Tabiq, a hotel check-in and digital identity verification system, exposed more than one million passports, driver's licenses, and verification photos through an unsecured, publicly accessible data store. The exposure was discovered by an independent security researcher and confirmed after TechCrunch alerted the company. There is no evidence of a sophisticated intrusion: the records were left reachable by anyone with the right link, the result of a basic misconfiguration rather than an exploit.
What Happened
An independent researcher identified a publicly accessible repository of sensitive guest data belonging to Tabiq's hotel check-in platform. The data required no credentials, no authentication, and no exploitation to access. TechCrunch acted as the notifying intermediary, relaying the finding to Tabiq so the exposure could be closed. The reporting notes that AI-assisted tooling played a role in surfacing the vulnerability, reinforcing a growing pattern in which automated discovery outpaces the manual security hygiene meant to prevent these gaps. The length of time the data sat exposed before discovery remains unknown, which means the window for unauthorized access cannot be bounded.
What Was Taken
The exposed dataset is both large and high-sensitivity. It included over one million passports, driver's licenses, and verification selfie photos used to match guests to their identity documents. This combination is the worst case for identity fraud: a government-issued document paired with a live verification photo defeats many of the document-plus-liveness checks that financial institutions, telecoms, and other identity systems rely on. Unlike a leaked password, these credentials cannot be rotated. A passport number, a date of birth, and a face do not change, so the value of this data to fraudsters persists for years.
Why It Matters
Hotel check-in and identity verification vendors sit on a concentrated pool of exactly the documents needed to commit synthetic identity fraud, account takeover, and physical impersonation. When a single misconfigured store holds a million such records, one operator error becomes a population-scale breach. This incident echoes earlier exposures tied to digital document handling at companies such as Hertz and the Duc App, signaling a sector-wide weakness as travel, lodging, and rental businesses lean harder on digital ID verification. For defenders, the lesson is that the threat is not always an attacker breaking in. Often it is sensitive data being left out, and the strategic risk concentrates in third-party verification vendors that few of their downstream customers actively monitor.
The Attack Technique
No intrusion technique was required. The root cause was a misconfiguration that left a data store publicly accessible without authentication. This is the classic cloud exposure pattern: a storage bucket, database, or index provisioned with overly permissive access settings, then populated with production data. There was no malware, no phishing, and no privilege escalation. The "attacker" in this scenario is anyone, automated scanner or human, who happens upon an open endpoint. AI-driven scanning tools now index such endpoints continuously, shrinking the time between exposure and discovery to hours, which means a misconfiguration that goes unnoticed internally will rarely go unnoticed externally.
What Organizations Should Do
- Inventory and lock down data stores. Enumerate every storage bucket, database, and search index, and verify that none permit anonymous or public access. Default to deny and require explicit, audited grants.
- Continuously scan your own perimeter. Run automated external exposure scanning against your public IP and cloud asset ranges so you find open endpoints before researchers or criminals do.
- Minimize and segregate identity data. Avoid retaining passports, licenses, and verification photos longer than legally required, encrypt them at rest with strict key access, and isolate them from general-purpose storage.
- Vet third-party verification vendors. Demand evidence of access controls, encryption, and breach-notification commitments from any check-in or identity provider, and treat their security posture as part of your own attack surface.
- Establish a real intake for outside reports. Publish a security contact or vulnerability disclosure channel so researchers can reach you directly instead of routing through journalists.
- Alert on access-policy changes. Configure cloud monitoring to flag any change that makes a resource public, and treat such changes as high-severity events requiring immediate review.
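The inventory check from the first recommendation can be run as a recurring audit over exported storage configurations. The following is an added example, not code from Tabiq or the original reporting; it assumes AWS S3-style bucket policies, ACL grants, and Public Access Block settings (the reporting does not name the platform involved), and the inventory, store names, and account id are constructed.

```python
# Added example: flags S3-style stores that anonymous callers can reach.
PUBLIC_GROUPS = {  # ACL grantee URIs AWS defines for "everyone" groups
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard(principal):
    """True when a policy Principal matches any caller."""
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"

def public_findings(store):
    """Return the reasons one store is readable without credentials."""
    findings = []
    block = store.get("public_access_block", {})
    for stmt in _as_list(store.get("policy", {}).get("Statement", [])):
        # RestrictPublicBuckets cuts off anonymous use of a public policy.
        if (stmt.get("Effect") == "Allow" and _is_wildcard(stmt.get("Principal"))
                and not block.get("RestrictPublicBuckets")):
            note = " (conditional, review)" if stmt.get("Condition") else ""
            findings.append(f"policy allows anyone: {stmt.get('Action')}{note}")
    for grant in store.get("acl", []):
        # IgnorePublicAcls makes S3 disregard grants to the public groups.
        if grant.get("uri") in PUBLIC_GROUPS and not block.get("IgnorePublicAcls"):
            findings.append(f"ACL grants {grant['permission']} to a public group")
    return findings

def audit(inventory):
    """Map store name -> findings for every store with at least one."""
    results = {s["name"]: public_findings(s) for s in inventory}
    return {name: found for name, found in results.items() if found}

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
INVENTORY = [  # constructed sample; names and account id are made up
    {"name": "guest-id-scans", "policy": {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]}},
    {"name": "marketing-assets",
     "acl": [{"uri": ALL_USERS, "permission": "READ"}],
     "public_access_block": {"IgnorePublicAcls": True, "RestrictPublicBuckets": True}},
    {"name": "checkin-selfies", "acl": [{"uri": ALL_USERS, "permission": "READ"}],
     "policy": {"Statement": {"Effect": "Allow", "Action": "s3:GetObject",
                "Principal": {"AWS": "arn:aws:iam::111122223333:role/checkin-api"}}}},
]

if __name__ == "__main__":
    for name, found in audit(INVENTORY).items():
        print(name, found)
```

The third store shows why policy review alone is not enough: its policy is scoped to a single role, yet a leftover ACL grant still makes it public.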
Sources: Hotel Check-In Security Breach: Over 1 Million Passports Exposed (2026)