FacePass security lapse exposes users' identification data


FacePass, a Brazil-focused app used for identification purposes, has leaked over 1.6 million files, exposing users and the company’s system credentials.

As many of us who’ve confirmed identity using an app know, trusting it to prioritize security is important. However, the Cybernews research team recently discovered an exposed AWS S3 bucket belonging to FacePass, which was leaking sensitive customer and company files.

FacePass is widely used in Brazil to buy tickets and attend events across the world’s fifth-largest country. The app leverages facial recognition tech, requiring users to upload selfies and national IDs, with the app confirming whether there’s a match.


“This trove of exposed data places users at significant risk of identity theft, financial fraud, and targeted phishing attacks. Cybercriminals could leverage national IDs and selfies to bypass biometric verification systems, impersonate victims, or gain unauthorized access to financial accounts,” our researchers said.

The company has fixed the issue after being contacted by our team. We have also reached out to the app’s makers for official comment and will update the article once we receive a reply.

Niamh Ancell, Stefanie Marcus Walsh

What FacePass data was leaked?

According to the team, the exposed instance contained numerous sensitive records, such as:

  • Brazilian national IDs
  • Selfies for ID verification
  • AWS access key ID and other secrets
  • Full names
  • CPF numbers (Brazilian taxpayer registry)
  • Phone numbers

Researchers believe that there is more than enough data for attackers to commit identity theft. That’s not surprising, as most of the information FacePass collects is meant precisely for ID verification.

“Cybercriminals can pair national ID details with selfies to circumvent biometric verification systems, enabling financial fraud or unauthorized access to sensitive accounts,” researchers said.


Moreover, the attackers could set up convincing phishing attacks, leveraging leaked personal data. For one, malicious actors could craft convincing emails or messages designed to steal additional sensitive information or money from users.


Another major risk from the leaked data concerns the company itself. Since the exposed database contained AWS credentials, attackers could gain unauthorized entry to the company systems, allowing cybercrooks to extract, modify, and delete sensitive data.

Since some of the names, CPF numbers, and phone numbers were stored in a single file, attackers could repurpose it for fraud and scam campaigns or even sell it on the dark web.

“Personal details from the leaked Excel files provide the means to orchestrate tailored phishing schemes or phone-based scams, where attackers may impersonate FacePass or other trusted entities to extract further sensitive information or payments,” the team said.

To prevent similar issues in the future, our researchers advise FacePass to:

  • Change the access controls to restrict public access and secure the bucket. Update permissions to ensure that only authorized users or services have the necessary access.
  • Retrospectively review access logs to assess whether the bucket has been accessed by unauthorized actors.
  • Enable server-side encryption to protect data at rest.
  • Use AWS Key Management Service (KMS) for managing encryption keys securely.
  • Consider implementing security best practices including regular audits, automated security checks, and employee training.
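As an added example, not code from the article or from FacePass, the script below applies two of those recommendations to constructed input: it reviews S3 server access log lines for successful object downloads made with no AWS identity (the requester field is "-"), and checks a Public Access Block configuration of the kind `aws s3api get-public-access-block` returns. The bucket name, log lines and IP addresses are all constructed.

```python
import re
from collections import Counter

# Leading fields of the S3 server access log format (space-separated, time in
# brackets, request line in quotes); the trailing fields are not needed here.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<request>[^"]*)" (?P<status>\S+) (?P<error>\S+) (?P<bytes>\S+)'
)

# Constructed sample log (not real FacePass data): one authenticated listing,
# two anonymous downloads from one address, and one request denied after the fix.
SAMPLE_LOG = """\
ownerid examplebucket [30/Jan/2025:10:15:02 +0000] 203.0.113.7 ownerid REQ1 REST.GET.BUCKET - "GET /examplebucket?list-type=2 HTTP/1.1" 200 - 512 - 12 - "-" "aws-cli/2.15" - hostid SigV4 - AuthHeader examplebucket.s3.amazonaws.com TLSV1.2
ownerid examplebucket [30/Jan/2025:11:02:41 +0000] 198.51.100.9 - REQ2 REST.GET.OBJECT selfies/user1.jpg "GET /selfies/user1.jpg HTTP/1.1" 200 - 48213 48213 30 - "-" "python-requests/2.31" - hostid - - - examplebucket.s3.amazonaws.com TLSV1.2
ownerid examplebucket [30/Jan/2025:11:02:43 +0000] 198.51.100.9 - REQ3 REST.GET.OBJECT ids/user1.pdf "GET /ids/user1.pdf HTTP/1.1" 200 - 91033 91033 44 - "-" "python-requests/2.31" - hostid - - - examplebucket.s3.amazonaws.com TLSV1.2
ownerid examplebucket [19/Feb/2025:09:00:00 +0000] 198.51.100.9 - REQ4 REST.GET.OBJECT ids/user2.pdf "GET /ids/user2.pdf HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "python-requests/2.31" - hostid - - - examplebucket.s3.amazonaws.com TLSV1.2
"""

def parse_line(line):
    """Return the parsed fields of one access-log line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def anonymous_successful_reads(log_text):
    """Object downloads that succeeded without any AWS identity (requester '-')."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["requester"] == "-"
                and rec["operation"] == "REST.GET.OBJECT" and rec["status"] == "200"):
            hits.append(rec)
    return hits

def summarize(hits):
    """Per-source-IP count of anonymously fetched objects, for triage."""
    return Counter(rec["ip"] for rec in hits)

def public_access_blocked(config):
    """True only if all four Public Access Block settings are enabled."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(config.get(k) is True for k in keys)

if __name__ == "__main__":
    hits = anonymous_successful_reads(SAMPLE_LOG)
    for rec in hits:
        print(rec["time"], rec["ip"], rec["key"], rec["bytes"], "bytes")
    print(dict(summarize(hits)))
```

A real review would feed the bucket's delivered log objects into `anonymous_successful_reads` and treat any hit as confirmed exposure of that key.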

  • Leak discovered: January 30th, 2025
  • Initial disclosure: January 30th, 2025
  • CERT contacted: January 30th, 2025
  • Leak closed: February 19th, 2025