Fake 'UK Visa Portal' third-party (Active Leadgen LLC) exposed 100,000 passports and selfies on public AWS S3
TechCrunch has flagged a public AWS S3 bucket operated by a UAE-registered third-party site, UK Visa Portal (Active Leadgen LLC), that exposed at least 100,000 passport scans and selfies belonging to people who paid extra to apply for UK electronic travel authorizations. The site is not the official GOV.UK service; users could complete the same application directly on GOV.UK in minutes for free. The third party reportedly responded with legal threats instead of remediation. The dataset is now in the wild and creates substantial identity-document compromise risk - passport scans plus selfies enable KYC bypass against banks, exchanges, and government services.
- Check
- Brief staff that 'UK Visa Portal' and similar third-party visa-help sites are not GOV.UK and may leak documents. Anyone who uploaded a passport to ukvisaportal.com should treat it as compromised.
- Affected
- 100,000+ individuals (and counting) who used Active Leadgen LLC's UK Visa Portal site. Passport scans plus selfies enable KYC bypass against banks, exchanges, and government services.
- Fix
- Affected individuals: report passport as potentially compromised; consider replacement. Banks/exchanges: tighten document-plus-liveness verification against AI-generated impersonations using leaked identity documents.