A threat actor has claimed that a misconfigured Firebase deployment left sensitive student documents belonging to users of the Royal Spanish Football Federation’s (RFEF) coaching academy publicly accessible without authentication.
According to the forum post, the exposure affected academia.rfef.es, the online platform used by La Academia de Entrenadores RFEF. Rather than claiming a traditional network intrusion, the actor alleges they discovered publicly accessible cloud storage and database resources that could be browsed without authentication.
Identity documents allegedly exposed
The threat actor claims the exposed storage contained documents uploaded by students during the enrollment process, including scans of Spanish national identity cards (DNI), profile photographs, invoices, and personal images.
According to the post, approximately 16 users had files stored within the publicly accessible bucket. The actor also alleges the exposed files included training materials, administrative documents, presentation images, and course resources.
BreachNews is not reproducing filenames, storage paths, or other technical details that could facilitate unauthorized access.
Claim centers on Firebase configuration
Rather than alleging exploitation of a software vulnerability, the threat actor attributes the exposure to improperly configured Firebase services.
The post claims the cloud storage bucket allowed unrestricted file listing and downloads without authentication. It also alleges that a Firebase Realtime Database permitted enumeration of approximately 113,681 authentication user identifiers, although the actor states those records did not themselves contain personally identifiable information.
According to the claim, the exposed authentication identifiers could potentially be correlated with documents stored in the publicly accessible cloud storage.
Cloud misconfigurations remain a common risk
Publicly accessible cloud storage continues to be one of the most common causes of inadvertent data exposure. When identity documents, invoices, or other personal records are stored without appropriate access controls, they may become accessible to anyone who discovers the storage location.
Although the alleged number of users with exposed documents appears limited, government-issued identity documents such as Spanish DNI cards represent highly sensitive personal information that could increase the risk of identity fraud or targeted phishing if exposed.
At the time of publication, the Royal Spanish Football Federation had not issued any public statement regarding the alleged exposure.











