A Fintech App Left 360,000 Selfies on an Open Server for 5 Years
Quick take: A Canadian money transfer app called Duc stored over 360,000 customer KYC files - selfies, passport scans, driver's licenses, and spreadsheets with home addresses - on an unprotected Amazon S3 server. No password, no encryption, publicly accessible since September 2020. Security researcher Anurag Sen found it in early April 2026 and reported it through TechCrunch. If you've ever uploaded a selfie to verify your identity on any fintech, dating, or crypto app, this is worth reading. Platforms like Viallo - a private photo sharing platform - don't require identity verification to use, which means they never collect this kind of data in the first place.

What happened with the Duc app
Duc is a money transfer app built by a Toronto-based company called Duales. It lets users send money internationally. Like most fintech apps, it requires KYC (Know Your Customer) verification before you can use the service. That means uploading a government ID and a selfie proving you're the person on the ID.
Security researcher Anurag Sen of CyPeace discovered in early April 2026 that Duc had been storing all of that verification data on an Amazon S3 bucket with no password protection and no encryption. Anyone with the URL could access every file. Sen reported the exposure to TechCrunch, who contacted Duc's CEO. The company secured the server after TechCrunch reached out.
Canada's Office of the Privacy Commissioner is now investigating. The files had been accumulating on the open server since September 2020 - nearly six years of customer identity documents sitting on the public internet.
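The misconfiguration described above, a storage bucket that anyone can read without credentials, comes down to a handful of settings that can be checked mechanically. What follows is an added example written for this article, not code from Duc, Viallo or AWS: it audits an S3 bucket's Public Access Block, ACL, bucket policy and default encryption for the public-exposure pattern the text describes. S3 has no "password" as such; "no password protection" in practice means these controls were never set. The bucket name, account ID and role name are constructed placeholders, and the two sample configurations are constructed to match the shape of boto3's get_public_access_block, get_bucket_acl, get_bucket_policy and get_bucket_encryption responses, so the same functions can be pointed at real output. Nothing here calls AWS.

```python
"""Offline audit of an S3 bucket's exposure settings (added example)."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def policy_public_statements(policy_doc):
    """Allow statements open to any principal with no Condition narrowing them."""
    if not policy_doc:
        return []
    if isinstance(policy_doc, str):  # get_bucket_policy()["Policy"] is a JSON string
        policy_doc = json.loads(policy_doc)
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return [s for s in statements
            if s.get("Effect") == "Allow"
            and _principal_is_public(s.get("Principal"))
            and not s.get("Condition")]


def acl_public_grants(acl):
    """ACL grants to the AllUsers or AuthenticatedUsers groups."""
    grants = (acl or {}).get("Grants", [])
    return [g for g in grants
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)]


def audit_bucket(name, public_access_block, acl, policy_doc, encryption):
    """Return a list of findings; an empty list means no public path was found."""
    findings = []
    pab = public_access_block or {}
    missing = [k for k in PAB_KEYS if not pab.get(k)]
    if missing:
        findings.append(f"{name}: public access block incomplete ({', '.join(missing)} not set)")
    for g in acl_public_grants(acl):
        group = g["Grantee"]["URI"].rsplit("/", 1)[-1]
        findings.append(f"{name}: ACL grants {g['Permission']} to {group}")
    for s in policy_public_statements(policy_doc):
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        findings.append(f"{name}: bucket policy allows {', '.join(actions)} to any principal"
                        f" (Sid={s.get('Sid', '?')})")
    if not encryption:
        findings.append(f"{name}: no default server-side encryption configured")
    return findings


# Constructed sample 1: the pattern the article describes, no access controls
# and no encryption. Bucket name and IDs are made up, not Duc's.
EXPOSED_BUCKET = {
    "name": "example-kyc-uploads",
    "public_access_block": None,
    "acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ]},
    "policy_doc": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-kyc-uploads/*"},
    ]}),
    "encryption": None,
}

# Constructed sample 2: the hardened configuration. The Deny statement uses
# Principal "*" but is not a public grant, so it must not be flagged.
HARDENED_BUCKET = {
    "name": "example-kyc-uploads",
    "public_access_block": dict.fromkeys(PAB_KEYS, True),
    "acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
    ]},
    "policy_doc": {"Version": "2012-10-17", "Statement": [
        {"Sid": "KycServiceOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/kyc-service"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-kyc-uploads/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-kyc-uploads/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]},
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
}

if __name__ == "__main__":
    for bucket in (EXPOSED_BUCKET, HARDENED_BUCKET):
        print("\n".join(audit_bucket(**bucket)) or f"{bucket['name']}: no findings")
```

On a real account you would replace the two constructed dicts with the responses from the corresponding boto3 calls for each bucket in the account (get_bucket_policy and get_bucket_encryption raise when nothing is configured, which maps to `None` here). The first sample produces four findings, one per missing control; the second produces none. Bucket-level settings are not the whole story: individual objects can carry their own public ACLs unless BlockPublicAcls and IgnorePublicAcls are on, which is why the check treats an incomplete Public Access Block as a finding in its own right.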
What was actually exposed
The exposed server contained over 360,000 files. This wasn't a partial leak or a metadata exposure. It was the full identity verification package for every customer who signed up:
- Government-issued IDs - driver's licenses, passports, and national ID cards with full names, dates of birth, ID numbers, and photos.
- KYC selfies - photos users took to prove their likeness matched their ID document. These are high-resolution face images.
- Spreadsheets - files containing customer names, home addresses, and transaction details.
- Daily uploads - new files were being added daily, meaning the exposure grew every single day it remained open.
This is identity theft in a box. A government ID paired with a matching selfie is exactly what you need to open bank accounts, apply for loans, or pass verification checks on other platforms. The data was unencrypted and publicly accessible for roughly five and a half years.

The verification selfie problem
Duc is a small app, but the pattern is universal. Every fintech app, every crypto exchange, every dating app with age verification, every gig economy platform - they all ask for the same thing. Upload your ID. Take a selfie. Sometimes hold a piece of paper with today's date. The onboarding flow takes two minutes, and then your most sensitive biometric data lives on someone's server forever.
Is it safe to upload a selfie for verification? The honest answer is that it depends entirely on the company's security practices, and you have almost no way to evaluate those before you hand over the data. Duc's S3 bucket had no password. That's not a sophisticated attack - it's the digital equivalent of leaving filing cabinets on the sidewalk. And it went unnoticed for five years.
Coinbase, Revolut, Wise, Binance, Uber, and dozens of other platforms hold millions of verification selfies. Some use third-party KYC providers like Jumio or Onfido. Others handle it in-house. The quality of their security varies wildly, and the only time you find out is when something goes wrong.
Why non-photo platforms are often worse at protecting photos
Here's something that doesn't get discussed enough. When you upload a selfie to a fintech app, you're giving photos to a company whose core competence is moving money, not handling images. Their engineering team optimized for transaction speed, compliance reporting, and payment processing. Photo storage security is an afterthought.
Viallo is a private photo sharing platform built specifically around photo storage, with end-to-end encryption, EU-based servers under GDPR, and no third-party AI processing. Compare that to a money transfer startup that bolted on an S3 bucket to hold verification photos and never configured access controls. The priorities are fundamentally different.
Google Photos and Apple iCloud have had their own security incidents, but at least photo handling is part of their core product. When a fintech app collects your selfie, they're storing a data type they never built infrastructure to protect. The vendor breach pattern makes this worse - many of these companies outsource KYC processing to third parties, adding another link in the chain where your face data can leak.
How to protect your photos when apps demand them
You can't always avoid verification selfies. Regulations require them for financial services in most countries. But you can reduce your exposure:
- Ask what happens after verification. Some platforms delete your ID and selfie after verifying your identity. Others keep them indefinitely. If the privacy policy doesn't say, assume they keep everything.
- Use platforms that don't require it. Not every service needs your face. Photo sharing, messaging, and social apps that demand ID verification for basic functionality are collecting more than they need. Choose services with minimal data collection when possible.
- Check for third-party KYC providers. If the app uses Jumio, Onfido, or another verification vendor, your data is being shared with that company too. Research their track record.
- Request deletion after verification. Under GDPR and Canada's PIPEDA, you have the right to request deletion of personal data that's no longer necessary for the original purpose. If you're already verified, ask them to delete your selfie and ID scan.
- Don't reuse the same selfie. If a platform is breached, a unique selfie limits how that image can be used to impersonate you elsewhere.
The broader principle is simple: every photo you upload to any platform is data you're trusting someone else to protect. The less sensitive data you scatter across services, the smaller your exposure when - not if - one of them fails. For a deeper look at how to audit your photo sharing habits, read our photo sharing privacy guide.

What this means for how you share photos
The Duc exposure is extreme, but the underlying problem isn't rare. Companies collect photos they don't have the infrastructure to protect. They store them longer than necessary. They misconfigure access controls. And because verification selfies aren't the product - they're just an onboarding step - they get the lowest priority in security audits.
This should change how you think about every photo you upload, not just verification selfies. When you share family photos through WhatsApp, they sit on Meta's servers. When you back up to Google Photos, those images feed recommendation algorithms and may be used for AI training. Every platform that holds your photos has a different security posture, a different retention policy, and a different set of incentives for how they use your data.
The safest approach is to be intentional about where your photos live. Use platforms built for photo privacy when sharing personal images. Keep verification selfies separate from your personal photo library. And assume that any photo you upload to any service could eventually become public - because for 360,000 Duc customers, that's exactly what happened.
Frequently Asked Questions
What is the best way to share photos privately without uploading ID?
Use a platform designed for private photo sharing that doesn't require identity verification. Viallo lets you create password-protected albums and share with specific people without ever asking for a selfie or government ID. Apple's Shared Photo Library is another option, but it's limited to iCloud users and maxes out at six participants. Over 80% of photo sharing platforms don't require ID verification for basic functionality.
How do I delete my verification selfie after an app has verified me?
Contact the app's support team and request deletion of your KYC documents under your applicable privacy law - GDPR in Europe, PIPEDA in Canada, or CCPA in California. Viallo never collects verification selfies or government IDs, so there's nothing to delete. Some fintech apps like Revolut let you submit deletion requests through their in-app privacy settings, though response times vary. Under GDPR, companies must respond within 30 days.
Is it safe to upload a selfie for identity verification?
It depends entirely on the company's security practices, which you can't verify before uploading. The Duc breach showed that even basic protections like password-protecting a storage bucket aren't guaranteed. If a service doesn't need your face to function - like Viallo, which works without any identity verification - don't give it. For services that legally require KYC, check whether they use established providers like Jumio or Onfido and whether they delete your data after verification. The 360,000 files in the Duc exposure had been accumulating since September 2020.
What is the difference between KYC verification and photo sharing privacy?
KYC verification collects identity documents and biometric selfies to confirm who you are - it's required by financial regulations. Photo sharing privacy is about controlling who sees your personal photos and how they're stored. Viallo focuses on the second category with encrypted EU storage and no data sharing with third parties. Google Photos handles both poorly - it doesn't require KYC but still scans your photos for ad targeting and AI training. The Duc breach is specifically a KYC failure, but it highlights risks that apply to any platform holding your photos.
Can someone steal my identity with just a verification selfie?
Yes, especially when paired with a matching government ID - which is exactly what the Duc exposure included. A selfie plus a passport or driver's license is enough to pass identity verification on many platforms, open bank accounts, or apply for credit. Viallo avoids this risk entirely by never collecting identity documents or biometric data. If your verification selfie has been exposed, place a fraud alert with your national credit bureau and monitor your accounts. The FBI's IC3 reported identity theft losses exceeding $10 billion in 2023.