1 Million Passport Scans Sat in a Public Cloud Bucket. Browser-Based Processing Avoids This Failure Mode.
On May 15, 2026, TechCrunch reported that Japanese hotel check-in vendor Tabiq exposed more than 1 million passport scans, driver's licenses, and selfie verification photos via a publicly accessible Amazon S3 bucket. The lesson for file tools is structural.
VaultTools · May 23, 2026
Table of Contents
- What happened
- How the bucket leaked
- Why cloud file services keep failing this way
- The structural alternative
- What to take from this
- Sources
What Happened
On May 15, 2026, TechCrunch reported that Tabiq, a hotel check-in system used by hotels across Japan, had left more than 1 million customer documents exposed on the open internet. The exposed files included passport scans, driver’s licenses, and selfie verification photos. The records spanned from early 2020 through May 2026.
Tabiq is operated by the Japanese tech startup Reqrea. Its product asks hotel guests to upload identity documents at check-in and uses facial recognition to match them against a selfie. The data was stored in an Amazon S3 bucket named “tabiq” that had been configured for public access, viewable by anyone who knew the bucket name. The bucket was also indexed by GrayHatWarfare, a public search engine for exposed cloud storage.
Independent security researcher Anurag Sen discovered the exposure and reported it. Reqrea locked down the bucket after TechCrunch contacted the company and Japan’s cybersecurity coordination team JPCERT. Director Masataka Hashimoto said the company is “conducting a thorough review with the support of external legal counsel” and plans to notify affected individuals. Reqrea added that it does not yet know how the bucket became public.
How the Bucket Leaked
The mechanism is the most common cause of cloud data exposure: a storage container with no authentication requirement, sitting on a guessable name. There was no zero-day. There was no attacker tool chain. A web browser pointed at the right URL was sufficient. Independent indexers like GrayHatWarfare scan for this pattern continuously, which means once a bucket is misconfigured, the time between “discoverable” and “discovered” collapses to near zero.
Reqrea has not published a timeline for when the bucket was first opened to the public, and the company stated it is still reviewing logs to determine whether anyone besides the researcher accessed the data.
Why Cloud File Services Keep Failing This Way
Every cloud file service inherits the same threat model. A document is collected from the user, transmitted to a server, written to storage, and held for some duration. Each step depends on configuration that humans set and maintain. The Tabiq incident is the latest entry in a long pattern: in 2026 alone, public reporting has documented misconfigured object storage exposing French identity portals, hotel platforms, and healthcare records.
The Privacy Guides weekly breach roundup for May 15 to 21 listed Tabiq alongside a separate exposure of 1.8 million medical records and biometric data at NYC Health + Hospitals. The common element is not the attacker. It is the architecture. When a service holds your file, your privacy depends on that service’s worst configuration day.
The Structural Alternative
A browser-based file tool processes the document inside the browser tab. The bytes never reach a server. There is no bucket to misconfigure, no retention policy to audit, no terms of service to interpret, and no indexer that can find the file later. Modern WebAssembly runtimes execute Rust, C, and C++ code at near-native speed, which is enough to handle PDF merging, image compression, EXIF stripping, metadata edits, and document conversion entirely on device.
This is what privacy researchers have started calling structural privacy. It is not a promise written in a policy. It is a property of the architecture. A server that does not receive a file cannot expose it.
What to Take From This
If your workflow involves uploading a passport, a contract, a medical scan, a tax form, or any document you would not want indexed by a public scanner, the relevant question is not “does this vendor have good security.” The relevant question is “does this vendor need to receive my file at all.” For routine operations like compression, conversion, metadata removal, and format change, the answer is increasingly no.
The Tabiq leak will be patched, the affected users will be notified, and the news cycle will move on. The architecture that produced it will not change. Choosing tools that do not collect the file in the first place is the only durable response.
Sources
- A hotel check-in system left a million passports and driver’s licenses open for anyone to see (TechCrunch, May 15, 2026)
- Public Amazon bucket leaks sensitive guest data from Japanese hotel platform Tabiq (Security Affairs)
- Data Breach Roundup (May 15 to 21, 2026) (Privacy Guides)
- Reqrea: Millions of hotel guests’ IDs left open online (Rankiteo)
- A hotel check-in system left a million passports and driver’s licenses open (MalwareTips forum repost)