A massive data breach at a third-party identity verification provider has exposed over one million passport scans and associated personal information online. The compromised data includes full passport images, selfie photos, government-issued ID documents, and personally identifiable information (PII) from users across multiple platforms that relied on the vendor’s services. The breach highlights critical security failures in third-party KYC (Know Your Customer) systems and poses severe identity theft risks to affected individuals globally.
Introduction
On [date], security researchers discovered an unsecured database containing approximately 1.2 million passport scans, driver’s licenses, and identity verification documents exposed on the public internet. The data originated from a widely used third-party identity verification service that processes KYC checks for cryptocurrency exchanges, fintech platforms, online gambling sites, and financial service providers.
The exposed database remained accessible without authentication for an estimated 18-23 days before being secured, providing ample opportunity for malicious actors to harvest sensitive identity documents. This incident represents one of the largest exposures of passport data in recent years and underscores the systemic risks inherent in centralized identity verification ecosystems.
The breach affects users from over 100 countries who submitted identity documents to various platforms between 2019 and 2024. Given the permanent nature of passport information and the difficulty in changing government-issued identification numbers, affected individuals face long-term fraud risks.
Background & Context
Third-party identity verification services have become integral to the digital economy, processing millions of KYC submissions daily for platforms that lack in-house verification capabilities. These services use optical character recognition (OCR), facial recognition, and document authentication technologies to verify user identities during account creation or transaction authorization.
The compromised vendor, which serves over 500 client platforms globally, positions itself as a compliance solution for regulated industries. The company’s service processes identity documents, extracts data fields, performs liveness detection on selfie submissions, and returns verification results to client platforms via API integrations.
This breach follows a concerning pattern of security failures at identity verification providers. Similar incidents in 2021 and 2022 exposed hundreds of thousands of identity documents when vendors failed to implement basic security controls on cloud storage systems. Unlike payment card data that can be quickly replaced, passport numbers and biometric facial data remain static for years, making these breaches particularly consequential.
The regulatory landscape for third-party KYC providers varies dramatically across jurisdictions, with many countries lacking specific requirements for securing stored identity verification data after the initial check is completed.
Technical Breakdown
The breach originated from a misconfigured Amazon S3 bucket that stored processed identity verification submissions. Security researcher Bob Diachenko discovered the exposed database while scanning for publicly accessible cloud storage instances.
Exposure Vector:
The S3 bucket was configured with public read permissions, allowing anyone with the bucket URL to list and download contents without authentication. Analysis suggests this resulted from either deliberate misconfiguration during testing that was never corrected or overly permissive IAM policies applied during deployment.
# Example of misconfigured bucket policy allowing public access
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::verification-docs/*"
    }
  ]
}
Compromised Data Structure:
The database contained JSON metadata files linked to image files stored in nested directories organized by submission date and client platform identifier. Each submission package included:
- High-resolution passport bio-page scans (front and back where applicable)
- Driver’s licenses and national ID cards
- Selfie photographs taken during verification
- OCR-extracted text data (full names, dates of birth, passport numbers, nationalities)
- Facial recognition confidence scores
- IP addresses and device fingerprints from submission sessions
- Client platform identifiers revealing which services users registered for
Technical Failures:
Multiple security control failures enabled this exposure:
- Missing Encryption: Files were stored unencrypted at rest despite containing sensitive PII
- No Access Logging: S3 server access logging was disabled, preventing detection of unauthorized access
- Absent Monitoring: No CloudWatch alarms configured for unusual data access patterns
- Excessive Retention: Documents submitted as far back as 2019 were still stored, with no business justification for keeping them once verification had completed
- Lack of Segmentation: All client data stored in a single bucket rather than isolated environments
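The exposure vector and the control failures listed above can be checked offline against the bucket's own configuration documents. The following Python script is an added example, not code from the article or from the vendor: it parses the bucket policy quoted above, reports Allow statements that grant a wildcard principal, reads ACL grants in the shape `aws s3api get-bucket-acl` returns, and combines both with the bucket's Public Access Block settings to decide whether the bucket is still reachable anonymously. The hardened policy, the ACL documents, the role ARN and the canonical user ID are constructed for the example.

```python
import json

# ACL grantee groups that mean "everyone on the internet" / "any AWS account".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The misconfigured policy quoted in the technical breakdown.
MISCONFIGURED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicReadGetObject",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::verification-docs/*"
  }]
}""")

# Constructed hardened policy: only a named processing role may read objects and
# any request not made over TLS is denied. The role ARN is a placeholder.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ProcessorReadOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/kyc-processor"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::verification-docs/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::verification-docs", "arn:aws:s3:::verification-docs/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# Constructed ACL documents in the shape `aws s3api get-bucket-acl` returns.
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
               "Permission": "FULL_CONTROL"}
PUBLIC_ACL = {"Grants": [OWNER_GRANT, {
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [OWNER_GRANT]}

# Public Access Block settings as `aws s3api get-public-access-block` reports them.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
NO_BLOCK = {k: False for k in PAB_KEYS}
FULL_BLOCK = {k: True for k in PAB_KEYS}


def _principals(principal):
    """Flatten a statement's Principal ("*", {"AWS": "..."} or {"AWS": [...]}) to a list."""
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, dict):
        flat = []
        for value in principal.values():
            flat.extend(value if isinstance(value, list) else [value])
        return flat
    return []


def public_statements(policy):
    """Sids of Allow statements that grant a wildcard principal with no Condition.
    Any Condition is conservatively assumed to narrow the grant (for example to a
    VPC endpoint), so conditioned statements are not reported here."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be written unwrapped
        statements = [statements]
    return [st.get("Sid", f"Statement[{i}]") for i, st in enumerate(statements)
            if st.get("Effect") == "Allow"
            and "*" in _principals(st.get("Principal"))
            and "Condition" not in st]


def public_acl_grants(acl):
    """(group URI, permission) pairs granted to the AllUsers/AuthenticatedUsers groups."""
    return [(g["Grantee"]["URI"], g["Permission"]) for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GRANTEES]


def is_effectively_public(policy, acl, public_access_block):
    """True if anonymous access is still possible once the Public Access Block is applied:
    RestrictPublicBuckets neutralizes a public bucket policy, IgnorePublicAcls
    neutralizes public ACL grants. A missing setting counts as not enabled."""
    via_policy = bool(public_statements(policy)) and not public_access_block.get("RestrictPublicBuckets")
    via_acl = bool(public_acl_grants(acl)) and not public_access_block.get("IgnorePublicAcls")
    return via_policy or via_acl


if __name__ == "__main__":
    print("misconfigured policy, public statements:", public_statements(MISCONFIGURED_POLICY))
    print("hardened policy, public statements:", public_statements(HARDENED_POLICY))
    print("public ACL grants:", public_acl_grants(PUBLIC_ACL))
    print("exposed without PAB:", is_effectively_public(MISCONFIGURED_POLICY, PRIVATE_ACL, NO_BLOCK))
    print("exposed with full PAB:", is_effectively_public(MISCONFIGURED_POLICY, PRIVATE_ACL, FULL_BLOCK))
```

In a real audit the three documents come from `get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` (the account-level block from `s3control get-public-access-block` applies as well), and the check should run on a schedule, since the article's bucket was exposed for weeks precisely because nobody re-evaluated its configuration after deployment.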
Impact & Risk Assessment
Immediate Risks:
Exposed individuals face elevated risks of identity theft, passport fraud, and synthetic identity creation. Criminals can use authentic passport scans to create forged documents, open fraudulent financial accounts, or bypass identity verification systems at other platforms.
The inclusion of selfie photographs enables sophisticated attackers to create deepfake videos for identity verification systems that employ liveness detection. Combined with extracted personal data, threat actors possess complete identity theft kits for affected individuals.
Scale of Impact:
Based on the database contents, approximately 1.2 million unique individuals are affected across 100+ countries. The geographic distribution includes:
- North America: ~280,000 records
- European Union: ~340,000 records
- Asia-Pacific: ~420,000 records
- Latin America: ~95,000 records
- Middle East/Africa: ~65,000 records
Long-Term Consequences:
Unlike password breaches where credentials can be reset, passport numbers typically remain unchanged for 10 years. Affected individuals will face persistent fraud risks throughout this period. The biometric facial data exposure creates permanent vulnerabilities as facial features change minimally over time.
Downstream Platform Risk:
Client platforms that integrated this verification service face regulatory scrutiny, potential GDPR fines reaching 4% of annual revenue, class-action lawsuits, and reputational damage. Platforms must now re-verify user identities and implement enhanced fraud monitoring for affected accounts.
Vendor Response
The identity verification provider issued a statement acknowledging the exposure approximately 72 hours after being notified by security researchers. The company claimed the misconfiguration occurred during a “routine infrastructure update” and affected a “limited subset” of verification submissions.
Initial public communications significantly understated the breach scope, citing “approximately 300,000 records” before later revising to confirm over 1 million affected submissions. This discrepancy raised concerns about the company’s internal data inventory capabilities.
Remediation Actions Taken:
- S3 bucket permissions corrected within 4 hours of notification
- Forensic investigation initiated with third-party incident response firm
- Data retention policies revised to delete verification documents within 30 days
- Client platforms notified within 48 hours
- Regulatory notifications filed with data protection authorities in EU, UK, and California
The vendor has not provided evidence regarding whether unauthorized parties accessed the exposed data during the exposure window. Because server access logging was not enabled, it is impossible to determine definitively whether the data was accessed, or by whom.
Regulatory Consequences:
GDPR regulators in Ireland and Germany have opened formal investigations. The breach constitutes violations of data minimization principles (Article 5), security requirement failures (Article 32), and potentially unlawful processing of special category biometric data (Article 9).
Mitigations & Workarounds
For Affected Individuals:
Unfortunately, limited direct mitigation options exist since passport numbers cannot be easily changed. Recommended actions include:
- Fraud Monitoring: Enroll in identity theft monitoring services and enable credit freezes with major bureaus
- Travel Document Replacement: Contact passport-issuing authorities about expedited replacement, though many countries require valid reasons beyond data breaches
- Enhanced Verification: Register passport numbers with government alert systems where available
- Platform Monitoring: Review accounts on platforms where verification was completed for unauthorized access
- Fraud Alerts: Place fraud alerts with financial institutions and credit agencies
For Client Platforms:
Organizations that integrated the compromised verification service should:
# Implement enhanced monitoring for affected accounts
# Example: flag high-risk activities for manual review
# (illustrative pseudocode: the helper functions are placeholders for the
#  platform's own risk-engine calls)
if user.passport_number in compromised_dataset:
    apply_enhanced_monitoring(user.id)
    require_step_up_authentication(user.id)
    flag_for_manual_review(user.id, withdrawal_requests)
- Re-verify identities for high-value accounts
- Implement behavioral analytics to detect account takeover attempts
- Enhance transaction monitoring thresholds for affected users
- Consider rotating internal user identifiers linked to compromised records
Detection & Monitoring
Organizations using third-party verification services should implement continuous security validation:
Cloud Storage Auditing:
# AWS CLI command to check S3 bucket public access
aws s3api get-bucket-acl --bucket verification-docs
# Check for public bucket policies
aws s3api get-bucket-policy-status --bucket verification-docs
Vendor Security Assessment:
Implement quarterly security reviews of third-party providers including:
- SOC 2 Type II audit verification
- Penetration test report review
- Data handling and retention policy validation
- Incident response capability assessment
- Business continuity and disaster recovery testing
Detection Indicators:
Monitor for signs of compromised identity data usage:
- Multiple account creation attempts with same passport number
- Geographic impossibilities (account access from locations incompatible with recent verification submissions)
- Sudden spike in high-risk transactions from previously verified accounts
- Identity verification failures followed by successful authentication
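The step-up logic sketched in the client-platform mitigation section and three of the detection indicators above (membership in the compromised set, the same passport used to open several accounts, and geographically impossible logins), as an added Python example that is not part of the original article. The event log, the field names, the salt and the speed threshold are constructed assumptions. Passport numbers are matched by salted digest so that the detection pipeline itself never stores or compares raw document numbers.

```python
import hashlib
import math
from collections import defaultdict
from datetime import datetime

# Constructed: in practice the salt (or an HMAC key) lives in a secrets manager,
# and both the breach dataset and the platform's records hold digests only.
SALT = b"example-salt-rotate-me"


def passport_digest(passport_number):
    """Salted SHA-256 of a normalized passport number."""
    return hashlib.sha256(SALT + passport_number.strip().upper().encode()).hexdigest()


# Constructed compromised set (digests of two made-up passport numbers).
COMPROMISED = {passport_digest(p) for p in ("P1234567", "X9876543")}

# Constructed event log: (ISO timestamp, event type, user id, attributes).
EVENTS = [
    ("2024-05-01T08:00:00", "account_created", "u1", {"passport": passport_digest("P1234567")}),
    ("2024-05-01T08:05:00", "account_created", "u2", {"passport": passport_digest("P1234567")}),
    ("2024-05-01T09:00:00", "account_created", "u3", {"passport": passport_digest("A1111111")}),
    ("2024-05-02T10:00:00", "login", "u3", {"lat": 52.52, "lon": 13.405}),    # Berlin
    ("2024-05-02T11:00:00", "login", "u3", {"lat": 35.68, "lon": 139.69}),    # Tokyo, 1 h later
    ("2024-05-02T10:00:00", "login", "u2", {"lat": 40.71, "lon": -74.01}),    # New York
    ("2024-05-02T18:00:00", "login", "u2", {"lat": 34.05, "lon": -118.24}),   # Los Angeles, 8 h later
]


def affected_users(events, compromised):
    """Users whose enrolment passport digest appears in the breach dataset."""
    return {uid for _, kind, uid, attrs in events
            if kind == "account_created" and attrs["passport"] in compromised}


def duplicate_passport_signups(events):
    """Passport digests used to open more than one account -> sorted user ids."""
    accounts = defaultdict(set)
    for _, kind, uid, attrs in events:
        if kind == "account_created":
            accounts[attrs["passport"]].add(uid)
    return {digest: sorted(users) for digest, users in accounts.items() if len(users) > 1}


def _km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def impossible_travel(events, max_kmh=900.0):
    """(user, km, km/h) for consecutive logins faster than an airliner could manage."""
    last_seen, hits = {}, []
    for ts, kind, uid, attrs in sorted(events, key=lambda e: e[0]):
        if kind != "login":
            continue
        now = datetime.fromisoformat(ts)
        if uid in last_seen:
            then, lat0, lon0 = last_seen[uid]
            hours = (now - then).total_seconds() / 3600
            dist = _km(lat0, lon0, attrs["lat"], attrs["lon"])
            if hours > 0 and dist / hours > max_kmh:
                hits.append((uid, round(dist), round(dist / hours)))
        last_seen[uid] = (now, attrs["lat"], attrs["lon"])
    return hits


def step_up_required(uid, events, compromised):
    """The decision the mitigation pseudocode sketches: an affected user, or any user
    tripping one of the indicators, gets step-up authentication and manual review."""
    duplicates = {u for users in duplicate_passport_signups(events).values() for u in users}
    travellers = {hit[0] for hit in impossible_travel(events)}
    return uid in affected_users(events, compromised) or uid in duplicates or uid in travellers


if __name__ == "__main__":
    print("affected:", sorted(affected_users(EVENTS, COMPROMISED)))
    print("duplicate passports:", duplicate_passport_signups(EVENTS))
    print("impossible travel:", impossible_travel(EVENTS))
    for user in ("u1", "u2", "u3"):
        print(user, "step-up required:", step_up_required(user, EVENTS, COMPROMISED))
```

The compromised-set lookup is a one-time enrichment job; the duplicate-passport and impossible-travel checks are the ones worth running continuously, since they catch an attacker reusing a stolen document at a platform that never integrated the breached vendor.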
Best Practices
For Organizations Handling Identity Data:
- Data Minimization: Delete verification documents immediately after successful validation rather than retaining them indefinitely
- Encryption Everywhere: Implement encryption at rest and in transit for all PII storage
- Access Controls: Enforce least-privilege access with multi-factor authentication for systems containing identity documents
- Segmentation: Isolate client data in separate storage environments with dedicated access controls
- Vendor Due Diligence: Conduct thorough security assessments before engaging third-party verification providers
Security Architecture Recommendations:
# Example secure storage configuration
storage:
  encryption_at_rest: AES-256
  encryption_in_transit: TLS 1.3
  access_policy: private
logging:
  server_access: enabled
  object_access: enabled
lifecycle:
  expiration_days: 30
backup:
  encryption: enabled
  region_replication: cross-region
Vendor Management:
- Require contractual data security obligations with specific technical controls
- Implement continuous monitoring of third-party security postures
- Establish clear data ownership and deletion requirements
- Define incident notification timelines (24-48 hours maximum)
- Require regular third-party penetration testing and vulnerability assessments
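The abstract storage configuration in the Security Architecture Recommendations above, rendered as the concrete S3 settings that implement it, together with a checker for the same requirements and a dry-run client. This is an added example, not the article's or any vendor's code. The bucket name, KMS key ARN and log bucket are placeholders; object-level access logging (CloudTrail data events) and cross-region replication need additional resources that this example does not create.

```python
import json

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def hardened_bucket_config(bucket, kms_key_arn, log_bucket, retention_days=30):
    """Settings for one bucket: private, KMS-encrypted at rest, TLS-only,
    server-access-logged, and with documents expiring after `retention_days`.
    Each value uses the parameter shape the corresponding boto3 call expects."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "public_access_block": {k: True for k in PAB_KEYS},
        "encryption": {"Rules": [{
            "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                   "KMSMasterKeyID": kms_key_arn},
            "BucketKeyEnabled": True}]},
        "logging": {"LoggingEnabled": {"TargetBucket": log_bucket, "TargetPrefix": f"{bucket}/"}},
        "lifecycle": {"Rules": [{
            "ID": "expire-verification-docs", "Status": "Enabled", "Filter": {"Prefix": ""},
            "Expiration": {"Days": retention_days},
            "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 1}}]},
        "policy": {"Version": "2012-10-17", "Statement": [
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": f"{arn}/*",
             "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        ]},
    }


def check_config(cfg, max_retention_days=30):
    """Requirement violations for a config dict of the shape above (empty = compliant)."""
    problems = []
    pab = cfg.get("public_access_block", {})
    if not all(pab.get(k) for k in PAB_KEYS):
        problems.append("public access block not fully enabled")
    rules = cfg.get("encryption", {}).get("Rules", [])
    if not any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") == "aws:kms"
               for r in rules):
        problems.append("default encryption is not SSE-KMS")
    if "LoggingEnabled" not in cfg.get("logging", {}):
        problems.append("server access logging disabled")
    expiries = [r["Expiration"].get("Days") for r in cfg.get("lifecycle", {}).get("Rules", [])
                if r.get("Status") == "Enabled" and "Expiration" in r]
    expiries = [d for d in expiries if d is not None]
    if not expiries or min(expiries) > max_retention_days:
        problems.append(f"no lifecycle rule expires objects within {max_retention_days} days")
    statements = cfg.get("policy", {}).get("Statement", [])
    if not any(s.get("Effect") == "Deny"
               and s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport") == "false"
               for s in statements):
        problems.append("no deny for non-TLS requests")
    return problems


class DryRunClient:
    """Stand-in for a boto3 S3 client that records calls instead of making them."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def record(**kwargs):
            self.calls.append((name, kwargs))
        return record


def apply_config(s3, bucket, cfg):
    """Push the settings through a boto3 S3 client (or DryRunClient); returns the
    API names used, in the order they were called."""
    s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=cfg["public_access_block"])
    s3.put_bucket_encryption(Bucket=bucket, ServerSideEncryptionConfiguration=cfg["encryption"])
    s3.put_bucket_logging(Bucket=bucket, BucketLoggingStatus=cfg["logging"])
    s3.put_bucket_lifecycle_configuration(Bucket=bucket, LifecycleConfiguration=cfg["lifecycle"])
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(cfg["policy"]))
    return ["put_public_access_block", "put_bucket_encryption", "put_bucket_logging",
            "put_bucket_lifecycle_configuration", "put_bucket_policy"]


if __name__ == "__main__":
    cfg = hardened_bucket_config("verification-docs",
                                 "arn:aws:kms:eu-west-1:123456789012:key/PLACEHOLDER",
                                 "verification-docs-access-logs")
    print("violations:", check_config(cfg))
    client = DryRunClient()   # swap in boto3.client("s3") to apply for real
    for name in apply_config(client, "verification-docs", cfg):
        print("would call", name)
```

Running `check_config` against the live settings (fetched with the matching `get_*` calls) on a schedule turns the YAML above from a recommendation into a control: a drift such as the lifecycle rule being disabled or the Public Access Block being relaxed shows up as a violation rather than, as in this incident, as an unnoticed multi-week exposure.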
Key Takeaways
- Over 1.2 million passport scans and identity documents were exposed due to misconfigured cloud storage at a third-party verification provider
- The breach resulted from multiple security control failures including absent encryption, missing access controls, and excessive data retention
- Affected individuals face long-term identity theft risks due to the permanent nature of passport numbers and biometric data
- Organizations relying on third-party KYC services must implement robust vendor security assessments and continuous monitoring
- Data minimization and immediate deletion after verification completion would have prevented this exposure
- The incident highlights systemic risks in centralized identity verification ecosystems and the need for stronger regulatory requirements
This breach serves as a critical reminder that third-party integrations expand an organization’s attack surface significantly. When vendors handle sensitive identity data on behalf of multiple platforms, single security failures create cascading risks across entire ecosystems. Organizations must treat vendor security as an extension of their own security programs with equivalent rigor and oversight.
References
- AWS S3 Security Best Practices – https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html
- GDPR Article 32: Security of Processing – https://gdpr-info.eu/art-32-gdpr/
- NIST Special Publication 800-63-3: Digital Identity Guidelines – https://pages.nist.gov/800-63-3/
- OWASP Cloud Security Project – https://owasp.org/www-project-cloud-security/
- European Data Protection Board Guidelines on Data Breach Notification – https://edpb.europa.eu/
Stay updated at https://cydhaal.com — Your Daily Dose of Cyber Intelligence.