Reqrea’s Tabiq system exposes one million passports and driver’s licenses in cloud misconfiguration

Over 1 million records, including selfie verification photos and identity documents from 2020 to May 2026, were left exposed on the open web before being secured following alerts from TechCrunch and JPCERT.

Author: Owen Mercer, Markets and Finance Editor
Source: TechCrunch
A hotel check-in system left a million passports and driver’s licenses open for anyone to see
Japan-based startup admits to security lapse after independent researcher discovers publicly accessible Amazon storage bucket

A security misconfiguration in the Tabiq hotel check-in system has left more than one million customer passports, driver’s licenses, and selfie verification photos publicly accessible on the open web. The data, maintained by Japan-based tech startup Reqrea, was exposed due to an Amazon cloud storage bucket being set to public, allowing unrestricted access without a password.

Independent security researcher Anurag Sen identified the vulnerability after discovering that the storage bucket, named “tabiq,” could be viewed by anyone using a web browser. The exposed files span from early 2020 to May 2026, containing identity documents from visitors to hotels across Japan and other countries. Details of the exposed bucket were also indexed by GrayHatWarfare, a searchable database of publicly visible cloud storage.

The data was secured after TechCrunch alerted both Reqrea and Japan’s cybersecurity coordination team, JPCERT. Reqrea director Masataka Hashimoto acknowledged the exposure in an email, stating the company is conducting a thorough review with external legal counsel and other advisors to determine the full scope of the incident.

Hashimoto noted that Reqrea does not know how the storage bucket became public. By default, Amazon cloud storage buckets are private, and Amazon added warning prompts to prevent accidental public access following previous incidents. Reqrea is currently reviewing logs to determine if any unauthorised access occurred prior to securing the bucket.
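The log review described above can be sketched as follows. This is an added example, not code from Reqrea or TechCrunch: it assumes S3 server access logging was enabled on the bucket, and every log line, IP address, request ID and object key in it is constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the S3 server access log layout (IDs, IPs, keys are made up).
# Assumption: server access logging was enabled on the bucket named on this page.
SAMPLE_LOG = """\
owner01 tabiq [03/May/2026:10:12:01 +0000] 198.51.100.7 - REQ1 REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 5120 - 30 29 "-" "Mozilla/5.0" -
owner01 tabiq [03/May/2026:10:12:09 +0000] 198.51.100.7 - REQ2 REST.GET.OBJECT docs/sample-1.jpg "GET /docs/sample-1.jpg HTTP/1.1" 200 - 204800 204800 45 40 "-" "Mozilla/5.0" -
owner01 tabiq [03/May/2026:10:13:30 +0000] 203.0.113.20 arn:aws:iam::111122223333:user/app REQ3 REST.PUT.OBJECT docs/sample-2.jpg "PUT /docs/sample-2.jpg HTTP/1.1" 200 - - 180000 60 20 "-" "aws-sdk" -
owner01 tabiq [03/May/2026:10:14:02 +0000] 192.0.2.44 - REQ4 REST.GET.OBJECT docs/sample-3.jpg "GET /docs/sample-3.jpg HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "curl/8.0" -
"""

# Leading fields of one record: owner, bucket, [time], remote IP, requester,
# request ID, operation, key, "request-URI", HTTP status, error code, bytes sent.
LINE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<reqid>\S+) (?P<op>\S+) (?P<key>\S+) '
    r'(?:"[^"]*"|-) (?P<status>\d{3}|-) (?P<err>\S+) (?P<sent>\d+|-)'
)

def anonymous_reads(log_text):
    """Return successful unauthenticated GET requests (the ones that returned data)."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # malformed or truncated record: skip rather than guess
        anonymous = m["requester"] == "-"          # "-" marks a request without credentials
        is_read = m["op"].startswith("REST.GET.")  # downloads, listings, sub-resource reads
        succeeded = m["status"].startswith("2")    # 200 and 206 both return content
        if anonymous and is_read and succeeded:
            hits.append({"time": m["time"], "ip": m["ip"], "op": m["op"],
                         "key": m["key"],
                         "sent": 0 if m["sent"] == "-" else int(m["sent"])})
    return hits

def bytes_by_ip(hits):
    """Total bytes served per source IP, to rank who pulled the most data."""
    totals = Counter()
    for h in hits:
        totals[h["ip"]] += h["sent"]
    return dict(totals)

if __name__ == "__main__":
    found = anonymous_reads(SAMPLE_LOG)
    for h in found:
        print(h["time"], h["ip"], h["op"], h["key"], h["sent"])
    print(bytes_by_ip(found))
```

S3 server access logs are delivered on a best-effort basis, so the absence of a record does not prove that no request took place.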

The company plans to notify affected individuals once the investigation is complete. This incident follows other recent exposures of sensitive documents, including data from money transfer service Duc App and car rental service Hertz, highlighting the risks associated with third-party identity verification services.
