Hotel Check-In System Exposed 1 Million Passports, Driver's Licenses Worldwide

A hotel check-in system called Tabiq, maintained by Japan-based startup Reqrea, left more than 1 million customer passports, driver's licenses, and selfie verification photos exposed on the open web. Anyone with a web browser could access them.

Security researcher Anurag Sen discovered the breach and alerted TechCrunch. Reqrea had set one of its Amazon cloud-hosted storage buckets to public. The bucket stored all guest data and could be viewed without a password if someone knew its name: tabiq.

The system, used across several Japanese hotels, relies on facial recognition and document scanning for guest check-ins. Facial photos and ID copies were accessible to anyone.

Reqrea locked down the storage bucket after TechCrunch contacted the company and Japan's cybersecurity coordination team (JPCERT). The data had been exposed since early 2020—six years of potential unauthorized access.

Reqrea director Masataka Hashimoto told TechCrunch the company is "conducting a thorough review" to determine the full scope of the exposure. "It remains unclear whether anyone other than Sen accessed the exposed data," but the company is reviewing logs to check for unauthorized access.

Amazon's cloud storage buckets are private by default, and Amazon added warning prompts years ago to prevent this kind of slip-up. Reqrea exposed the bucket anyway—a failure of basic security procedures.

The exposed bucket was also indexed by GrayHatWarfare, a searchable database for publicly visible cloud storage, making it easy for bad actors to find. Hashimoto says Reqrea plans to notify affected individuals once its investigation concludes.

If you've checked into a Japanese hotel recently, monitor your identity closely.