• broodbucket 10 hours ago

    The story is a lot more enjoyable in conference talk form than written form imo https://www.youtube.com/watch?v=lijyQ_HAysA

    • Bilal_io 11 hours ago

      I believe this is the same story covered by Darknet Diaries. Very interesting story. https://darknetdiaries.com/episode/84/

      • tomhow 10 hours ago

        Previously:

        Finding a former Australian prime minister’s passport number on Instagram (2020) - https://news.ycombinator.com/item?id=34966909 - Feb 2023 (41 comments)

        When you browse Instagram and find Tony Abbott's passport number - https://news.ycombinator.com/item?id=24488224 - Sept 2020 (340 comments)

        • ethan_smith 9 hours ago

          Despite being from 2020, this vulnerability persists in 2025 with many airlines still exposing sensitive data on boarding passes and luggage tags, making "don't post your boarding pass" still relevant security advice.

          • gen6acd60af an hour ago

            >Despite being from 2020, this vulnerability persists in 2025 with many airlines still exposing

            What is the "vulnerability" by the "airlines" here?

          • bawolff 9 hours ago

            How sensitive is a passport number actually? At first glance it seems like it should be, but is it actually? I honestly don't know.

            • selcuka 9 hours ago

              Online systems sometimes use it as an indicator to prove your identity. When combined with other sensitive data it can be useful for an identity thief.

              Edit: The blog post also mentions this:

              https://mango.pdf.zone/finding-former-australian-prime-minis...

              • moralestapia 9 hours ago

                Can you provide just one example of said systems?

                • selcuka 9 hours ago
                  • crazylogger 5 hours ago

                    US I-94: https://i94.cbp.dhs.gov/search/history-search

                    Knowing the passport number + name + birthday gives you access to someone's US travel history.

                    • bawolff 3 hours ago

                      Well that is terrifying.

                      • djtango an hour ago

                        This reminds me of some tech journo who lost all his iCloud photos, including all his photos and videos of his newborn, because some script kiddies wanted to pwn him and steal his Twitter handle.

                        They basically used a series of escalation of seemingly innocuous personal data to eventually take over everything.

                        IIRC they somehow got his last 4 credit card digits from Amazon, then used that to get through the Apple account recovery flow; from there they then had his entire keychain.

                        So "what is a passport number really used for" is like that but on steroids.

                        I also recall someone's daily life turned into a nightmare because someone successfully socially engineered their power company and maybe phone company to generally harass them. So while I also have no intuition for why or how a passport number is sensitive, I rationally know better and am very careful about even how I discard old boarding passes etc.

                        EDIT: also worth adding that as a foreigner/non-native my passport number is also often used in place of a social security number.

                    • throwaway422432 9 hours ago

                      Look up Australia's 100 point proof of identity which is used by Gov and most corporate entities in Australia.

                      A passport is a primary document (equivalent to a birth certificate) and gives you 60-70 points. It can't be used alone, but in conjunction with another ID (forged or stolen) it would allow for identity theft.

                      • kelnos 6 hours ago

                        Presumably you have to present a physical passport, though, for it to count toward those 100 points. The question was what you can do with just the passport number.

                      • phs318u 8 hours ago

                        Understanding that Australia doesn't have a Social Security ID (as the US does), might explain why passports play a similar role with respect to "proof of identity".

                        • iamthemonster 5 hours ago

                          In Australia you start with a birth certificate and photo, and that leads to passport and driving licence. The three of those are the holy trinity of ID (though you'd very rarely be asked for your birth certificate).

                          With passport and driving licence, you can do anything you want, but at least they are photo ID with some anti-forgery features.

                          The time to steal someone's identity is before they get their first driver's licence and passport!

                          • bigDinosaur 8 hours ago

                            The Australian Tax File Number is presumably more similar to the Social Security ID? Millions of Australians don't have a passport. You don't need one for much - it's perhaps the easiest way of verifying citizenship if you already have one but not the only way.

                            • throwaway422432 7 hours ago

                              You would only have a TFN if you are working and potentially paying tax. So generally anyone under 16 would not have one.

                              Closest might be a Medicare card, which gives you access to free/discounted public health and can be used as part of identification. Usually children are on their parents' card.

                              Driver's licence is also a primary identifier, and students can use their school student ID.

                          • dafelst 8 hours ago

                            There is an example in the article.

                            • SchemaLoad 8 hours ago

                              Pretty sure you can use one to sign up for a phone number in Aus.

                              • soulofmischief 8 hours ago

                                Wait hold on, you have to apply for phone numbers in Australia? You can't just grab a burner from Walmart?

                                • josephg 6 hours ago

                                  I don't want to bake your noodle, but we also don't have any Walmarts here. Not even one.

                                  • blitzar 4 hours ago

                                    Where do you buy your guns, ammo and American flags?

                                  • SchemaLoad 8 hours ago

                                    Yes, every phone number gets linked to an ID. You can grab a SIM from the supermarket, but when you plug it in you've got to activate it, which requires ID.

                                    • soulofmischief 7 hours ago

                                      I'm so sorry. Australia is such a draconian nanny state, hell-bent on surveillance and authoritarian control.

                                      It always reminds me a lot of here in the US: Incredible land, a vast ecology, great history and subcultures, and some truly amazing people unfortunately drowned out by a staggeringly large population of loud morons who seem hellbent on voting in the worst possible people to run the whole thing, people who often couldn't care less about the things that make their country truly great, while leaning heavily on populism and deception as a means to retain power.

                                      I wouldn't be surprised if the US eventually requires ID for phone numbers, either, the way things have been going.

                                      • josephg 6 hours ago

                                        Aussie here. It seems fine though?

                                        Like, "buy a burner phone and go off-grid, where nobody knows your name" isn't something I've ever wanted. That's a cowboy dream. It's not really an Australian dream. It's certainly not something I've ever wanted. I want to live my life with a competent government and competent police force that - for the most part - I can trust to do the right thing. So long as it's not abused, I'm ok with a court order being able to coerce my email provider into giving the police access to my emails. As I understand it, almost all of these requests happen because of crimes. I want the police to solve crimes. Judges here aren't elected. They're mostly retired lawyers trying to do the right thing. I want to trust them. And - I think - for the most part we can.

                                        I lived in Melbourne during the pandemic. Our whole state got shut down hard for months. I can't tell you how weird it was seeing news of protests in NY on our behalf. Like, that's so sweet of you. And so stupid. And so unwelcome. Locals overwhelmingly supported what our state premier, Dan Andrews, was trying (and failing) to do. In the next state election, most of the other parties barely bothered campaigning because Dan was so popular.

                                        I get that lots of Americans think of Australia sort of like a weird extra state. But we're not. We have our own country, our own values, our own culture and our own, super boring constitution. You can see who we are plain as day in this blog post - where eventually Tony Abbott (think Bill Clinton or Obama) calls up the blog post writer on the phone and asks him for tech advice, and admits he doesn't understand anything about computers. That's the Australian way.

                                        Americans having hot opinions about Australian politics is like Russians having hot opinions about American politics. Even when I agree with you on the details (and I sort of do), it's a bit weird and creepy.

                                        • codedokode 3 hours ago

                                          Criminals will find a way to work around this. In Russia the SIM card must be linked to the passport, but criminals still manage to make calls and not get caught. I also often buy accounts on the black market in order to not provide my data.

                                          • josephg 2 hours ago

                                            Smart, well prepared criminals will find a way around this. But most criminals aren't both smart and well prepared.

                                        • mdhb 5 hours ago

                                          I’ve genuinely never once met an Australian who wouldn’t laugh in your face if you were to read that statement to them and ask if they would prefer to live in the US.

                                        • throwaway422432 7 hours ago

                                          Fun fact.

                                          I once bought a very cheap Optus phone just to use for work 2FA (might have been PingID). Never registered it but it could still authenticate via the Optus cell network using a lower level transport protocol. Meant I could use 2FA with no wifi connection and the phone in airplane mode to conserve battery.

                              • jampa 8 hours ago

                                Reading the "Why is it bad for someone else to have your passport number?" is scary, especially since when traveling to countries like Spain and Italy, every Airbnb / Hotel requires you to send a picture of your passport. Japanese stores take your passport stamp picture for their tax-free, which contains the number on the page. Some embassies even take your passport for a few days before returning it with the visa.

                                Why do we treat passport numbers as passwords instead of a login?

                                • ncruces 4 hours ago

                                  > especially since when traveling to countries like Spain and Italy, every Airbnb / Hotel requires you to send a picture of your passport.

                                  They're required to; it's part of the in-person hotel check-in process to require showing photo ID and registering all guests with the local police department.

                                  If you're a foreigner and would rather use a service where in-person check-in is impractical, they'll naturally ask for a photo to meet their legal obligations.

                                  • raron 5 hours ago

                                    > Why do we treat passport numbers as passwords instead of a login?

                                    Because some stupid people thought that photos of passports have any security / validity (including banks, brokerage firms). Interestingly none of them would accept photos of cash as payment though.

                                    • creakingstairs 7 hours ago

                                      I once checked in at a pretty decent hotel in India and realised that they reused customers' passport scans and invoices to print wifi coupons! I strongly complained, but I don't really know if they've changed.

                                      • bigbacaloa 2 hours ago

                                        [dead]

                                      • moneywaters 8 hours ago

                                        Also a security tip: the mosaic he used in the picture is not a safe way to hide sensitive data, especially one that has movement, like in the GIF where he is scrolling down; the mosaic changes and gives more data to reconstruct the original. The safe way is to fully black out, but be wary of non-plain-colour, almost-opaque marker tools: it could look like a blackout, but playing with contrast will still reveal the data.
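An added illustration of the redaction point above (not code from the thread or from the blog post): a small pre-posting self-check that treats a redacted region as safe only when it contains a single grey level, and shows why a block mosaic or a 97%-opaque "marker" fails that check. The image, box and function names are constructed for this example; grayscale images are rows of 0-255 ints and boxes are (x0, y0, x1, y1) with exclusive ends.

```python
# Constructed sample: a 6x5 grayscale "document" with a dark glyph on white.
SECRET = [
    [255, 255, 255, 255, 255, 255],
    [255,   0,   0, 255,   0, 255],
    [255,   0, 255, 255,   0, 255],
    [255,   0,   0, 255,   0, 255],
    [255, 255, 255, 255, 255, 255],
]
BOX = (0, 0, 6, 5)  # region we intend to redact (whole image here)

def crop(img, box):
    x0, y0, x1, y1 = box
    return [row[x0:x1] for row in img[y0:y1]]

def blackout(img, box):
    """Replace every pixel in the box with solid black: nothing survives."""
    x0, y0, x1, y1 = box
    return [[0 if x0 <= x < x1 and y0 <= y < y1 else v
             for x, v in enumerate(row)] for y, row in enumerate(img)]

def marker(img, box, opacity):
    """Simulate a 'black' marker that is not fully opaque: the original value
    survives, scaled down, in the low bits of every covered pixel."""
    x0, y0, x1, y1 = box
    return [[round(v * (1 - opacity)) if x0 <= x < x1 and y0 <= y < y1 else v
             for x, v in enumerate(row)] for y, row in enumerate(img)]

def mosaic(img, box, block):
    """Replace each block x block tile in the box with its mean (pixelation).
    The tile means are lossy, but they still carry information about the text."""
    x0, y0, x1, y1 = box
    out = [row[:] for row in img]
    for by in range(y0, y1, block):
        for bx in range(x0, x1, block):
            ys, xs = range(by, min(by + block, y1)), range(bx, min(bx + block, x1))
            mean = round(sum(img[y][x] for y in ys for x in xs) / (len(ys) * len(xs)))
            for y in ys:
                for x in xs:
                    out[y][x] = mean
    return out

def contrast_stretch(region):
    """Map the region's min..max onto 0..255. The map is monotone, so any
    variation left in a 'redacted' area becomes fully visible again."""
    flat = [v for row in region for v in row]
    lo, hi = min(flat), max(flat)
    if hi == lo:
        return [[0] * len(row) for row in region]
    return [[round((v - lo) * 255 / (hi - lo)) for v in row] for row in region]

def redaction_residual(img, box):
    """Number of distinct grey levels inside the box: 1 means a true blackout."""
    return len({v for row in crop(img, box) for v in row})

def is_safely_redacted(img, box):
    return redaction_residual(img, box) == 1

if __name__ == "__main__":
    leaky = marker(SECRET, BOX, 0.97)
    print("marker residual levels:", redaction_residual(leaky, BOX))
    for row in contrast_stretch(crop(leaky, BOX)):  # the glyph comes back
        print("".join("#" if v == 0 else "." for v in row))
    print("mosaic residual levels:", redaction_residual(mosaic(SECRET, BOX, 2), BOX))
    print("blackout safe:", is_safely_redacted(blackout(SECRET, BOX), BOX))
```

Running it prints the glyph recovered from the marker-covered image by contrast stretching alone, while the blackout passes the check.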

                                        • blitzar 4 hours ago

                                          Also a security tip, don't publicly post inane and pointless things to the internet, no matter how humbly you want to brag about being on an airplane.

                                        • protocolture 11 hours ago

                                          I love this blog post. It's a classic.

                                          • mmvora 3 hours ago

                                            It's a challenge to make things easy to use whilst keeping them secure enough. The fact that all I need is a PNR to cancel your flight is insane.

                                            • undefined 3 hours ago
                                              [deleted]
                                              • undefined 11 hours ago
                                                [deleted]
                                                • coffeecoders 10 hours ago

                                                  Love the humor. I am a fan of Alex's writing style!

                                                  • LorenDB 9 hours ago

                                                    It's a shame he apparently no longer blogs. His posts are gold.

                                                    • ViscountPenguin 9 hours ago

                                                      They/them based on their socials (and iirc, I think that's what they went by at Crikeycon) https://x.com/mangopdf

                                                      • gschizas an hour ago

                                                        > Born January 1, 1970

                                                        Lol. That's _so_ in character

                                                        • 4gotunameagain 2 hours ago

                                                          [flagged]

                                                    • petesergeant 9 hours ago

                                                      > Based on advice I got from two independent lawyers that was definitely not legal advice: I haven’t done a crime.

                                                      I will trust his lawyers are right _for Australia only_ (although I have my doubts, and would love to see their reasoning), but in the UK this feels like a clear breach of the Computer Misuse Act[0], and I can't recommend enough that you don't do this.

                                                      0: https://www.legislation.gov.uk/ukpga/1990/18/section/1

                                                      • oytis an hour ago

                                                        Same in Germany. Just accessing data you are not supposed to access is a crime, regardless of whether you used the data in any illegal ways.

                                                      • imarkphillips 8 hours ago

                                                        What a great story teller! Well done Alex.

                                                        • rao-d 8 hours ago

                                                          Love it

                                                          • santoshalper 11 hours ago

                                                            Really interesting, but the writing was so bad I had to bail out halfway through.

                                                            • Bjartr 9 hours ago

                                                              I think it was all written for the thing it was trying to be. Which is a casual humorous take on the journey this person went through with a little tech education sprinkled in. Any more formal or sophisticated and it would've lost some of the casual humor and been less an interesting journey. But did so in a way much less aggravating than what qualifies for a food recipe these days.

                                                              • tomhow 10 hours ago

                                                                > I had to bail out halfway through

                                                                Telling us you didn't read the article is exactly the kind of unsubstantive comment we don't want on HN. The comments thread is for people who did read the article and have something to say about the content.

                                                                This kind of comment breaks the guidelines particularly these ones:

                                                                Be kind. Don't be snarky. Converse curiously...

                                                                Don't be curmudgeonly. Thoughtful criticism is fine, but please don't be rigidly or generically negative.

                                                                Please don't fulminate. Please don't sneer....

                                                                Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize. Assume good faith.

                                                                Please don't post shallow dismissals, especially of other people's work. A good critical comment teaches us something.

                                                                Please don't complain that a submission is inappropriate. If a story is spam or off-topic, flag it. Don't feed egregious comments by replying; flag them instead. If you flag, please don't also comment that you did.

                                                                Please don't complain about tangential annoyances—e.g. article or website formats, name collisions, or back-button breakage. They're too common to be interesting.

                                                                Please take a moment to remind yourself of the guidelines and make an effort to observe them in future.

                                                                https://news.ycombinator.com/newsguidelines.html

                                                                • milesrout 9 hours ago

                                                                  [dead]

                                                                  • CAPSLOCKSSTUCK 10 hours ago

                                                                    Who asked?

                                                                    • decimalenough 9 hours ago

                                                                      tomhow is a HN moderator.

                                                                      • undefined 9 hours ago
                                                                        [deleted]
                                                                    • causal 11 hours ago

                                                                      I enjoy the meandering style, but it did become a little long because of the meandering; glad I skipped ahead instead of just closing, though.

                                                                      • undefined 11 hours ago
                                                                        [deleted]
                                                                        • undefined 11 hours ago
                                                                          [deleted]
                                                                        • zkmon 4 hours ago

                                                                          Earth revolves around the Sun? Let's see. In a twin-star system, which one is going around the other? Let's make one of them have higher mass. Did the heavier one completely stop going around, or does it still wobble a bit? That wobble means the heavier one is still going around their common center of mass. Also, since there is no static fixed point in space, the interpretation of the movement of Sun and Earth could be very subjective to the reference frame selected. There is nothing wrong if someone wants to consider Earth as that fixed point for some arbitrary local reference frame. In fact, a lot of calculations that matter to human life on Earth require that.