Public cloud leak exposed millions of hotel guest passports in Japan

A routine hotel check-in in Japan turned into a mass exposure of identity documents, with more than one million passports, driver’s licenses and selfie verification photos left visible on the open web. The leak ran through Tabiq, a hotel check-in system maintained by Japan-based startup Reqrea and used in several hotels across Japan.

Independent security researcher Anurag Sen found the exposure after a cloud storage bucket tied to the system was left public. Anyone who knew the bucket name, “tabiq,” could open it in a browser without a password and view file listings that stretched back to early 2020 and continued through this month. The exposed material included check-in records and document images that travelers submit to prove who they are, the kind of data that can be used for identity theft long after a stay is over.

Reqrea locked down the storage bucket after the issue was raised to the company and Japan’s cybersecurity coordination center, JPCERT. Masataka Hashimoto, a Reqrea director, said the company is conducting a thorough review with external legal counsel and other advisors to determine the full scope of exposure. He said Reqrea does not know how the storage bucket became public and plans to notify affected individuals after its investigation.

The incident points to a basic cloud mistake rather than a sophisticated breach. Amazon’s cloud storage buckets are private by default, and Amazon has added warning prompts in recent years before customers make data public. That makes the exposure harder to explain and easier to trace to misconfiguration, not advanced intrusion. It also means the vulnerable files were sitting in plain sight because a permission setting was wrong.

It remains unclear whether anyone other than Sen viewed the data before it was secured. Details of the bucket were also captured by GrayHatWarfare, a searchable database that indexes publicly visible cloud storage, widening the chance that the files could have been found by others. For travelers who trusted a front desk and a digital check-in form, the consequence is stark: copies of highly sensitive identity documents were left exposed by a vendor responsible for handling them, and the cleanup now falls on the startup, its cloud setup and the hotels that relied on it.