Japanese hotel check-in platform Tabiq, operated by tech startup Reqrea, left more than one million customer passports, driver's licenses, and selfie verification photos publicly accessible on the open internet. The exposure was discovered by security researcher Anurag Sen and disclosed through TechCrunch, which alerted both Reqrea and Japan's national cybersecurity coordination team, JPCERT. The data has since been pulled offline, but the company cannot yet confirm whether unauthorized parties accessed it.
What Happened
Sen identified an Amazon S3 storage bucket named "tabiq" that had been configured for public access, meaning anyone who knew or guessed the bucket name could browse and download its contents without authentication. The bucket served as the backend storage for Reqrea's Tabiq product, a hotel check-in system that uses facial recognition and document scanning to verify guest identities at properties across Japan. After TechCrunch and JPCERT notified the company, Reqrea secured the bucket and began an internal investigation. Reqrea director Masataka Hashimoto stated the company does not yet know how the bucket came to be public and is reviewing access logs to determine whether the data was accessed by anyone other than the researcher.
What Was Taken
The exposed dataset contained more than one million records dating back to early 2020 and included high-value identity documents: scanned passports, driver's licenses, and live selfie photos used for biometric verification against those documents. Because Tabiq services hotels frequented by international travelers, the affected individuals span multiple nationalities, widening the potential blast radius well beyond Japanese residents. A government ID paired with a matching selfie is among the most damaging breach payloads possible: it supplies the two inputs that remote KYC and identity-proofing flows ask a genuine applicant for, so an attacker holding both can impersonate the victim at any service whose checks stop at comparing the two images.
Why It Matters
Identity document leaks are uniquely persistent: unlike passwords, victims cannot rotate a passport or a face. A leaked passport scan paired with a selfie of the same person defeats selfie-to-document matching and any passive "liveness" or "document authenticity" check that only inspects the submitted images; only active liveness challenges (a randomized head turn or spoken phrase captured live) still stand between the attacker and the fintech, crypto-exchange, age-verification, and travel platforms that rely on such checks. As regulators worldwide push for stronger KYC and age-gating, services that collect identity documents are becoming high-value targets, while the operational maturity to safeguard that data has not kept pace. The Tabiq incident is the latest in a steady stream of similar exposures and signals that third-party identity-capture vendors deserve the same scrutiny that financial processors receive.
The Attack Technique
There was no attack in the traditional sense. The exposure stemmed from an Amazon S3 bucket whose access controls allowed public reads. Since April 2023 AWS has enabled S3 Block Public Access and disabled ACLs on every newly created bucket, and the console shows an explicit warning when an administrator turns those protections off, so a bucket can only become public through a deliberate policy or ACL change; buckets created before that change, however, were not retroactively protected, and a bucket holding records from early 2020 may predate it. No exploitation of a vulnerability, no credential theft, and no malware was required: the bucket name alone was sufficient to list and download its contents. Misconfigured object storage remains one of the most common root causes of large-scale data exposure incidents, repeatedly outpacing sophisticated intrusion techniques in total records leaked.
What Organizations Should Do
- Enable all four AWS S3 Block Public Access settings (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets) at the account level, not just per-bucket, so that no bucket can be inadvertently exposed and a public policy or ACL on an existing bucket is rendered inert.
- Run continuous configuration drift detection (AWS Config, CSPM tooling, or open-source scanners like Prowler) against all cloud storage to flag public buckets, permissive ACLs, and missing encryption.
- Apply data minimization to identity verification pipelines: delete or tokenize passport scans and selfies as soon as verification completes rather than retaining them indefinitely.
- Require server-side encryption with customer-managed KMS keys for any bucket holding identity documents. Reading an SSE-KMS object needs kms:Decrypt, which an anonymous request can never obtain, so a public bucket policy alone is insufficient to read content; this only holds if the key policy does not itself grant a wildcard principal, so review key policies alongside bucket policies.
- Enable S3 server access logging and CloudTrail data events for the bucket, and route alerts for anomalous read volumes or unauthenticated access patterns to a monitored channel. Logging must already be on before an incident: without it, the question Reqrea now faces, whether anyone other than the researcher read the data, has no answer.
- Conduct third-party assessments of identity-capture vendors before integrating them into customer onboarding flows, and contractually require breach notification SLAs.
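The checks behind the first, second, and fourth recommendations above can be expressed as a small offline evaluator. The script below is an added illustration, not Reqrea's tooling and not code from the source article; the two bucket configurations it evaluates are constructed samples and do not describe Tabiq's actual settings. It applies the same logic that AWS Config's public-read rules and CSPM scanners such as Prowler apply to live accounts, in simplified form: it flags wildcard-principal policy statements and public ACL grants, works out whether the Block Public Access flags neutralize them, and separately reports whether an anonymous read would actually succeed given the bucket's encryption mode.

```python
"""Offline evaluator for the S3 public-exposure pattern discussed above.

Added example; bucket configurations below are constructed samples.
"""
from typing import Any, Optional

# The four flags of S3 Block Public Access; the safe state is all four true.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# ACL grantee groups meaning "anyone on the internet" / "any AWS account".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _statement_is_public(stmt: dict[str, Any]) -> bool:
    """Allow statement with a wildcard Principal and no Condition.

    Simplification: AWS's own public-policy test also evaluates Conditions
    (aws:SourceIp on a public range is still public); treating every
    Condition as restricting means this check can under-report.
    """
    if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
        return False
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else list(aws)
        return "*" in aws
    return False


def public_policy_statements(policy: Optional[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return the statements of a bucket policy that grant access to everyone."""
    if not policy:
        return []
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    return [s for s in stmts if _statement_is_public(s)]


def acl_is_public(grants: list[dict[str, Any]]) -> bool:
    """True if any ACL grant goes to the AllUsers or AuthenticatedUsers group."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES for g in grants)


def assess_bucket(name, policy, grants, public_access_block, sse_algorithm):
    """Combine policy, ACL, Block Public Access and encryption into one verdict."""
    pab = {f: bool(public_access_block.get(f, False)) for f in PAB_FLAGS}
    policy_public = bool(public_policy_statements(policy))
    acl_public = acl_is_public(grants)
    # RestrictPublicBuckets makes a public policy inert for anonymous callers;
    # IgnorePublicAcls makes public ACL grants inert.
    open_by_policy = policy_public and not pab["RestrictPublicBuckets"]
    open_by_acl = acl_public and not pab["IgnorePublicAcls"]
    exposed = open_by_policy or open_by_acl
    # SSE-KMS objects need kms:Decrypt, which an anonymous request never has,
    # so an open bucket policy alone does not make KMS-encrypted objects readable.
    # Assumption: the KMS key policy does not itself grant a wildcard principal.
    anonymous_read = exposed and sse_algorithm != "aws:kms"

    findings = []
    if not all(pab.values()):
        findings.append("block-public-access-incomplete")
    if policy_public:
        findings.append("policy-grants-public")
    if acl_public:
        findings.append("acl-grants-public")
    if sse_algorithm != "aws:kms":
        findings.append("no-sse-kms")
    return {"bucket": name, "exposed_config": exposed,
            "anonymous_read": anonymous_read, "findings": findings}


# Constructed sample 1, the weak shape: public-read policy, no Block Public
# Access flags, SSE-S3 only. Hypothetical bucket name, not Tabiq's settings.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-checkin",
                                "arn:aws:s3:::example-checkin/*"]}],
}
WEAK = assess_bucket("example-checkin", WEAK_POLICY, [], {}, "AES256")

# Constructed sample 2, the corrected shape: all four flags on, no bucket
# policy, owner-only ACL, SSE-KMS with a customer-managed key.
OWNER_ONLY_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                   "Permission": "FULL_CONTROL"}]
HARDENED = assess_bucket("example-checkin", None, OWNER_ONLY_ACL,
                         {f: True for f in PAB_FLAGS}, "aws:kms")

if __name__ == "__main__":
    for report in (WEAK, HARDENED):
        print(report)
```

Against a live account the same inputs come from `aws s3api get-bucket-policy`, `get-bucket-acl`, `get-public-access-block` and `get-bucket-encryption`; `aws s3api get-bucket-policy-status` returns AWS's own `IsPublic` verdict and is the authoritative check the simplified statement test above approximates. The account-wide fix from the first recommendation is one call: `aws s3control put-public-access-block --account-id <account> --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true`.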
Source: SC Media brief, "Hotel check-in system exposed over 1 million customer passports".