TechCrunch has flagged a public AWS S3 bucket operated by a UAE-registered third-party site, UK Visa Portal (Active Leadgen LLC), that exposed at least 100,000 passport scans and selfies belonging to people who paid extra to apply for UK electronic travel authorizations. The site is not the official GOV.UK service; users could complete the same application directly on GOV.UK in minutes for free. The third party reportedly responded with legal threats instead of remediation. The dataset is now in the wild and creates substantial identity-document compromise risk - passport scans plus selfies enable KYC bypass against banks, exchanges, and government services.
Security researcher @weezerOSINT disclosed on April 20 that Lovable, the Swedish AI code-generation platform that just raised a $330M Series B at a $6.6B valuation, had a Broken Object Level Authorization flaw letting any free account read another user's project source code, hardcoded database credentials, AI chat transcripts, and customer data - using only five API calls. The /projects/{id}/* endpoints verified Firebase authentication but skipped any ownership check. On April 23 Lovable published a formal incident report admitting the exposure window ran February 3 to April 20, a full 76 days, caused by a backend regression that silently undid a fix shipped in 2025. Every Lovable project created before November 2025 was readable. The researcher demonstrated the impact by pulling source code from Connected Women in AI, a Danish nonprofit with over 3,700 edits in 2026 alone, extracting hardcoded Supabase credentials from that code, then querying the live database to retrieve real names, LinkedIn profiles, and Stripe customer IDs belonging to Accenture Denmark and Copenhagen Business School staff. Lovable's initial public response was to deny a breach occurred and blame its documentation and HackerOne triage partner before eventually apologizing.