Tools / News / A Fake UK Visa Site Left 100,000 Uploaded Passports and Selfies Exposed Online
Press

A Fake UK Visa Site Left 100,000 Uploaded Passports and Selfies Exposed Online

· VaultTools

On May 27, 2026, TechCrunch reported that UK Visa Portal, a site not affiliated with the UK government, left at least 100,000 uploaded passports and identity selfies open in a misconfigured Amazon S3 bucket, with EXIF GPS in selfies exposing applicants' home addresses. Browser-based tools skip the upload entirely.

VaultTools · May 31, 2026

A person holding passports, illustrating the kind of identity document applicants uploaded to UK Visa Portal. Photo by Spencer Davis on Unsplash

Table of Contents


What Happened

On May 27, 2026, TechCrunch reported that a website called UK Visa Portal had left at least 100,000 documents publicly accessible online. The files were passports and identity selfies that applicants had uploaded as part of a visa application. The site is not affiliated with the UK government. It allegedly operates under Active Leadgen LLC, reportedly based in the UAE, and uses the aliases “UK Visit” and “ETA-Pass.” Some applicants said they paid this company by mistake, believing they were using the official GOV.UK service.

An anonymous tipster reported the exposure to TechCrunch. The data was finally secured overnight into Wednesday, hours after the first story was published, after the issue had sat unaddressed for days.

How the Files Were Exposed

The documents sat in an Amazon-hosted storage container (an Amazon S3 bucket). The bucket itself did not list its contents to the public, but a bug on the site’s back end allowed an outside person to enumerate the full list of stored files. Once the file names were visible, any individual passport or selfie could be opened by anyone who had the address. There was no sophisticated intrusion. A browser pointed at the right back end was enough to reveal the catalog.

This is the same failure mode that exposed more than a million passport scans at the Japanese hotel vendor Tabiq weeks earlier. The pattern is consistent: collect a sensitive file, write it to cloud storage, and hope every configuration stays correct forever.

The Hidden Risk Inside a Selfie

The leak was worse than a stack of ID scans. Many of the uploaded selfies still carried their original EXIF metadata, including precise GPS coordinates recording where each photo was taken. In some cases that location data was accurate enough to point to the photographer’s home address. A single selfie, uploaded for identity verification, became a map to the person who took it. Most people never realize their photos carry their location at all.

A Disclosure Met With Lawyers

Instead of fixing the leak when contacted, the operators responded through attorneys at the law firm BakerHostetler and a crisis communications firm, FTI Consulting. The lawyers declined to provide evidence of authorization, and the listed manager did not respond to questions. The bucket was secured only after the story went public, not because the disclosure was welcomed.

Why This Matters

This is the core problem with uploading sensitive files to a website you do not control. Once a passport scan or a selfie leaves your device, its safety depends entirely on a stranger’s server configuration, and a single misconfigured bucket exposes everyone at once. The EXIF detail is the sharper lesson, because location data travels silently inside ordinary photos.

Tools that process files locally remove the upload step entirely. With VaultTools, a passport scan, an image, or a PDF is handled inside your browser, and the bytes never travel to a server. Stripping EXIF metadata, including GPS coordinates, happens on your own device. There is no bucket to misconfigure, no retention policy to audit, and no third party to trust. A server that never receives a file cannot leak it.


Sources