Tabiq hotel – A Japan-based hotel check-in system called Tabiq left more than a million passports, driver’s licenses, and selfie verification photos accessible on the open web after a cloud storage misconfiguration. The data was taken offline after notification from a secur
Someone simply had to know a cloud storage bucket name.
A hotel check-in system used in Japan. Tabiq. accidentally exposed more than 1 million customer passports. driver’s licenses. and selfie verification photos to the open web. allowing anyone to view the files without a password.. The problem lasted until the company behind the system locked down the bucket after it was alerted by independent research and follow-up coordination involving Japan’s cybersecurity team.
The system is maintained by Reqrea, a Japan-based tech startup. Tabiq uses facial recognition and document scanning to check guests in, and it is deployed across several hotels in Japan.
Independent security researcher Anurag Sen reached out after discovering the leak earlier this week.. Sen said the exposure happened because Reqrea had set one of its Amazon cloud-hosted storage buckets used by Tabiq to be publicly accessible.. With the bucket set this way. the contents could be viewed by anyone using a web browser after learning the bucket name: “tabiq.”
Sen contacted TechCrunch as part of an effort to get the company to act. Reqrea moved quickly once it was notified, locking down the storage bucket after TechCrunch reached out to both Reqrea and Japan’s cybersecurity coordination team, JPCERT.
In an email acknowledging the exposure, Reqrea director Masataka Hashimoto said the company is working to assess the damage: “We are conducting a thorough review with the support of external legal counsel and other advisors to determine the full scope of exposure.”
Reqrea said it doesn’t know how the bucket became public. By default, Amazon’s cloud storage buckets are private, and after prior incidents in which customers’ buckets were exposed, Amazon added warning prompts intended to make public exposure harder to do accidentally.
Even with the bucket now taken offline, the company is still working to determine what happened before the fix.. Hashimoto told TechCrunch it plans to notify affected individuals after it completes its investigation.. The company is also reviewing its logs to check whether any authorized access occurred before the bucket was secured.
It remains unclear whether anyone accessed the data beyond Sen before the bucket was locked down. Hashimoto said the review will also clarify whether there was any prior authorized access.
One detail that shows how quickly such exposure can be discovered: GrayHatWarfare. a searchable database that indexes publicly visible cloud storage. captured information about the bucket.. Its listing shows files dating back to early 2020. continuing up to as recently as this month. and included identity documents from visitors around the world.
The Tabiq incident lands in a wider pattern of sensitive document exposure—often not the result of sophisticated hacking. but failures to follow basic security practices such as proper access control and safe cloud configuration.. Sen’s discovery also arrives as governments expand age verification requirements and as more private businesses lean on “know your customer” checks. which frequently involve uploading government-issued identity documents to third parties.
Those identity checks can raise the stakes when data is exposed. Misused documents can translate into identity fraud risk and threats to how someone’s likeness is used, particularly as age-verification rules roll out across more countries.
Reqrea’s lapse also follows several other recent document-related incidents reported by TechCrunch.. Earlier this year. TechCrunch reported that customers of money transfer service Duc App had uploaded driver’s licenses. passports. and other identity documents that were exposed.. Last year. a breach at car rental service Hertz led to hackers obtaining driver’s license information belonging to at least 100. 000 customers.
For now, the immediate consequence is clear: hotel guests’ passports, licenses, and selfie verification photos were exposed to anyone who could find the bucket name—until the company secured it. Reqrea’s next task is determining who was affected and whether any access occurred before the fix.
Tabiq Reqrea hotel check-in system passport exposure driver’s license leak Amazon S3 bucket cloud misconfiguration facial recognition document scanning JPCERT cybersecurity incident identity verification know your customer