A U.S. online gift card store has secured an online storage server that was publicly exposing hundreds of thousands of customer government-issued identity documents to the internet.
A security researcher, who goes by the online handle JayeLTee, found the publicly exposed storage server late last year containing driving licenses, passports, and other identity documents belonging to MyGiftCardSupply, a company that sells digital gift cards for customers to redeem at popular brands and online services.
MyGiftCardSupply’s website says it requires customers to upload a copy of their identity documents as part of its compliance efforts with U.S. anti-money laundering rules, often known as “know your customer” checks, or KYC.
But the storage server containing the files had no password, allowing anyone on the internet to access the data stored inside.
JayeLTee alerted TechCrunch to the exposure last week after MyGiftCardSupply did not respond to the researcher’s email about the exposed data.
When reached by TechCrunch, MyGiftCardSupply founder Sam Gastro confirmed the security lapse. “The files are now good, and we are doing a full audit of the KYC confirmation procedure,” said Gastro. “Going onwards, we are going to cancel the files readily after doing the identity check.”
Gastro would not say how long the data was exposed to the internet, nor would the company commit to notifying affected individuals whose information was left public. Gastro also did not address why MyGiftCardSupply did not reply to the researcher’s email or remedy the security lapse at the time.
According to JayeLTee, the exposed data — hosted on Microsoft’s Azure cloud — contained over 600,000 front and back images of identity documents and selfie photos of around 200,000 customers. It’s not uncommon for companies subject to KYC checks to ask their customers to take a selfie while holding a copy of their identity document to verify that the customer is who they say they are, and to weed out forgeries.
The most recently uploaded file on the server was dated December 31, 2024, a day before MyGiftCardSupply secured the exposed server. Thousands of customers uploaded their identity documents in the preceding weeks, suggesting the storage server was actively used.
This is the latest in a long list of incidents and data breaches in recent years involving identity documents for KYC checks, which remain one of the most relied-upon techniques for verifying a customer’s identity.
Last April, a hacker claimed to have stolen a massive screening database called World-Check, a database used by companies to determine if customers are high risk or involved in potential criminality. A copy of the leaked data showed the database contained names, dates of birth, passport and Social Security numbers, and bank account numbers.
JayeLTee separately reported on Thursday finding another stash of exposed KYC documents, including around 320,000 passports and driver’s licenses, from roommate finding site Roomster. In a blog post, JayeLTee said it was not clear exactly how many individuals were affected by the security oversight at Roomster.
CEO John Shriber did not return TechCrunch’s email requesting comment. In a statement provided by Roomster’s general counsel Charles Brofman after publication, the company said it has “no cause to consider that anyone has hacked the folder or that anyone has accessed the data and used it in any villainous fashion.”
Roomster was in 2023 ordered to pay $1.6 million following a Federal Trade Commission complaint for allegedly defrauding millions of its users by posting unverified listings and fake reviews.
Updated with statement from Roomster.