Misconfigured Cloud Storage Exposes Over 1 Million IDs from Tabiq Hotel System
Severity: High (Score: 64.5)
Sources: TechCrunch, Security Affairs
Keywords: hotel, check-in, system, million, passports, bucket, data
Severity indicators: pla, ot
Summary
A misconfigured Amazon cloud storage bucket exposed over one million passports, driver's licenses, and selfies from the Tabiq hotel check-in system, maintained by Reqrea, a Japanese startup. The data was publicly accessible due to the bucket being set to open access, allowing anyone to view the sensitive documents without authentication. Independent researcher Anurag Sen discovered the leak and alerted TechCrunch, which subsequently notified Reqrea and Japan's cybersecurity team, JPCERT. The exposed data included identity documents dating back to early 2020. Reqrea has since secured the bucket and is investigating the incident to assess the scope of exposure and determine if unauthorized access occurred. The company plans to notify affected individuals once the investigation is complete. This incident highlights ongoing issues with basic cybersecurity practices leading to significant data exposure.

Key Points:
- Over 1 million sensitive documents were exposed due to a misconfigured cloud storage bucket.
- The data leak was discovered by an independent researcher and reported to TechCrunch.
- Reqrea has secured the exposed data and is conducting an investigation into the incident.
Detailed Analysis
**Impact** Over 1 million identity documents, including passports, driver’s licenses, and selfie verification photos, were exposed globally through the Tabiq hotel check-in system used by multiple hotels in Japan. The data exposure affects hotel guests from various countries, potentially increasing risks of identity fraud and misuse of biometric data. The incident impacts the hospitality sector and customers relying on digital identity verification processes. The exposure period spans from early 2020 to May 2026.

**Technical Details** The data leak resulted from a misconfigured Amazon cloud storage bucket named “tabiq” that was publicly accessible without authentication. No malware or CVEs were involved; the incident stems from a cloud storage misconfiguration, a failure in access control. The exposed bucket contained files dating back several years and was indexed by GrayHatWarfare, a public cloud storage search engine. The kill chain stage corresponds to data exposure due to misconfiguration rather than an active intrusion.

**Recommended Response** Immediately verify and restrict access permissions on all cloud storage buckets to ensure they are private by default. Implement continuous monitoring and alerting for public exposure of sensitive storage resources, leveraging tools like GrayHatWarfare for external visibility. Conduct thorough access log reviews to detect unauthorized data access. Notify affected individuals promptly and review internal processes to prevent future misconfigurations.
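One way to carry out the "verify and restrict access permissions" step for your own buckets, as an added example that is not taken from the source articles or from Reqrea. It assumes input in the shapes returned by the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock calls; the function name and all sample values are constructed and do not describe the configuration of the bucket in this incident.

```python
import json

# Group URIs S3 uses in ACL grants for "everyone" and "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_bucket(acl, policy_json, pab):
    """Return (is_public, reasons, missing_pab_switches) for one bucket.
    pab is the Public Access Block dict, or {} when none is configured."""
    reasons = []
    # 1. ACL grants to the global groups count unless IgnorePublicAcls is on.
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUPS and not pab.get("IgnorePublicAcls"):
            reasons.append("ACL grants %s to %s"
                           % (grant["Permission"], uri.rsplit("/", 1)[-1]))
    # 2. Allow statements for Principal "*" count unless RestrictPublicBuckets
    #    is on. Simplification (assumption): a statement with any Condition
    #    is treated as narrowed and left for manual review.
    policy = json.loads(policy_json) if policy_json else {}
    for stmt in as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = "*" if "*" in as_list(principal.get("AWS", [])) else None
        if (stmt.get("Effect") == "Allow" and principal == "*"
                and not stmt.get("Condition")
                and not pab.get("RestrictPublicBuckets")):
            reasons.append("policy allows %s to everyone"
                           % ", ".join(as_list(stmt.get("Action", []))))
    # 3. Any Public Access Block switch left off is reported as a latent gap.
    missing = [k for k in PAB_KEYS if not pab.get(k)]
    return bool(reasons), reasons, missing

# Constructed sample inputs for a hypothetical bucket "example-bucket".
EXPOSED_ACL = {"Grants": [{"Permission": "READ", "Grantee": {
    "Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]})
LOCKED_PAB = dict.fromkeys(PAB_KEYS, True)

if __name__ == "__main__":
    print(audit_bucket(EXPOSED_ACL, EXPOSED_POLICY, {}))
    print(audit_bucket(EXPOSED_ACL, EXPOSED_POLICY, LOCKED_PAB))
```

With all four Public Access Block switches enabled, the same public ACL and policy no longer make the bucket readable, which is why the third return value is worth alerting on even when the first is false.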
Source articles (2)
- Public Amazon bucket leaks sensitive guest data from Japanese hotel platform Tabiq — Security Affairs · 2026-05-18
  A hotel check-in system exposed over 1 million passports, IDs, and selfies online due to a misconfigured cloud storage bucket. A security lapse in the Reqrea’s Tabiq hotel check-in system exposed over…
- A hotel check-in system left a million passports and driver’s licenses open for anyone to see — TechCrunch · 2026-05-15
  A hotel check-in system left more than one million customer passports, driver’s licenses, and selfie verification photos to the open web after a security lapse. The data is now offline after TechCrunc…
Timeline
- 2026-05-15 — TechCrunch reports data exposure: TechCrunch published an article detailing the exposure of over 1 million sensitive documents from Tabiq due to a misconfigured cloud storage bucket.
- 2026-05-15 — Reqrea secures the storage bucket: After being notified by TechCrunch, Reqrea secured the misconfigured Amazon storage bucket to prevent further access to the exposed data.
- 2026-05-18 — Security Affairs reports on the incident: Security Affairs published an article summarizing the exposure and its implications for cybersecurity practices.
Related entities
- Data Breach (Attack Type)
- Duc App (Company)
- Hertz (Company)
- Reqrea (Company)
- Tabiq (Company)
- Japan (Country)
- CWE-200 - Exposure of Sensitive Information (CWE)