U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Public Amazon bucket leaks sensitive guest data from Japanese hotel platform Tabiq

A hotel check-in system exposed over 1 million passports, IDs, and selfies online due to a misconfigured cloud storage bucket. A security lapse in the Reqrea’s Tabiq hotel check-in system exposed over 1 million passports, driver’s licenses, and selfie verification photos online. The issue came from a misconfigured Amazon cloud storage bucket that was left […]

UK Visa Site data leak

A hotel check-in system exposed over 1 million passports, IDs, and selfies online due to a misconfigured cloud storage bucket.

A security lapse in the Reqrea’s Tabiq hotel check-in system exposed over 1 million passports, driver’s licenses, and selfie verification photos online. The issue came from a misconfigured Amazon cloud storage bucket that was left publicly accessible. As a result, anyone with a web browser and knowledge of the bucket name “tabiq” could view passports, IDs, and other customer data without authentication.

Cyber security researcher Anurag Sen alerted TechCrunch after finding that a hotel check-in system was exposing sensitive guest documents worldwide. Sen reported the issue to help prompt action. Following TechCrunch’s notification to the company and Japan’s cybersecurity coordination team JPCERT, the system was secured and the exposed bucket was locked down.

“We are conducting a thorough review with the support of external legal counsel and other advisors to determine the full scope of exposure.” Reqrea director Masataka Hashimoto told TechCrunch.

According to TechCrunch, the exposed bucket contained files from early 2020 through this month, including identity documents of hotel guests from multiple countries worldwide.

Reqrea said it does not know how the storage bucket was made public, noting that Amazon S3 buckets are private by default and now include extra warnings to prevent accidental exposure. The investigation is still ongoing and the company plans to notify affected users after completing it.

It is still unclear whether anyone besides researcher Anurag Sen accessed the data before it was secured. Reqrea is reviewing logs to check for any prior unauthorized access.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data leak)