RFEF Coaching Academy Allegedly Exposed Student Documents Through Misconfigured Firebase

A threat actor alleges a Firebase misconfiguration exposed student identity documents and enabled enumeration of more than 113,000 authentication user identifiers at the RFEF coaching academy.
Redacted forum post alleging a Firebase misconfiguration affecting the RFEF Coaching Academy. The screenshot describes publicly accessible student documents, claims more than 113,000 authentication user IDs could be enumerated, and shows a blurred sample of the allegedly exposed files.
Screenshot of the forum post alleging that a misconfigured Firebase deployment exposed student documents associated with the Royal Spanish Football Federation’s coaching academy. The post claims identity documents, profile photos, invoices, and other files were publicly accessible, while more than 113,000 authentication user IDs could also be enumerated.

A threat actor has claimed that a misconfigured Firebase deployment left sensitive student documents belonging to users of the Royal Spanish Football Federation’s (RFEF) coaching academy publicly accessible without authentication.

According to the forum post, the exposure affected academia.rfef.es, the online platform used by La Academia de Entrenadores RFEF. Rather than claiming a traditional network intrusion, the actor alleges they discovered publicly accessible cloud storage and database resources that could be browsed without authentication.

Identity documents allegedly exposed

The threat actor claims the exposed storage contained documents uploaded by students during the enrollment process, including scans of Spanish national identity cards (DNI), profile photographs, invoices, and personal images.

According to the post, approximately 16 users had files stored within the publicly accessible bucket. The actor also alleges the exposed files included training materials, administrative documents, presentation images, and course resources.

BreachNews is not reproducing filenames, storage paths, or other technical details that could facilitate unauthorized access.

Claim centers on Firebase configuration

Rather than alleging exploitation of a software vulnerability, the threat actor attributes the exposure to improperly configured Firebase services.

The post claims the cloud storage bucket allowed unrestricted file listing and downloads without authentication. It also alleges that a Firebase Realtime Database permitted enumeration of approximately 113,681 authentication user identifiers, although the actor states those records did not themselves contain personally identifiable information.

According to the claim, the exposed authentication identifiers could potentially be correlated with documents stored in the publicly accessible cloud storage.

Cloud misconfigurations remain a common risk

Publicly accessible cloud storage continues to be one of the most common causes of inadvertent data exposure. When identity documents, invoices, or other personal records are stored without appropriate access controls, they may become accessible to anyone who discovers the storage location.

Although the alleged number of users with exposed documents appears limited, government-issued identity documents such as Spanish DNI cards represent highly sensitive personal information that could increase the risk of identity fraud or targeted phishing if exposed.

At the time of publication, the Royal Spanish Football Federation had not issued any public statement regarding the alleged exposure.

Picture of m00s3c

m00s3c

Moose (@m00s3c) is the author of BreachNews, focusing on data breach intelligence, dark web monitoring, and threat analysis. His work involves analyzing breach claims, reviewing leaked datasets, and tracking threat actor activity to provide clear, factual reporting.

Latest News

Newsletter signup

Get the latest data breach and security news.

Please wait...

Thank you for signing up!

BREACHNEWS.COM/SUPPORT/

Support Independent News.

Help support breach monitoring, investigations, infrastructure, and reporting.

Support the site
INTEL.BREACHNEWS.COM

Live Cyber
Threat Map

Explore live cyber activity, recent breach reports, KEV alerts, and public threat feeds from a single interactive dashboard.

Launch Threat Map