Tabiq Hotel Platform Leaks 1 Million Passports and IDs via AWS S3
A critical misconfiguration in Reqrea’s Tabiq hotel check-in system has exposed over one million sensitive guest documents, including passports, driver’s licenses, and selfie verification photos. According to Security Affairs, the data was left publicly accessible in an Amazon S3 cloud storage bucket. Anyone with knowledge of the bucket name, “tabiq,” could access this data without authentication.
Security Affairs reports that cybersecurity researcher Anurag Sen discovered the exposure, which spanned from early 2020 until recently, affecting hotel guests worldwide. Following notification to Reqrea and Japan’s JPCERT, the bucket was secured. Reqrea states that Amazon S3 buckets are private by default and is investigating how the public exposure occurred, with plans to notify affected users after a full review.
This isn’t just a simple slip-up; it’s a fundamental failure in cloud security posture. Leaving a bucket publicly readable, especially one containing identity documents, is inexcusable. Attackers don’t need sophisticated exploits when basic configuration errors hand them the keys to the kingdom.
What This Means For You
- If your organization handles any form of personally identifiable information (PII) or identity documents, this incident is a stark reminder to audit your cloud storage configurations immediately. Verify that all S3 buckets, Azure Blobs, or Google Cloud Storage buckets are private by default and enforce strict access controls. Don't assume default settings are sufficient. Implement automated scanning for public buckets and ensure robust developer training on secure cloud practices.
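As an added illustration of the automated public-bucket check recommended above (not code from the article, Reqrea, or AWS), the following Python sketch evaluates one bucket's Block Public Access flags, ACL grants, and bucket policy. It assumes the inputs are shaped like the boto3 responses from get_public_access_block (the PublicAccessBlockConfiguration dict), get_bucket_acl, and get_bucket_policy (the Policy string); it looks at bucket-level settings only, and policy statements that carry a Condition are skipped and need manual review.

```python
import json

# ACL grantee URIs that S3 treats as "everyone" and "any AWS account holder".
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def public_acl_grants(acl):
    """Permissions a get_bucket_acl-shaped dict grants to a public group."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS]

def public_policy_statements(policy_json):
    """Sids of Allow statements with a wildcard principal and no Condition."""
    hits = []
    doc = json.loads(policy_json) if policy_json else {}
    for stmt in _as_list(doc.get("Statement", [])):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict)
                                        and "*" in _as_list(principal.get("AWS", [])))
        if stmt.get("Effect") == "Allow" and wildcard and "Condition" not in stmt:
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits

def audit_bucket(name, pab, acl, policy_json):
    """Findings for one bucket; pab is {} when no Block Public Access config exists."""
    findings = [f"{name}: Block Public Access flag {f} is off"
                for f in PAB_FLAGS if not pab.get(f, False)]
    grants = public_acl_grants(acl)
    if grants and not pab.get("IgnorePublicAcls", False):
        findings.append(f"{name}: ACL grants {sorted(set(grants))} to a public group")
    stmts = public_policy_statements(policy_json)
    if stmts and not pab.get("RestrictPublicBuckets", False):
        findings.append(f"{name}: policy allows Principal '*' in {stmts}")
    return findings

# Constructed sample input; "example-guest-docs" is a hypothetical bucket name.
LOCKED = dict.fromkeys(PAB_FLAGS, True)
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
            "Permission": "READ"}]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-guest-docs/*"}]})

if __name__ == "__main__":
    for finding in audit_bucket("example-guest-docs", {}, OPEN_ACL, OPEN_POLICY):
        print(finding)
```

In a real audit the three inputs would be fetched per bucket from the S3 API, and the account-level Block Public Access setting would be checked as well.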