Nearly a million passports and photo IDs were left unprotected on the public internet — where the chain broke

Data breaches are usually framed around an attacker. The case reported by The Verge draws a different line: there is no attacker, only a cloud storage bucket left open.
According to the report, around 950,000 passports, driving licences and photo IDs collected by user verification platforms Nefos and PuffPal were found in an Amazon S3 bucket accessible on the internet without a password.
Both companies hold customer documents for regulated sectors — one for age verification at cannabis clubs, the other for online tobacco sales — under different national rules but using the same external bucket as their storage infrastructure.
Security researcher Jeremiah Fowler found the bucket while scanning and reported it to The Verge. Fowler said the bucket was configured with public-read permission, meaning anyone on the internet could list and download the documents directly.
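The exposure described above comes down to one bucket setting: an ACL grant to the AllUsers group. The following Python is an added illustration, not code from the article, from the researcher or from AWS; it classifies a bucket's exposure from the same two structures a defender would pull with the GetBucketAcl and GetPublicAccessBlock API calls (field names are the real API response fields, the sample data and owner ID are constructed), so a fleet-wide audit can run it over every bucket's output and flag the ones that are world-listable.

```python
"""Classify an S3 bucket's exposure from its ACL and Public Access Block settings.

Added illustration (not from the article or from AWS). The inputs follow the
shape of the GetBucketAcl and GetPublicAccessBlock API responses so the
functions can be fed a real call's output, but the sample data below is
constructed.
"""

# Group grantee URIs that S3 treats as "anyone on the internet" and "any AWS
# account holder" respectively; a grant to either makes the bucket public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTHENTICATED_USERS: "AuthenticatedUsers"}


def public_grants(acl):
    """Return (group, permission) pairs in the ACL that grant access to the world."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return found


def public_acls_ignored(pab):
    """True when IgnorePublicAcls is set: S3 then disregards existing public grants."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return bool(cfg.get("IgnorePublicAcls", False))


def assess(acl, pab):
    """Classify exposure as 'private', 'neutralised' (public grant masked by the
    Public Access Block) or 'public' (the grant is effective)."""
    grants = public_grants(acl)
    if not grants:
        return {"status": "private", "grants": []}
    if public_acls_ignored(pab):
        return {"status": "neutralised", "grants": grants}
    # READ on the bucket ACL lets anyone list its keys; FULL_CONTROL includes READ.
    # Whether each object can then be downloaded depends on that object's own
    # ACL or on a bucket policy, which this check does not inspect.
    listable = any(p in ("READ", "FULL_CONTROL") for _, p in grants)
    return {"status": "public", "listable": listable, "grants": grants}


# Constructed sample inputs mirroring the API response shape.
OWNER = {"Type": "CanonicalUser", "ID": "constructed-owner-id"}
PUBLIC_READ_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
PRIVATE_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
]}
PAB_OFF = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": False, "IgnorePublicAcls": False,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}
PAB_ON = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}

if __name__ == "__main__":
    for name, acl, pab in [("open-bucket", PUBLIC_READ_ACL, PAB_OFF),
                           ("open-acl-but-pab-on", PUBLIC_READ_ACL, PAB_ON),
                           ("private-bucket", PRIVATE_ACL, PAB_OFF)]:
        print(name, assess(acl, pab))
```

The second sample case is the one worth noticing: the same AllUsers READ grant that exposed the documents is harmless when IgnorePublicAcls is on, which is why the account-level Public Access Block is the control to verify first. The check only covers ACL grants; a bucket policy can open a bucket just as widely, and that path is governed by the BlockPublicPolicy and RestrictPublicBuckets flags, which an audit should inspect separately.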
The most sensitive files are full-resolution passport scans. Such images are worth far more in the identity-theft market than a single payment card. Under adult age verification, some users had also completed a selfie-plus-document match; both the selfie and the document were exposed side by side on the open internet.
Both companies, contacted by The Verge, closed the bucket after publication. How long it had been open and how many downloads occurred is not yet known. Both companies acknowledged the error in comments to the publication.
Legal consequences can be heavy. The EU's GDPR allows fines of up to 4% of turnover for breaches caused by configuration error, regardless of intent. At US state level, California's CCPA sets a floor of $100 in statutory damages per user.
Incidents of this kind are not isolated. Security firms say the number of identity-document leaks caused by S3 configuration errors has grown by 18% a year over the past three years. Ambiguity in default cloud storage settings is the most common causal factor.
The case also exposes the audit-chain problem of small third-party verification services. When a bar or online dispensary asks for ID, the firm that ends up storing it can change without the user knowing; the regulatory framework does not yet cover that architecture.
Vesper covers tech and security news for information only. If you believe you have been affected by a personal data breach, contact the relevant national data protection authority.
