TL;DR:

  • What happened: Tabiq, a facial recognition hotel check-in platform operated by Japanese startup Reqrea, left over 1 million passport scans, driver’s licenses, and selfie verification photos in a publicly accessible Amazon S3 bucket. No password required. The bucket name was simply “tabiq.” [1][2]
  • How long: Files in the bucket date from early 2020 through May 2026: six years of guest identity documents from hotels across Japan, belonging to travelers from multiple countries worldwide. [1]
  • How it was found: Security researcher Anurag Sen discovered the exposed bucket and alerted TechCrunch. The bucket was also indexed by GrayHatWarfare, a searchable database of publicly visible cloud storage. [1]
  • The company’s response: Reqrea director Masataka Hashimoto says the company doesn’t know how the bucket became public. Amazon S3 buckets are private by default. Someone changed it. [1][2]

What Was Sitting Open on the Internet

The exposed S3 bucket contained three categories of documents from hotel guests worldwide [1][2]:

  • Passport scans: Full pages including passport numbers, dates of birth, nationalities, photos, and home addresses
  • Driver’s licenses: Government-issued IDs with license numbers, addresses, and photos
  • Selfie verification photos: The facial recognition images guests took during check-in, matched against their ID documents

Over a million documents. From travelers who checked into hotels across Japan. Sitting in a storage bucket named “tabiq” that anyone with a web browser could access.

The files spanned from early 2020 to May 2026. That’s six years of international travelers (business trips, vacations, conferences) whose most sensitive identity documents were one URL away from anyone who looked.

How Facial Recognition Check-In Works (and Why It’s Spreading)

Tabiq’s pitch is simple: skip the front desk. Guests scan their passport or ID, take a selfie, and the system uses facial recognition to verify their identity. No human interaction. Faster check-in. Hotels save on staff costs.

It’s not just a Japan problem. Facial recognition check-in is spreading globally. Major hotel chains are testing or deploying similar systems. The promise is convenience. The trade-off is handing your passport scan, your face, and your government ID to a startup and trusting them to keep it safe.

Reqrea is a small Japanese startup. They stored the biometric identity documents of a million international travelers. And they stored them in a bucket called “tabiq” with no authentication.

“We Don’t Know How It Happened”: But Amazon Does

Amazon S3 buckets are private by default. They’ve been private by default since 2017, when AWS added multiple warnings and safeguards after a wave of S3 breaches exposed voter records, military intelligence files, and corporate data.

To make an S3 bucket public in 2026, you have to actively override the default. AWS shows warning banners. The bucket’s public status is flagged in orange in the console. There are account-level settings to block all public access. You have to fight through layers of protection to expose data publicly.

Reqrea director Masataka Hashimoto told TechCrunch the company is “conducting a thorough review with the support of external legal counsel and other advisors to determine the full scope of exposure.” He said the company is uncertain “how the storage bucket became public.” [1]

Here’s how: someone turned off the protections. That’s the only way. Whether it was intentional, negligent, or a configuration error during setup six years ago, somebody made an active choice to make a bucket full of passports public.

Found by a Researcher. Indexed by a Search Engine.

Security researcher Anurag Sen discovered the exposed bucket and contacted TechCrunch. TechCrunch then notified both Reqrea and JPCERT, Japan’s national cybersecurity coordination team. Reqrea locked down the bucket after being contacted. [1]

But here’s the part that should worry anyone who stayed at a Tabiq-equipped hotel: the bucket was indexed by GrayHatWarfare, a publicly searchable database of exposed cloud storage buckets. That means it wasn’t just theoretically accessible: it was cataloged and discoverable. [1]

Reqrea says it’s reviewing access logs to determine whether unauthorized parties accessed the data before it was locked down. But S3 access logging is optional and has to be enabled separately. If Reqrea didn’t know the bucket was public, there’s a reasonable chance they didn’t enable access logging either.

The Hotel Industry’s Biometric Problem

Tabiq isn’t unique. It’s part of a growing trend of hotels outsourcing identity verification to tech platforms that handle biometric data (passport scans, facial recognition, fingerprints) without the security infrastructure of a bank or government agency.

There are no international standards for how hotel check-in systems should store biometric data. No required encryption standards for passport scans. No mandatory security audits. No breach notification requirements specific to hospitality biometrics in most jurisdictions.

Japan’s Act on the Protection of Personal Information (APPI) has been strengthened in recent years, but enforcement against small startups handling foreign travelers’ data remains unclear. JPCERT coordinates incident response but doesn’t regulate data storage practices.

The result: your passport scan is only as secure as the least competent startup your hotel chose to handle check-in.

What to Do If You’ve Stayed at a Hotel Using Facial Recognition Check-In

  • Check your records. If you’ve stayed at a hotel in Japan that used self-service facial recognition check-in, your documents may have been in this bucket. Keep records of which hotels you stayed at and when.
  • Monitor your identity. Exposed passport numbers and dates of birth are the building blocks of identity theft. Set up monitoring with your country’s relevant credit bureau. Consider a credit freeze if you’re concerned.
  • Ask before you scan. Next time a hotel asks you to scan your passport into a kiosk, ask who handles the data and how it’s stored. If the desk clerk doesn’t know, that’s your answer.
  • Request deletion. Under Japan’s APPI, GDPR (if you’re an EU citizen), or your local privacy law, you may have the right to request deletion of your biometric data after checkout. Exercise it.
  • Prefer traditional check-in. A human at a front desk who glances at your passport and hands it back is, ironically, more secure than a system that scans, stores, and uploads it to cloud storage.

The Bottom Line

A startup called Reqrea built a facial recognition hotel check-in system. It collected passport scans, driver’s licenses, and biometric selfies from over a million international travelers across six years. It stored all of it in an Amazon bucket called “tabiq” with no password.

The company says it doesn’t know how the data became public. Amazon says buckets are private by default. Someone made a choice. A million travelers paid the price.

Next time a hotel kiosk asks you to scan your passport, remember: you’re trusting a company you’ve never heard of to protect your most sensitive identity document. Tabiq proves what happens when that trust is misplaced.

Related: They Asked for Your Passport. Then Left It on a Public Server. | Eurail Breach Hits 308,000 Travelers

Sources

  1. TechCrunch: A hotel check-in system left a million passports and driver’s licenses open for anyone to see (May 15, 2026)
  2. Security Affairs: Public Amazon bucket leaks sensitive guest data from Japanese hotel platform Tabiq (May 2026)