Online gift card store exposed hundreds of thousands of people’s identity documents

A U.S. online gift card store has secured an online storage server that was publicly exposing hundreds of thousands of customer government-issued identity documents to the internet.

A security researcher, who goes by the online handle JayeLTee, found the publicly exposed storage server late last year containing driving licenses, passports, and other identity documents belonging to MyGiftCardSupply, a company that sells digital gift cards for customers to redeem at popular brands and online services. 

MyGiftCardSupply’s website says it requires customers to upload a copy of their identity documents as part of its compliance efforts with U.S. anti-money laundering rules, often known as “know your customer” checks, or KYC.

But the storage server containing the files had no password, allowing anyone on the internet to access the data stored inside.

JayeLTee alerted TechCrunch to the exposure last week after MyGiftCardSupply did not respond to the researcher’s email about the exposed data.

When reached by TechCrunch, MyGiftCardSupply founder Sam Gastro confirmed the security lapse. “The files are now secure, and we are doing a full audit of the KYC verification procedure,” said Gastro. “Going forward, we are going to delete the files promptly after doing the identity verification.” 

Gastro would not say how long the data was exposed to the internet, nor would the company commit to notifying affected individuals whose information was left public. Gastro also did not address why MyGiftCardSupply did not reply to the researcher’s email or remediate the security lapse at the time.

According to JayeLTee, the exposed data — hosted on Microsoft’s Azure cloud — contained over 600,000 front and back images of identity documents and selfie photos of around 200,000 customers. It’s not uncommon for companies subject to KYC checks to ask their customers to take a selfie while holding a copy of their identity documents to verify that the customer is who they say they are, and to weed out forgeries.

The most recently uploaded document on the server was dated December 31, 2024, a day before MyGiftCardSupply secured the exposed server. Thousands of customers uploaded their identity documents in the preceding weeks, suggesting the storage server was actively used.

This is the latest in a long list of incidents and data breaches in recent years involving identity documents for KYC checks, which remain one of the most relied-upon techniques for verifying a customer’s identity.

Last April, a hacker claimed to have stolen a massive screening database called World-Check, a database used by companies to determine if customers are high risk or involved in potential criminality. A copy of the leaked data showed the database contained names, dates of birth, passport and Social Security numbers, and bank account numbers.

JayeLTee separately reported on Thursday finding another cache of exposed KYC documents, including around 320,000 passports and driver’s licenses, from roommate-finding site Roomster. In a blog post, JayeLTee said it was not clear exactly how many individuals were affected by the security lapse at Roomster.

CEO John Shriber did not return TechCrunch’s email requesting comment. In a statement provided by Roomster’s general counsel Charles Brofman after publication, the company said it has “no reason to believe that anyone has hacked the folder or that anyone has accessed the data and used it in any nefarious way.”

In 2023, Roomster was ordered to pay $1.6 million following a Federal Trade Commission complaint for allegedly defrauding millions of its users by posting unverified listings and fake reviews.

Updated with statement from Roomster.



Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.
