
Comments (112)

  • throwaway692675
    I'm aware of another batch of leaked passports, from a few years ago.

    A family member was booking a school tour, when he noticed the URL of the Travel CRM included an id number. Sure enough, the CRM would return all his details given only the (sequential) id number without a need for credentials: high resolution passport scan, and all the other details provided when booking an overseas trip.

    He notified the CRM company, and that email was ignored. He emailed again, proposing disclosure, and the problem was silently fixed with no response.

    A few months later he mentioned it to the school, along with the fact that he had followed up and had the vulnerability fixed. The school went straight into panic mode, called him to the principal's office and forced him to write a statement so they could refer him to the Feds. I intervened, explaining that he was the good guy who got the vulnerability fixed, and the problem was the school's, since they had supposedly vetted the CRM for security when choosing a tour company.

    All of a sudden from the school's point of view there was no problem and no need to mention it to any of the people whose information had been disclosed, despite my insistence. The people still haven't been notified. The school did acknowledge that the family member had done the right thing and verbally thanked him, but would not put anything in writing.

    The people involved in the tour had their details leaked, but there was nothing special about those people in the system, so realistically every person whose details were in that CRM had their details, including passports, leaked. It was a major travel CRM provider, so the number of people in the system would have been 6 or 7 figures.

    The kicker is that the family member was employed by a software company that had the school system as a customer. The IT person who was responsible for vetting the travel CRM (and had verbally thanked him) arranged for the school system to phone his employer and deliver an ultimatum: that the family member be sacked or they would risk losing a customer. The family member got the sack.
  • siar
    In the EU, eIDAS 2.0 will fix all of these issues and future leaks altogether. Check authbound.io
  • tartoran
    > Note what happened. A high-value credential—a passport—was used in an ancillary low-value authentication system: ID verification for cannabis dispensaries. And it’s the low-value system that got hacked, putting the high-value credential at risk.

    Why do these systems hold onto users' data post verification?
  • shmoobadge
    Much as passports are very important for proving identity etc, people who travel have had their passport scanned, photographed or photocopied by pretty much every hotel they've stayed in. I'm not sure the shoebox in the backroom in Koh Samui with the photocopies in constitutes good storage hygiene protocols.

    How that doesn't turn into rampant identity theft I don't know, or maybe it does? Not, happily, for me... yet.
  • monksy
    Don't forget to send your congress person a reminder about what their vote for age verification systems does. Find your rep at congress.gov. Email or mail them this article.
  • cebert
    > PuffPal, a platform that manages membership and age verification for cannabis retailers and clubs across Europe.

    At least we’re keeping the children safe though by verifying ages. It’s worth giving up privacy for that…
  • gertrunde
    The lack of security is one thing, but why have they retained the information at all!

    IIRC, one of the elements of GDPR is "storage limitation", i.e. you must not keep personal data for longer than you need it - and in this case, the data is only needed to verify the age of the user, and shouldn't ever be required again (unless people can now get younger).

    Once a document has been used to verify a person's identity and that the person is of legal age, there is no reason to retain a copy of the document any more.

    It would be reasonable and fair to retain a photo of the user to verify that the person matches the account, but that's it.
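One way to apply the storage-limitation principle described in the comment above, as an added example that is not code from this thread or from any product named in it: the document is inspected once, only an attestation (result plus audit metadata) is kept, and the scan and document fields are discarded. The field names, the input dict layout and the 365-day attestation retention are assumptions.

```python
from dataclasses import dataclass, asdict
from datetime import date, datetime, timedelta, timezone

# Fields that must not survive past the verification step (assumed list).
DOCUMENT_FIELDS = {"scan", "document_number", "date_of_birth", "full_name", "nationality"}


@dataclass(frozen=True)
class AgeAttestation:
    """The only thing retained: a yes/no result plus audit metadata, no document data."""
    member_id: str
    over_18: bool
    doc_type: str          # e.g. "passport"; the kind of document, never its number
    verified_at: datetime
    expires_at: datetime   # when the attestation itself must be purged


def age_on(dob: date, today: date) -> int:
    """Full years elapsed; a 29 Feb birthday counts on 1 Mar in non-leap years."""
    years = today.year - dob.year
    try:
        birthday = dob.replace(year=today.year)
    except ValueError:  # 29 Feb, and this year is not a leap year
        birthday = dob.replace(year=today.year, month=3, day=1)
    return years - 1 if today < birthday else years


def verify_and_record(member_id: str, document: dict, today: date,
                      retention_days: int = 365) -> AgeAttestation:
    """Check the document once, then keep only the outcome.

    `document` is an assumed dict with "type", "date_of_birth" (ISO) and the raw "scan";
    it is emptied in place so the caller cannot accidentally persist it afterwards.
    """
    dob = date.fromisoformat(document["date_of_birth"])
    over_18 = age_on(dob, today) >= 18
    now = datetime.combine(today, datetime.min.time(), tzinfo=timezone.utc)
    attestation = AgeAttestation(member_id, over_18, document["type"],
                                 now, now + timedelta(days=retention_days))
    document.clear()  # scan, number, name and date of birth are gone from here on
    return attestation


def contains_document_data(record: dict) -> bool:
    """Guard for a persistence layer: refuse any record that still carries document fields."""
    return bool(DOCUMENT_FIELDS & set(record))


def purge_expired(records: list, now: datetime) -> list:
    """Storage limitation applies to the attestation too: drop it once its retention lapses."""
    return [r for r in records if r.expires_at > now]
```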
  • dgellow
    Oh god that’s pretty bad

    > The documents were hosted by systems used by cannabis clubs and a company called Nefos, which operates PuffPal, a platform that manages membership and age verification for cannabis retailers and clubs across Europe. The infrastructure storing these identity documents—full passport scans, driver’s licenses with photos, names, and identifying numbers—was left completely unprotected on publicly accessible web servers.

    I cannot imagine the level of fines under GDPR for leaking that much PII
  • hahahaa
    The cannabis link makes it much worse as you have a bit of information about the person in addition to the passport which is a perfect ID.
  • JSR_FDED
    Well this should keep the transfer stations going for a bit longer.
  • charles_f
    > Zero password protection on document storage systems
    >
    > No encryption for sensitive identity verification data
    >
    > Public URL access with no authentication requirements
    >
    > No access logging or monitoring systems in place

    Pretty much the bingo of secure storage, even CTF demos make it less obvious. Storing a document that they have no business keeping in the first place, with no security whatsoever.
  • adithyaharish
    I am sure even my passport would be part of the breach. Are the passport holders being notified of the breach?
  • croes
    > No hacking was required—documents were accessible through direct URLs with zero authentication or encryption.

    You would be surprised what some courts already count as hacking
  • spullara
    Remember that there is no such thing as identity theft. There is just fraud. You weren't involved at all.
  • emayljames
    This is the best one. Not a shady company website, or a paywalled site: https://boingboing.net/2026/06/28/a-million-passports-leaked...
  • maipen
    So much of our information is being leaked nowadays that news like these don’t surprise me anymore…

    I think everyone should understand that if they truly want something private, storing it offline or destroying it completely are the only safer options. Any sort of convenience to access said data is a possible surface of attack.
  • vfclists
    Do the laws that mandate identity verification set security standards that the websites which collect and verify the data must meet?
  • joe_mamba
    Damn, we even got passport leaks before GTA 6.
  • dang
    [stub for offtopicness]
  • Daz912
    [dead]
  • raverbashing
    That's good, just grab one of those whenever you need to prove your age online /s