Jun 01, 2026 · 6 min read
UK Visa Portal Leaked 100,000 Passports and Selfies Online
An unofficial site called UK Visa Portal—also operating as UK Visit and ETA-Pass and allegedly run by a UAE entity called Active Leadgen LLC—left at least 100,000 applicants' passports, selfies, and home-revealing photo metadata sitting in an Amazon bucket. When TechCrunch asked who was responsible, the company sent lawyers instead of an explanation.
Imagine paying a fee to what looks like a UK government immigration site, uploading your passport scan and a verification selfie, and then finding out the operator was a UAE-registered lead-generation company that dumped your documents into a misconfigured Amazon bucket reachable from any browser. That is exactly what happened to at least 100,000 visa applicants who used UK Visa Portal—a site styled to look official but unaffiliated with the UK government.
Key Takeaways
- At least 100,000 passports, verification selfies, and supporting documents from UK Visa Portal applicants were exposed in an unprotected Amazon storage bucket.
- The site, which also operates under the names UK Visit and ETA-Pass, is allegedly run by Active Leadgen LLC, a company registered in the United Arab Emirates with no UK government affiliation.
- Some uploaded selfies retained precise EXIF location metadata, in certain cases accurate enough to identify the applicant's home address.
- The exposed bucket was a backend Amazon storage repository where direct URLs to individual files were guessable; a bug on the front end leaked the full file listing.
- After TechCrunch published its report on May 26, 2026, the bucket was secured overnight, but the operator responded only through outside counsel at BakerHostetler and crisis firm FTI Consulting—not through any direct statement to affected users.
What Is UK Visa Portal and Who Runs It?
UK Visa Portal is not a UK government site. It is a privately operated commercial service that presents itself in a way that has caused at least some applicants to confuse it with the official GOV.UK immigration application path. The same operator runs the site under at least two other brand names, "UK Visit" and "ETA-Pass," all of which collect passport scans, selfies, and supporting documentation in exchange for a fee.
According to TechCrunch's investigation, the company behind the brands appears to be Active Leadgen LLC, a UAE-registered entity. The actual UK Electronic Travel Authorisation system, which handles ETA applications for visitors from visa-waiver countries, is operated by the UK Home Office through GOV.UK and never asks an applicant to pay through a third-party portal. Lead-generation operators of this type are common among immigration-adjacent services: they buy ads against terms like "UK visa application" and "UK ETA fee," capture the upload, and then either resell the lead, route the applicant to the real government site, or quietly forward the case to a partner agent.
How Were the Documents Exposed?
Two failures combined. First, the company's user-uploaded files lived in an Amazon-hosted storage bucket that did not list its contents publicly—but where any individual file could be fetched by its direct URL. Direct URLs are supposed to be unguessable. Second, a backend bug on the UK Visa Portal site itself leaked the full file listing of that bucket, turning what should have been an obscure store of personal documents into a browsable index. Once you have the listing, every URL is downloadable.
According to Cybernews' coverage, the same misconfiguration pattern has hit dozens of immigration-adjacent services in the last three years. The fix is trivial—proper bucket policies, randomized object keys, signed URLs with expiry. The recurrence suggests the problem is not technical knowledge but commercial incentive: the operators who run these sites do not pay the cost when a leak happens, because the affected applicants almost never find out.
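The "listing hidden, but every file fetchable by direct URL" state described above corresponds to a bucket policy that grants anonymous object reads without granting listing. The following check is an added example, not code from the article or the operator; it assumes S3-style bucket policy JSON, and the bucket name, account ID and role name are constructed placeholders.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policies; bucket name, account ID and role are placeholders.
WEAK = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-uploads/*"}]})
HARDENED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/upload-service"},
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-uploads/*"}]})

def _as_list(value):
    """Policy fields may hold a single value or a list of values."""
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. any unauthenticated caller."""
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"

def anonymous_grants(policy_json):
    """Read/list actions an unconditional Allow statement gives to anonymous callers.

    Narrow check: Deny statements, NotPrincipal/NotAction, ACLs and account-level
    public access settings are not evaluated, and conditional grants are skipped.
    """
    granted = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in ("s3:GetObject", "s3:ListBucket"):
                if fnmatchcase(action.lower(), str(pattern).lower()):
                    granted.add(action)
    return granted

def classify(policy_json):
    """Map the anonymous grants onto the exposure patterns the article describes."""
    granted = anonymous_grants(policy_json)
    if granted == {"s3:GetObject"}:
        return "objects fetchable by direct URL, listing hidden"
    if "s3:ListBucket" in granted:
        return "bucket listing public"
    return "no anonymous read access in policy"
```

A policy in the first category leaves object-key secrecy as the only control, which is why a leaked listing was enough to expose every file.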
Why Are the Selfies the Most Dangerous Part?
Passport scans are bad enough. They contain the document number, the holder's full name, date of birth, nationality, and the machine-readable zone that is sufficient to open a payday loan, a SIM contract, or a money-laundering account in many jurisdictions. But the selfies are worse, for an unintuitive reason: many phones embed GPS coordinates and orientation data into the EXIF metadata of a photograph at the moment it is taken, and TechCrunch found that some of the exposed selfies still carried that data.
EXIF location is often accurate to within a few meters. For an applicant who took the selfie inside their home—as most people do when they need to upload a verification photo on a deadline—those coordinates effectively reveal their home address. The leak therefore exposes not just identity documents but the precise geographic location where each applicant lives, which is exactly the data needed to escalate the breach into in-person scams, targeted harassment, or, for vulnerable applicants, surveillance by an estranged spouse, family, or hostile government.
Visa applicants are a particularly sensitive cohort. Among the people who apply for UK visas are dissidents, asylum seekers, family members of people in protected categories, and journalists working on stories that an originating country would prefer to suppress. For those people, an address leak is not an identity theft problem. It is a personal safety problem. The same risk pattern shows up in the recent Aura identity protection voice phishing breach, where data meant to protect consumers ended up exposing them.
Why Did the Company Send Lawyers Instead of a Statement?
When TechCrunch reached out for comment, the operator did not respond directly. Instead, attorneys from BakerHostetler and crisis communications representatives from FTI Consulting contacted the publication. The attorneys declined to provide proof of authorization to represent Active Leadgen LLC, did not commit to notifying affected users, and did not answer follow-up questions about how long the data had been exposed, the root cause, or whether access logs showed any unauthorized downloads.
This is a particular pattern. Outside breach counsel and a crisis comms firm get retained, applicants do not get notified, and the regulator-facing posture becomes "we are investigating" in perpetuity. The UK's Information Commissioner's Office (ICO) requires notification of personal data breaches within 72 hours of discovery, but the rule binds the data controller—in this case, whoever the ICO determines actually controls the Active Leadgen pipeline. With a UAE shell as the operator and no UK office to serve, enforcement gets slow.
What Should You Do If You Used an Unofficial Visa Site?
Six practical steps, in priority order:
- Report the passport as potentially compromised. Contact your issuing passport authority and ask what the procedure is for flagging the document for fraud monitoring. In the UK, that is HM Passport Office. For non-UK passports, follow your national authority's identity document fraud line.
- Watch for phishing that references your visa application. Scammers who buy this kind of leaked data will email you claiming to be from the Home Office, the FCDO, or "UK Visas and Immigration" with detail that looks real—your visa reference, your application date, even a selfie thumbnail. Treat any unsolicited message about your visa case as hostile until proven otherwise.
- Strip location metadata going forward. Before uploading any selfie to any commercial service, save it without EXIF data. iOS Photos can do this on share; on Android, the photo editor in Google Photos has a Remove Location option.
- Block tracking pixels in your inbox. Phishing operators with a verified email and a name will send follow-up lures with hidden pixels to confirm the address is live. Gblock blocks those invisible pixels before they fire, removing one of the key confirmation channels scammers depend on.
- Submit a complaint to the ICO. The UK Information Commissioner's Office accepts public complaints about data protection failures even when the controller is offshore, and the volume of complaints affects enforcement priority.
- Use GOV.UK directly next time. All UK immigration applications, including ETAs, can be filed through GOV.UK at the official fee. There is no legitimate scenario in which a third-party portal is required.
The Pattern Is Bigger Than One Site
The UK Visa Portal incident is one of many cases in which "official-looking" private immigration services have leaked applicant documents in the last twenty-four months, including one involving Docketwise immigration data. Each leak follows the same script: a lead-generation company collects passports and selfies, hosts them in an Amazon bucket with default settings, and either misconfigures access or accidentally publishes the listing. The applicants never find out unless a journalist or researcher discovers the exposure and the operator's legal team allows a public statement.
Until immigration-adjacent services are forced to meet the same standards as the government systems they pretend to be, the safest assumption is that anything uploaded to a non-government site about your visa case is downloadable by someone you would prefer did not have it.