Over One Million Hotel Guest ID Photos Left Publicly Accessible in Cloud Storage

More than one million customer passports, driver’s licenses, and selfie verification photos from a hotel check-in system called Tabiq were left publicly accessible on the open web. The Japan-based tech startup Reqrea, which maintains Tabiq, had set one of its Amazon cloud-hosted storage buckets to be publicly accessible.

The exposure occurred because the bucket named “tabiq” allowed anyone using a web browser to view the data without needing a password by knowing only the bucket name.

Independent security researcher Anurag Sen discovered that the Tabiq system was leaking sensitive documents of hotel guests from around the world. Sen contacted TechCrunch earlier this week. TechCrunch alerted the company responsible for the exposure and also reached out to Japan’s cybersecurity coordination team, JPCERT.

Reqrea locked down the storage bucket after those notifications. The data exposure has been taken offline. Details of the exposed bucket were captured by GrayHatWarfare, a searchable database that indexes publicly visible cloud storage.

The bucket listing contains files dating back to early 2020 up to as recently as May 2026. Tabiq is used in several hotels across Japan. According to its website, the system relies on facial recognition and document scanning to check guests in.

Reqrea said it does not know how the storage bucket became public. Amazon’s cloud storage buckets are private by default. Hashimoto told TechCrunch that the company plans to notify affected individuals once it has completed its investigation.

Hashimoto said the company is reviewing its logs to determine if there had been any unauthorized access prior to securing the bucket. It remains unclear whether anyone other than Sen accessed the exposed data before it was secured. TechCrunch reported that this latest lapse follows other incidents involving sensitive government-issued documents.

Earlier this year, TechCrunch reported on the exposure of driver’s licenses, passports, and other identity documents uploaded by customers of money transfer service Duc App. A data breach at car rental service Hertz last year saw hackers make off with driver’s license information belonging to at least 100,000 customers.

These incidents come at a time when governments are increasingly rolling out age verification laws and private businesses are using “know your customer” checks to verify a person’s identity.

Both rely on adults uploading sensitive documents, often to a third-party company, for verification. Data lapses can put people whose information was taken at greater risk of identity fraud or having their likeness misused as age verification requirements take hold around the world.