Language learning app reveals users’ sensitive information
8Belts, a maker of language-learning apps, leaked sensitive personal information on hundreds of thousands of users around the world from an unsecured cloud database, researchers said in a report Friday. The information included national identity numbers, as well as names, email addresses and phone numbers.
The database was accessible to anyone who had the right IP address, since at least April 15 when researchers Noam Rotem and Ran Locar encountered it online as part of a project that discovers database exposures on the internet. The researchers published their findings with vpnMentor, a website that reviews virtual private networks and earns commissions when readers click its links and purchase products. The earliest records in the 8Belts database, which has since been taken offline, were from 2017.
The company has customers around the world, and the researchers found information from users in almost every country, they said. The 8Belts website lists many major companies as clients, including mobile communications giant Huawei, sporting goods retailer Decathlon, and multinational auditing firm PricewaterhouseCoopers. Most of the entries in the database came from Spanish-speaking countries, the researchers said.
8Belts, which is based in Spain and offers courses in English, French, German and Chinese, didn’t respond to multiple requests for comment.
The discovery is among many made by security researchers of data exposed in the cloud. Other poorly secured databases have revealed information on treatments received by drug rehab patients in the US, the national ID numbers of moviegoers in Peru, and before-and-after photos of plastic surgery patients from clinics around the world.
Exposed data creates a risk of identity theft, as criminals use information stolen from companies to open up new lines of credit. It can also be abused by marketing companies or fraudsters, who may contact people using emails and phone numbers found exposed online. It’s unclear whether anyone other than the researchers accessed the 8Belts data.
As more companies move customer information into the cloud, they often lack the expertise to do so securely. Cloud providers like Amazon have tried to make it easier to set up databases securely by default, and cloud software makers like MongoDB have built products to lock data up tight even when it’s in the cloud. Still, the problem persists, security researchers have found. A community of web detectives, some professional and some hobbyists, scan the internet for exposed data and try to get it secured.
The 8Belts database was hosted by Amazon Web Services, or AWS. Cloud providers don’t set up the databases, and it’s the company’s responsibility to store customer data securely once it’s in the cloud. By default, AWS makes data in its S3 cloud storage containers, called buckets, viewable only to the account owner. A company would have to turn this protection off in order to leave data exposed.
A database manager might do this intentionally to make things easier for people who need access to the data. It could also be done unintentionally. Coding guides that aim to help novices set up cloud databases provide templates that database managers can copy and paste. Those templates often turn off password protection, a problem that MongoDB security principal Kenn White told TechNews erodes database security.
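The account-owner-only default and the copy-pasted templates that undo it can be checked mechanically. The following is an added example, not code from the article or from 8Belts: it inspects two constructed S3 bucket policies in AWS's real policy JSON format (one of the "public read" kind that tutorials hand out, one scoped to a single IAM role) and a constructed Block Public Access configuration, and reports anything that would leave bucket contents readable by anyone.

```python
import json

# Constructed sample: the "make it work" template many guides provide. It
# grants anonymous read of every object in the bucket to the whole internet.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-user-data/*",
    }],
})

# Constructed sample: the same read access limited to one application role.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-user-data/*",
    }],
})

def _is_anonymous(principal):
    """True when a statement's Principal covers unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False

def public_statements(policy_json):
    """Sids of Allow statements open to everyone. Statements carrying a
    Condition are skipped here, so review those by hand."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    return [s.get("Sid", "<no Sid>") for s in statements
            if s.get("Effect") == "Allow" and _is_anonymous(s.get("Principal"))
            and "Condition" not in s]

# The four account/bucket-level Block Public Access switches AWS provides.
BLOCK_PUBLIC_ACCESS_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
                            "BlockPublicPolicy", "RestrictPublicBuckets")

def block_public_access_gaps(config):
    """Return the Block Public Access settings that are off (not True)."""
    return [k for k in BLOCK_PUBLIC_ACCESS_KEYS if config.get(k) is not True]
```

With a live account the same two functions can be fed the output of `aws s3api get-bucket-policy` and `aws s3api get-public-access-block`, so a deployment pipeline can refuse to ship a bucket that either check flags.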
The exposed 8Belts data also appeared to contain information on users’ course histories and performance in the language learning courses, as well as information about 8Belts’ computer systems that could have been valuable to hackers looking to compromise the company, the researchers said.