which means that it is covered by the European Union’s General Data Protection Regulation (GDPR).
Should the data be obtained by malicious parties, the company will be subject to investigations and audits. Legal action and fines could also apply in accordance with GDPR policies.