Public Amazon S3 bucket leaks 1M+ passports, IDs, and selfies from Japanese hotel check-in platform Tabiq
An Amazon S3 bucket simply named 'tabiq' was left open to anyone who knew the name, exposing over a million passports, driver's licenses, and identity-verification selfies submitted by hotel guests worldwide. The platform, run by Japanese operator Reqrea, handles digital check-in. Researcher Anurag Sen found the bucket and notified TechCrunch and JPCERT; the bucket has since been locked down. Reqrea says the exposed files date from early 2020 through May 2026 and that it does not yet know how the bucket became public. The company is still reviewing access logs to determine whether anyone else accessed the data.
- Check
- Inventory your S3 buckets for public ACLs or 'AllUsers' policies. If your employees used Tabiq or Reqrea-operated check-in for corporate travel, identify travelers since 2020.
- Affected
- Hotel guests who checked in through the Reqrea Tabiq platform between early 2020 and May 2026. Exposed data includes passports, driver's licenses, and biometric selfies.
- Fix
- Enable S3 Block Public Access at the account level. For affected travelers, monitor identity-document fraud alerts and consider passport reissuance for high-risk staff. Watch for phishing referencing real travel history.