TechCrunch finds 100 K passport scans and selfies on a public-read S3 bucket behind a UK Visa Portal lookalike

TechCrunch reported on 2026-05-27 that ukvisaportal.com — a third-party site marketed as an immigration portal but not affiliated with the UK Government — exposed roughly 100,000 documents via a misconfigured Amazon S3 bucket. The bucket was not publicly listed, but a backend bug exposed directory listing, enabling enumeration of every object; individual files were readable to anyone with the URL. Exposed material included full passport pages (passport number, nationality, DOB, place of birth, issue / expiry dates), accompanying address documents and selfie photographs whose EXIF GPS metadata could pinpoint the applicant's home address. The operator — UAE-registered Active Leadgen LLC — marketed under brand names including "UK Visit" and "ETA-Pass" and impersonated the official GOV.UK service; some applicants told TechCrunch they paid fees believing it was the genuine government portal. TechCrunch and TechRadar report the bucket was secured overnight after publication; no ICO breach notification has surfaced in-window.