An American online gift card store has secured an online storage server that was publicly exposing hundreds of thousands of users' government-issued identification documents to the Internet.
A security researcher who goes by JayeLTee online found the publicly exposed storage server late last year. It contained driving licenses, passports and other identity documents. MyGiftCardSupply is a company that sells digital gift cards for popular brands and online services to customers.
MyGiftCardSupply's website says customers are required to upload a copy of their identity document as part of efforts to comply with U.S. anti-money laundering regulations, known as “know your customer” checks, or KYC.
But the storage server containing the files had no password, allowing anyone on the Internet to access the data stored inside.
JayeLTee alerted TechCrunch to the exposure last week after MyGiftCardSupply did not respond to the researcher's email about the exposed data.
MyGiftCardSupply founder Sam Gastro confirmed the security breach when reached by TechCrunch. “The files are now secure and we are going through the full KYC verification procedure,” Gastro said. “Go ahead, files will be deleted immediately after authentication.”
Gastro did not say how long the data was exposed to the Internet, and the company would not commit to notifying the people affected by the public exposure of their information. Gastro also did not mention that MyGiftCardSupply did not respond to the researcher's email or remediate the security breach at the time.
According to JayeLTee, the exposed data, hosted in Microsoft's Azure cloud, contained identity documents and more than 600,000 front and back images from about 200,000 users. Companies that perform KYC checks ask their customers to take a selfie while holding a copy of their identity document to confirm who the customer is and to weed out counterfeits.
The last document uploaded to the server was dated December 31, 2024, the day before MyGiftCardSupply secured the exposed server. Thousands of users had uploaded their documents over the past few weeks, suggesting the company was actively using the server to store them.
This is the latest in a long list of incidents and data breaches in recent years involving KYC checks that include supporting documents, which remain one of the most reliable techniques for verifying a customer's identity.
Last April, it was claimed that a hacker had stolen a huge check database called World-Check, a database used by companies to determine whether clients are high-risk or potentially involved in crime. A copy of the leaked data showed that the database included names, dates of birth, passports, Social Security numbers and bank account numbers.
Separately, on Thursday, JayeLTee reported discovering caches of exposed KYC documents at roommate search site Roomster, including around 320,000 passports and driver's licenses. In a blog post, JayeLTee said it was unclear how many people were affected by the security breach at Roomster.
Roomster CEO John Shriber did not return TechCrunch's email requesting comment. In a statement after publication, Roomster's general counsel Charles Brofman said the company had “no reason to believe that anyone hacked the folder or accessed the data and used it in a nefarious way.”
Roomster was ordered to pay $1.6 million in 2023 after it defrauded millions of consumers by posting unverified listings and fake reviews, according to a Federal Trade Commission complaint.
Updated with a statement from Roomster.