Public Amazon bucket leaks sensitive guest data from Japanese hotel platform Tabiq
Public Amazon bucket leaks sensitive guest data from Japanese hotel platform Tabiq
Publish Date: 2026-05-18 09:02:16
Source Domain: securityaffairs.com
Summary:
A significant data breach affected the Tabiq hotel check-in system operated by Reqrea, exposing over one million passports, driver’s licenses, and selfie verification photos due to a misconfigured Amazon cloud storage bucket. Cybersecurity researcher Anurag Sen discovered the leak and alerted the relevant parties, leading to the bucket’s immediate lockdown. The exposed information included personal identity documents collected between early 2020 and the present, from hotel guests worldwide. Reqrea is now investigating how the bucket became publicly accessible, despite Amazon S3 buckets generally being private by default. The company is collaborating with external legal counsel to assess the extent of the breach and plans to notify affected users once the investigation is complete. Additionally, Reqrea is reviewing its logs to determine if any unauthorized access occurred before the leak was identified and stopped.
Key Points:
- A misconfigured Amazon S3 bucket exposed over 1 million personal identity documents from the Tabiq hotel check-in system.
- Cybersecurity researcher Anurag Sen discovered the leak and brought it to the attention of TechCrunch, leading to corrective action.
- The exposed data included passports, driver’s licenses, and selfie verifications of guests from multiple countries.
- Reqrea is investigating how the bucket got publicly accessible and plans to notify affected users.
- The company is reviewing its logs to detect any prior unauthorized access to the exposed data.
