Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

European Volleyball Org’s Azure Bucket Exposed Reporter Passports

European Volleyball Org’s Azure Bucket Exposed Reporter Passports

A publicly exposed cloud storage bucket was found to contain images of hundreds of passports and identity documents belonging to journalists and volleyball players from around the world.

These sensitive documents were hosted on a Microsoft Azure blob storage share that was publicly accessible to anyone.

Further investigation by BleepingComputer revealed that the source of the leak was Confédération Européenne de Volleyball (CEV), or European Volleyball Confederation.

Researcher spots exposed Azure storage blob

In November 2020, cyber threat intelligence researcher Bob Diachenko came across a publicly exposed online Azure storage blob that contained hundreds of image scans showing passports and identity documents.

On researching the names present on these ID documents, Diachenko could identify prominent journalists and media representatives who had likely submitted these scans as a part of some “accreditation” process.

Also Read: 5 Common Sections in an Agreement Form Example

Researcher identifies journalists from ID documents exposed by an Azure storage blob
Source: Twitter

BleepingComputer reached out to Diachenko and learned that the location of the exposed storage share was:

This URL contained thousands of headshot images of volleyball players from Europe, Russia, and other countries in both the ‘backup‘ directory and an ‘AccreditationPhotos‘ subfolder.

Also present in the backup directory was a documents folder that contained scans of passports, driver licenses, and identity documents belonging to sports journalists and volleyball players.

Links to these images were soon indexed by GrayhatWarfare, a search engine that captures publicly visible buckets.

Headshots of volleyball sportspeople in the publicly exposed backup storage indexed by GrayhatWarfare
Source: BleepingComputer

Images traced back to European Volleyball Confederation (CEV)

BleepingComputer analyzed hundreds of files present within these directories, including the exposed player headshots and identity documents.

Reverse-image searches for headshots revealed that these well-known European volleyball players were either directly associated with CEV or were part of a volleyball team or federation affiliated with the CEV.

BleepingComputer also found some of CEV’s assets in the bucket, such as branding images with CEV logos on them.

Further, to confirm our findings, we contacted multiple journalists and sportspeople whose identity documents were being exposed online on this Azure blob.

In all cases, BleepingComputer received a positive affirmation from the media representatives and sportspeople that they had indeed submitted their documents to CEV.

“I get my credentials for covering Volley Ball Olympic game qualifications with CEV,” Ludovic Piedtenu, a correspondent of Radio France in Germany, told BleepingComputer.

On seeing the image of the scan, Piedtenu confirmed that it was indeed a copy of his passport that he had submitted to CEV to get his press credentials so he could cover games in Berlin between January 5th and January 10th, 2020.

Also Read: Limiting Location Data Exposure: 8 Best Practices

“Indeed I was accredited in some CEV events, most recently in January in Berlin for Olympic volleyball qualification and as far as I remember I had to provide details of my ID in order to get the accreditation card,” Tomas Kohlmann, a Czech Republic-based sports reporter told BleepingComputer.

“I didn’t give my passport to anyone. Only the CEV and the embassies of [Schengen countries],” a third source told BleepingComputer.

CEV does have an online Media Club accreditation system, which enables media representatives and journalists to register and upload their identity documents for verification.

On reviewing the HTML source code of CEV’s Media Club Accreditation System webpages, BleepingComputer noticed links to the exposed accreditationstorage blob were present on these pages, further confirming the bucket was indeed linked to CEV [12].

Source code of CEV’s Media Club pages has links to the exposed blob to load images
Source: BleepingComputer

CEV silent for months, quietly removes files

After having sufficient confirmation that the publicly exposed “backup” storage bucket was linked to CEV, BleepingComputer reached out to CEV multiple times to report the leak.

BleepingComputer firstreached out to CEV on November 24th, 2020 (the same day of Diachenko’s tweet) via email and on their “out of hours” press helpline, but we did not hear back.

We tried contacting CEV the following day but still did not hear back.

Through December, we continued to reach out to different CEV departments, key personnel via email and LinkedIn, and former employees to inform the organization about the leak without any success.

Finally, on December 11th, we received an acknowledgment from CEV’s legal department that they were investigating the issue, but within five minutes, the sender had recalled their message.

It remains unclear when and how the publicly exposed bucket closed, but as of January 29th, 2021, the links within the backup folder are no longer accessible, as observed by BleepingComputer.

Further, attempting to navigate to via the Microsoft Azure Storage Explorer application now throws an authentication error, “Server failed to authenticate the request. Please refer to the information in the www-authenticate header.”

CEV “accreditationstorage” bucket removes the “backup” folder and now requires authentication
Source: BleepingComputer

All of this indicates the bucket and the sensitive files contained were secured and are no longer publicly accessible.

However, cases of exposed cloud storage buckets leaking sensitive data have occurred time and time again.

Last year, another unsecured Azure blob belonging to a Cayman Islands investment firm exposed identity and financial documents.

In late 2019, BleepingComputer reported millions of Lion Air passenger records being exposed through buckets were exchanged on forums.

When storing sensitive data and backups in cloud storage buckets and blobs, it is mandatory that proper permissions be configured and to cross-check if these assets could be accessed publicly.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us