A Fake UK Visa Site Left 100,000 Uploaded Passports and Selfies Exposed Online
On May 27, 2026, TechCrunch reported that UK Visa Portal, a site not affiliated with the UK government, left at least 100,000 uploaded passports and identity selfies open in a misconfigured Amazon S3 bucket, with EXIF GPS in selfies exposing applicants' home addresses. Browser-based tools skip the upload entirely.
VaultTools · May 31, 2026
Photo by Spencer Davis on Unsplash
Table of Contents
- What happened
- How the files were exposed
- The hidden risk inside a selfie
- A disclosure met with lawyers
- Why this matters
- Sources
What Happened
On May 27, 2026, TechCrunch reported that a website called UK Visa Portal had left at least 100,000 documents publicly accessible online. The files were passports and identity selfies that applicants had uploaded as part of a visa application. The site is not affiliated with the UK government. It allegedly operates under Active Leadgen LLC, reportedly based in the UAE, and uses the aliases “UK Visit” and “ETA-Pass.” Some applicants said they paid this company by mistake, believing they were using the official GOV.UK service.
An anonymous tipster reported the exposure to TechCrunch. The data was finally secured overnight into Wednesday, hours after the first story was published, after the issue had sat unaddressed for days.
How the Files Were Exposed
The documents sat in an Amazon-hosted storage container (an Amazon S3 bucket). The bucket itself did not list its contents to the public, but a bug on the site’s back end allowed an outside person to enumerate the full list of stored files. Once the file names were visible, any individual passport or selfie could be opened by anyone who had the address. There was no sophisticated intrusion. A browser pointed at the right back end was enough to reveal the catalog.
This is the same failure mode that exposed more than a million passport scans at the Japanese hotel vendor Tabiq weeks earlier. The pattern is consistent: collect a sensitive file, write it to cloud storage, and hope every configuration stays correct forever.
The Hidden Risk Inside a Selfie
The leak was worse than a stack of ID scans. Many of the uploaded selfies still carried their original EXIF metadata, including precise GPS coordinates recording where each photo was taken. In some cases that location data was accurate enough to point to the photographer’s home address. A single selfie, uploaded for identity verification, became a map to the person who took it. Most people never realize their photos carry their location at all.
A Disclosure Met With Lawyers
Instead of fixing the leak when contacted, the operators responded through attorneys at the law firm BakerHostetler and a crisis communications firm, FTI Consulting. The lawyers declined to provide evidence of authorization, and the listed manager did not respond to questions. The bucket was secured only after the story went public, not because the disclosure was welcomed.
Why This Matters
This is the core problem with uploading sensitive files to a website you do not control. Once a passport scan or a selfie leaves your device, its safety depends entirely on a stranger’s server configuration, and a single misconfigured bucket exposes everyone at once. The EXIF detail is the sharper lesson, because location data travels silently inside ordinary photos.
Tools that process files locally remove the upload step entirely. With VaultTools, a passport scan, an image, or a PDF is handled inside your browser, and the bytes never travel to a server. Stripping EXIF metadata, including GPS coordinates, happens on your own device. There is no bucket to misconfigure, no retention policy to audit, and no third party to trust. A server that never receives a file cannot leak it.
Sources
- UK Visa Portal spilled thousands of applicants’ passports and selfies online, and hasn’t fixed the leak (TechCrunch, May 27, 2026)
- Third-party UK visa service leaked passports and selfies of 100,000 applicants (Cybernews)
- UK Visa Portal website leaks thousands of user passport data and photos online (TechRadar)
- Security lapse exposes 100,000 UK visa applicants’ passports and selfies (VisaHQ)
- Data Breach Roundup, May 22 to 28, 2026 (Privacy Guides)