PUBLIC Amazon bucket leaks sensitive guest data from Japanese hotel platform Tabiq describes a misconfigured Amazon S3 bucket that left Reqrea’s TabIq hotel check‑in system publicly accessible, exposing passports, driver’s licenses and selfie verification photos. The exposed data, from early 2020 through this month, could be viewed by anyone with a browser and knowledge of the bucket name “tabiq” without authentication.
A security researcher, Anurag Sen, alerted TechCrunch, prompting action, and the system was secured and the exposed bucket locked down after the notification to the company and Japan’s cybersecurity coordination team JPCERT. Reqrea said it is conducting a thorough review with external legal counsel to determine the full scope of exposure, and noted that Amazon S3 buckets are private by default with extra warnings to prevent accidental exposure.
According to TechCrunch, it remains unclear whether anyone besides the researcher accessed the data before it was secured, and Reqrea plans to notify affected users after the investigation.