Reqrea, the Japan-based startup behind hotel check-in system Tabiq, left more than 1 million customer passports, driver’s licenses, and selfie verification photos exposed on the open web. No password required: knowing the bucket name, “tabiq,” was enough to view the contents in a browser.

Independent security researcher Anurag Sen discovered the misconfiguration and contacted TechCrunch, which then alerted both Reqrea and Japan’s cybersecurity coordination team, JPCERT. Reqrea locked down the Amazon S3 storage bucket after being notified.

The company’s position is uncomfortable. Amazon added explicit warning prompts to prevent exactly this kind of accidental public exposure after a wave of similar incidents years ago. Reqrea director Masataka Hashimoto told TechCrunch the company doesn’t know how the bucket became public, and it’s still reviewing access logs to determine if anyone other than Sen accessed the data before it was secured. GrayHatWarfare, a database that indexes publicly visible cloud storage, had already captured the bucket listing.

Hashimoto confirmed the company is working with external legal counsel and plans to notify affected guests once the investigation is complete. The exposed files include identity documents belonging to visitors from countries around the world, dating from early 2020 through this month.

This breach follows similar exposures at money transfer service Duc App and car rental company Hertz, which saw driver’s license data for at least 100,000 customers taken in a hack last year. No notification timeline has been published.

— James Okafor