Exposure at Online Gift Card Store Reveals Identity Documents of Hundreds of Thousands of People
The gift card store has now secured a public cloud storage server that held customer identity documents without any password protection.
A U.S. website that sells gift cards online has secured a storage server that publicly exposed hundreds of thousands of government-issued identity documents. A security researcher known online as JayeLTee discovered the exposed server late last year. It contained driver's licenses, passports, and other identity documents held by MyGiftCardSupply, a company that sells digital gift cards redeemable at prominent brands and online services.
MyGiftCardSupply states on its website that it requires customers to upload copies of their identity documents to comply with U.S. anti-money laundering regulations, commonly known as "know your customer" or KYC checks. However, the server where the files were stored had no password, so anyone on the internet could access it. JayeLTee alerted a media outlet to the exposure last week after MyGiftCardSupply did not respond to his email about the exposed data.
Sam Gastro, founder of MyGiftCardSupply, confirmed the exposure. He stated that "the files are now secure and we are conducting a thorough audit of the KYC verification process." He also said that in the future, files would be deleted immediately after identity verification is completed. However, he did not say how long the data had been exposed, nor did he commit to notifying the individuals whose data was exposed. He also did not explain why MyGiftCardSupply neither responded to the researcher's email nor acted to remedy the exposure at that time.
According to JayeLTee, the exposed data, hosted on Microsoft Azure, included over 600,000 images of identity documents and selfies from approximately 200,000 customers. Companies subject to KYC checks commonly ask customers to take a selfie while holding their identity document, to verify its authenticity and prevent fraud. The most recent document uploaded to the server was dated December 31, 2024, one day before MyGiftCardSupply secured the server, suggesting that the storage was still in active use.
This incident joins a long list of security breaches in recent years involving identity documents collected for KYC checks, a widely used method of verifying customer identity. Last April, a hacker claimed to have stolen a massive database called World-Check, which companies use to identify high-risk customers or those involved in potential criminal activity. A copy of the leaked data showed that the database contained names, birth dates, passport and Social Security numbers, and bank account numbers.
JayeLTee also reported another set of exposed KYC documents, including around 320,000 passports and driver's licenses from a roommate search site called Roomster. In a blog post, he said it was unclear how many people were affected by the Roomster exposure. The company's CEO, John Shriber, did not respond to requests for comment. In a statement provided by Roomster's general counsel, Charles Brofman, the company said it "has no reason to believe that anyone hacked the folder or that anyone accessed the data and used it improperly." In 2023, Roomster was ordered to pay $1.6 million following a Federal Trade Commission complaint alleging that it defrauded millions of its users by posting unverified listings and fake reviews.