Public Amazon bucket leaks sensitive guest data from Japanese hotel platform Tabiq

Pierluigi Paganini May 18, 2026

A hotel check-in system exposed over 1 million passports, IDs, and selfies online due to a misconfigured cloud storage bucket.

A security lapse in Reqrea’s Tabiq hotel check-in system exposed over 1 million passports, driver’s licenses, and selfie verification photos online. The issue came from a misconfigured Amazon cloud storage bucket that was left publicly accessible. As a result, anyone with a web browser and knowledge of the bucket name “tabiq” could view passports, IDs, and other customer data without authentication.

Cyber security researcher Anurag Sen alerted TechCrunch after finding that a hotel check-in system was exposing sensitive guest documents worldwide. Sen reported the issue to help prompt action. Following TechCrunch’s notification to the company and Japan’s cybersecurity coordination team JPCERT, the system was secured and the exposed bucket was locked down.

“We are conducting a thorough review with the support of external legal counsel and other advisors to determine the full scope of exposure,” Reqrea director Masataka Hashimoto told TechCrunch.

According to TechCrunch, the exposed bucket contained files from early 2020 through this month, including identity documents of hotel guests from multiple countries worldwide.

Reqrea said it does not know how the storage bucket was made public, noting that Amazon S3 buckets are private by default and now include extra warnings to prevent accidental exposure. The investigation is still ongoing and the company plans to notify affected users after completing it.

It is still unclear whether anyone besides researcher Anurag Sen accessed the data before it was secured. Reqrea is reviewing logs to check for any prior unauthorized access.
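A log review of this kind typically starts by isolating successful unauthenticated reads. The sketch below is an added example, not code from Reqrea or TechCrunch; it assumes S3 server access logging was enabled on the bucket, and the sample records (owner ID, IPs, request IDs, keys) are constructed.

```python
import re
from collections import Counter

# Leading fields of an S3 server access log record: space-delimited, with a
# bracketed timestamp and a double-quoted request line.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<request>[^"]*)" (?P<status>\S+) (?P<error>\S+)'
)
READ_OPS = {"REST.GET.OBJECT", "REST.GET.BUCKET"}  # object download, bucket listing

def anonymous_reads(lines, bucket):
    """Return parsed records of successful unauthenticated reads on `bucket`."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or truncated records
        r = m.groupdict()
        # Requester "-" means the request carried no authenticated identity.
        if (r["bucket"] == bucket and r["requester"] == "-"
                and r["operation"] in READ_OPS and r["status"] in ("200", "206")):
            hits.append(r)
    return hits

def summarize(hits):
    """Count anonymous reads per source IP as a starting point for triage."""
    return Counter(h["ip"] for h in hits)

# Constructed sample records; only the bucket name comes from the article.
SAMPLE = [
    'OWNERID tabiq [10/May/2026:03:12:44 +0000] 192.0.2.10 - REQ1 REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 4096 - 20 19 "-" "curl/8.0" -',
    'OWNERID tabiq [10/May/2026:03:12:51 +0000] 192.0.2.10 - REQ2 REST.GET.OBJECT guests/sample-id.jpg "GET /guests/sample-id.jpg HTTP/1.1" 200 - 81234 81234 35 30 "-" "curl/8.0" -',
    'OWNERID tabiq [10/May/2026:04:00:02 +0000] 198.51.100.7 arn:aws:iam::111122223333:user/app REQ3 REST.GET.OBJECT guests/sample-id.jpg "GET /guests/sample-id.jpg HTTP/1.1" 200 - 81234 81234 30 28 "-" "aws-sdk" -',
    'OWNERID tabiq [12/May/2026:09:30:10 +0000] 203.0.113.5 - REQ4 REST.GET.OBJECT guests/sample-id.jpg "GET /guests/sample-id.jpg HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "Mozilla/5.0" -',
]

if __name__ == "__main__":
    for ip, n in summarize(anonymous_reads(SAMPLE, "tabiq")).most_common():
        print(f"{ip}\t{n} anonymous reads")
```

Server access logging is off by default and delivered on a best-effort basis, so an empty result does not establish that nobody else read the bucket.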
