A publicly accessible server hosted by Amazon allowed anyone with a web browser to access potentially hundreds of thousands of personal documents, including driver’s licenses and passports, from the Duc App. This sensitive information was collected during identity verification processes.
The app is owned by Duales, a Canadian fintech firm, and the data stayed exposed until TechCrunch alerted the company that anyone could view it without needing a password or decryption. The data included selfies that users uploaded to prove their identities, along with spreadsheets listing customer names and transaction details.
Duales CEO Henry Martinez González admitted the data was stored on a 'staging site,' which is typically used for testing purposes, but did not provide an explanation as to why this information was publicly accessible. The files, dating back to September 2020, were only made inaccessible after TechCrunch's intervention.
As more apps rely on users uploading government-issued documents to verify their identities, incidents like these highlight the need for better data security measures. In recent years, high-profile companies have inadvertently exposed sensitive information due to misconfigurations, underscoring a broader issue within tech.







