8Belts, a developer of language learning applications, leaked sensitive information from hundreds of thousands of users around the world through an unsecured database, a group of researchers said in a report on Friday, May 29, 2020. The information included national identification numbers, as well as names, email addresses, and telephone numbers.

The database had been exposed since April 15 to anyone with the correct IP address, when researchers Noam Rotem and Ran Locar discovered it as part of a project to search for unprotected databases on the Internet. The researchers published the report in conjunction with vpnMentor, a website that analyzes virtual private networks (VPNs) and receives commissions when users click on links on its site and purchase those products. The oldest traces from the 8Belts database, which has already been disconnected, are from 2017.

The language app company has clients worldwide, and researchers found information from users in many countries. The 8Belts website lists a number of major companies among its clients, including Chinese giant Huawei, sporting goods maker Decathlon, and accounting and auditing multinational PricewaterhouseCoopers. Most of the information in the database comes from Spanish-speaking countries, according to the researchers.

8Belts, which is based in Spain and offers courses in English, French, German and Chinese, did not respond to multiple requests for comment.

The discovery of information exposed in the cloud is one of many similar finds that security researchers have made. Other databases that were not properly secured have leaked, for example, information from patients in drug rehabilitation in the United States, national identification data of cinemagoers in Peru, and before-and-after photos of plastic surgery patients from clinics around the world.

The exposed data creates an identity theft risk, as criminals use stolen information to open new lines of credit. The information can also be abused by marketing companies or scammers, who could contact people using the email addresses or phone numbers exposed on the Internet. It is unclear if anyone other than the researchers had access to the 8Belts information.

As more companies put their customers’ information in the cloud, they often lack the expertise to do so securely. Cloud service providers, like Amazon, have tried to make it easier to set up secure databases by default, and cloud software developers, like MongoDB, have designed products to securely block access to data, even when it is in the cloud. But the problem persists. A community of web detectives, some professional and others amateur, scans the Internet to discover exposed data and try to make it safe.

The 8Belts database was hosted by Amazon Web Services, or AWS. Cloud service providers are not in charge of setting up the database; it is the company’s responsibility to securely store its customer data in the cloud. By default, AWS lets only its customers see the data in their S3 folders, and the company would have had to disable this feature in order for the data to be exposed.

A database manager might do this intentionally to make it easier for people who need the data to access it. It could also have been done inadvertently. Guides for setting up databases in the cloud provide templates that database managers can copy and paste. Those templates often disable password protection, a problem that Kenn White, chief security officer at MongoDB, told CNET erodes database security.

The exposed 8Belts data appeared to include information about users’ performance in their language learning courses, as well as information about 8Belts’ computer systems that could have been valuable to hackers trying to compromise the company, the researchers say.