Nearly a million passports and photo IDs left exposed online

Typing a few letters and numbers into my web browser, I find myself gaping at the identity documents of complete strangers. The passport of a young woman from Germany. The passport of a man from Spain with glasses resting on his head.

The front and back of another man's driver's license, a stereotypically goofy expression on his face. They were all sitting unprotected at public URLs, with no password or access control of any sort. If I sent you a link, you could have looked at someone's passport.

"We have to do something about it as fast as possible, because people will find this and resell it. It will do damage," Sammy Azdoufal told me in an interview. Azdoufal discovered that nearly a million passports and photo IDs were left unprotected on the public internet, easily accessible to anyone.

The issue was caused by a misconfigured cloud storage system, which allowed unauthorized access to sensitive documents. The exposed documents included passports from various countries, as well as driver's licenses and state IDs from the United States. The sensitive information was stored in a cloud storage system used by a company that provides identity verification services.

The company's system stored documents without proper access controls, allowing anyone with an internet connection to view the sensitive information. The exposed data was eventually secured after Azdoufal reported the issue to the company. The exposure of nearly a million passports and photo IDs highlights the growing concern over data security and the importance of proper access controls.

This incident demonstrates how easily sensitive information can be compromised, and the potential damage it can cause. For individuals, this means that their personal documents can be accessed and potentially misused by malicious actors. For businesses, this serves as a reminder to prioritize data security and implement robust access controls to protect sensitive information.

As the use of cloud storage and identity verification services continues to grow, it is crucial that companies take proactive steps to safeguard sensitive data and prevent such incidents from happening in the future. The question remains as to whether this incident will lead to changes in regulations and industry standards for data security and access controls.