Nearly a million passports and photo identification documents were left unprotected on the public internet, accessible to anyone with a direct link. The identity documents, including passports from Germany and Spain and driver's licenses from multiple countries, sat at public URLs with no password protection or access controls.
A security researcher discovered the trove of sensitive identity documents by simply typing a few letters and numbers into a web browser. The findings reveal a significant data exposure affecting citizens across multiple nations.
The documents included front and back images of driver's licenses and complete passport scans—the type of materials that form the foundation of identity theft. Each image was individually accessible via direct URL, meaning anyone who obtained a link could view the document without authentication.
The exposed files were stored on public-facing servers with no password requirements or IP restrictions. This represents a fundamental security failure, as identity documents should never be accessible without multiple layers of protection.
Such breaches typically occur when organizations fail to implement basic security controls while storing sensitive documents. Common causes include misconfigured cloud storage, inadequate access controls, and a failure to encrypt sensitive data.
The scale of this exposure—nearly one million documents—suggests the vulnerability affected multiple organizations or a single service used by many entities. The documents' diversity indicates victims span multiple countries and potentially multiple industries.
Identity document exposure carries serious consequences for affected individuals. Exposed passports and IDs can be used to open fraudulent accounts, apply for credit, or enable identity theft. Foreign nationals face additional risks, including potential issues with immigration authorities or travel complications.
No details have been released regarding which organizations were responsible for storing the documents, how long they remained exposed, or whether the vulnerability has been patched. The discovery underscores the ongoing challenge of securing sensitive personal data in digital systems, particularly when organizations handle millions of identity documents.
Security researchers recommend individuals monitor their credit reports and consider identity theft protection if their documents were among those exposed.