A Fake UK Visa Site Left 100,000 Passports and Selfies Exposed Online, Then Threatened to Sue the Reporter

TechCrunch was able to verify the authenticity of the leak by contacting several individuals whose personal data was found among the exposed records, confirming that the documents matched real applications . The scale of the incident was immense: at least 100,000 sensitive documents were believed to be vulnerable .

Who Was Behind UK Visa Portal?

The website operated as a completely independent commercial service with no affiliation to the Home Office or GOV.UK . It was reportedly operated by Active Leadgen LLC, a company registered in the United Arab Emirates . The platform charged fees to assist users with UK Electronic Travel Authorisations (ETAs) and other immigration-related applications—processes that can often be completed by users directly on GOV.UK for free or at a much lower cost .

The site also lacked an essential feature of any platform handling such sensitive information: a proper point of contact or bug-reporting mechanism for reporting security issues . This absence likely extended the time the data remained exposed, as there was no easy way for researchers or users to flag the problem.

The Company’s Response: Legal Threats Over Remediation

The most controversial aspect of the incident was how the company chose to act—or rather, not act—once the problem was uncovered. When TechCrunch reached out to alert the company and prepared to publish its findings, the report indicated that UK Visa Portal had not fixed the security lapse at the time of publication .

Instead of immediately securing the exposed servers and issuing a public disclosure or user notification, the operator took a different route. Reports confirmed that Active Leadgen LLC dispatched legal representatives in an apparent attempt to threaten TechCrunch over the publication of the story . The bucket was only secured overnight hours after TechCrunch’s story went live—not before publication, and not in response to the ethical disclosure .

Implications and Risks for Victims

The exposed data set created a serious risk of identity theft and fraud. By combining high-resolution passport scans with verification selfies and potentially GPS metadata, malicious actors could potentially use the data to conduct financial fraud, open accounts, or carry out social engineering attacks . Because many victims had little reason to suspect they were using a non-government service, the exposure came as a shock. The official UK government channel for visa applications remains GOV.UK, and this incident serves as a stark reminder to scrutinize third-party services that request highly sensitive identity documents.