Key developments
Tabiq bucket exposed million passport scans
WebProNews reported that Reqrea's Tabiq hotel check-in platform left a public Amazon S3 bucket named "tabiq" exposing passports, driver's licenses, and facial verification photos from more than one million records spanning early 2020 onward. Researcher Anurag Sen found the bucket accessible without authentication, and Reqrea and Japan's JPCERT locked it down within hours; the company says it will review access logs and notify affected guests.
Why it matters
The exposure involves highly sensitive identity and biometric data that can fuel long-term fraud and compliance risk.
Sources & driving stories
WEBPRONEWS · Victoria Mossi
WebProNews coverage
Alberta injunction targets leaked voters list
Yahoo reported that Elections Alberta obtained an injunction ordering Centurion Project to remove an online database authorities say matched a voters list provided to the Republican Party in June. The chief electoral officer is also seeking a permanent order to destroy copies, while the province waits on investigations by Elections Alberta, the privacy commissioner, and the RCMP before deciding whether to change the law.
Why it matters
The case could reshape how much voter data political parties can receive and how securely it must be handled.
Sources & driving stories
YAHOO
Yahoo coverage
Tycoon2FA returns with device-code phishing
BleepingComputer reported that Tycoon2FA rebuilt after a March disruption and is now using OAuth 2.0 device authorization grant phishing to steal Microsoft 365 accounts. The campaign starts with invoice-themed Trustifi tracking links, moves through Cloudflare Workers and obfuscated JavaScript, then tricks victims into entering a device code at microsoft.com/devicelogin; eSentire also said the kit blocks common analysis tools and maintains a 230-name vendor blocklist.
Why it matters
The new flow shows phishing kits continuing to adapt around MFA protections and steal cloud tokens at scale.
Sources & driving stories
BLEEPINGCOMPUTER · Bill Toulas
BleepingComputer coverage
Worth noting
WORTH NOTING
Fidelity breach settlement awaits approval
The $2.5 million deal would resolve claims over a 2024 network intrusion affecting more than 155,000 customers, but a court hearing is still pending.
WORTH NOTING
Windscribe threatens Canada exit over Bill C-22
The VPN provider says the proposed law could require logging and conflict with its no-logs model.
Still unclear
OPEN QUESTION
Did anyone access the Tabiq bucket?
Reqrea is still reviewing access logs, so the true scope of exposure and notification obligations remains unknown.
OPEN QUESTION
Will Alberta restrict full voters-list access?
The leak and injunction could push the province toward narrower disclosure rules for elector data.
