en

Language

08 Jul 2026 in Identity fraud

Top 5 Biggest ID Verification Incidents of Q2 2026

Jan Stepnov

Identity Verification Expert

In our opinion, Q2 2026 showed how much risk collects around the evidence created by numerous identity checks. Now, of course, ID documents, biometric records, age decisions, account identifiers, and verification logs reduce risk at first — but then they become risk of their own when they are stored too loosely or trusted without enough session proof.

This so-called identity signal debt creates future responsibility and has the potential to turn into breach fuel.

In this breakdown of ID verification news, we cover five big incidents that may differ by sector, but expose the same operating problem: how identity signals are captured, checked, stored, reused, attacked, and explained later.

Subscribe

Subscribe to receive a bi-weekly blog digest from Regula

1. Instructure (Canvas): Unverified trusted accounts

What happened

Instructure’s Canvas platform became one of Q2’s loudest ID verification news after ShinyHunters claimed responsibility for stealing data and defacing Canvas login portals. Instructure said it detected unauthorized activity on April 29 and later took parts of Canvas offline while it investigated and restored service. 

Public reporting said the exposed data included names, email addresses, student ID numbers, and some private messages; Instructure said passwords, dates of birth, government identifiers, and financial information were not part of the confirmed data set.

Canvas hack extortion message

The incident became much more visible on May 7, when Canvas login pages at roughly 330 schools were defaced with an extortion message.

Instructure later said it had reached an agreement with the hackers to have the stolen data deleted, while also acknowledging that deletion could not be fully guaranteed.

Why it (likely) happened

The U.S. Department of Education’s Federal Student Aid office said Instructure had publicly confirmed that bad actors compromised Canvas through Free-for-Teacher accounts, a no-cost account type commonly used outside enterprise-managed environments. The FSA security alert mentioned the raised risk of accounts lacking MFA and urged schools to rotate integrations, SSO connectors, and API keys.

That makes it a trust-granting problem: education platforms need to know who can create classrooms, invite users, send messages, use integrations, and touch institutional data. When free or lightly reviewed accounts can reach product areas that users treat as trusted, account creation becomes part of the identity risk model.

What to do to avoid a similar case

  • Verify who can create trusted classrooms, workspaces, tenants, or review spaces, especially when those accounts can invite users or send messages.

  • Put stricter checks on free, self-service, or lightly reviewed account programs if they can touch institutional data, integrations, or shared login pages.

  • Watch account-creation paths for mass invites, unusual messaging, abnormal API use, or changes to visible login content.

2. Carnival Corporation: Social-engineered access

What happened

Carnival Corporation confirmed a breach affecting 5,995,277 people, according to public reporting based on the company’s filing with the Maine Attorney General. The company’s own substitute notice said an unauthorized actor used social engineering to deceive an employee and gain access to a limited part of its IT system. Carnival said it first determined on April 22 that personal information had been copied.

Reportedly exposed data included names, addresses, email addresses, phone numbers, dates of birth, and government-issued identification numbers such as passport and driver’s license numbers. BleepingComputer and other outlets linked the incident to the aforementioned ShinyHunters, which also claimed responsibility for several other large 2026 extortion attempts.

Why it (likely) happened

Carnival’s own notice points to staff-side social engineering as the entry route. The attacker did not need to pass as a passenger; they only needed employee access to a part of the IT estate that held passenger data.

That is important because staff permissions often live close to identity evidence. Support, booking, fraud review, and operations tools may expose passport numbers, document fields, verification status, case attachments, or bulk search results. If a staff account can reveal or export those fields, that account is part of the identity proof system.

What to do to avoid a similar case

  • Mask passport and driver’s license numbers by default in support, booking, and operations tools.

  • Require step-up staff authentication for identity-data exports, bulk searches, verification-status changes, and manual overrides.

  • Separate booking permissions from identity-evidence permissions, since many staff members need passenger context without full document fields.

3. France Titres (ANTS): Static data exposure

What happened

France Titres, the agency behind the ANTS portal for official documents and vehicle registration services, detected a security incident on April 15. The agency said the incident could have exposed data from individual and professional accounts on ants.gouv.fr. The official update listed possible fields such as login identifier, title, surname, first names, email address, date of birth, unique account identifier, and, in some cases, postal address, place of birth, and phone number.

A later update put the number of potentially concerned accounts at 11.7 million. The Ministry also said investigations at that stage excluded additional procedure files, attachments, and biometric data, and that the disclosed data did not allow illegitimate access to named accounts on the portal.

Why it (likely) happened

The ID verification risk comes from what the exposed data can do after it leaves an official portal. Names, birth dates, addresses, phone numbers, and account identifiers can make phishing or account recovery abuse more convincing, even when they do not give direct portal access.

The main lesson is that correct personal data may still be weak proof. For example, a date of birth can match the real person and still be widely exposed. That’s why static fields become less reliable when they have been copied from a trusted source and can be reused elsewhere.

What to do to avoid a similar case

  • Do not let static personal data carry account recovery or re-verification on its own, even when the data is correct.

  • Treat exposure through official-service portals as a reason for step-up checks during recovery, document resubmission, address changes, or payout setup.

  • Anchor higher-risk decisions in stronger proof: document authenticity, biometric binding, trusted capture, and account history.

4. Telegram: KYC bypass tooling

What happened

In April, reporting based on an MIT Technology Review investigation described a growing Telegram market for tools designed to bypass KYC facial checks. Biometric Update and other summaries said researchers identified public Telegram channels or groups selling virtual camera tools, stolen biometric data, deepfake media, and methods for defeating facial biometric checks used by financial institutions, crypto services, and payment apps.

This case is different from the others because it is not a single-company breach. It is better understood as a fraud-market story: KYC bypass is being packaged, advertised, and sold to people who do not need to build the tools themselves.

Why it (likely) happened

The most useful reported detail is the virtual camera method. Instead of using a live phone camera feed for a liveness check, a fraudster can try to substitute a video, image, deepfake, or other media source. That moves the attack before the verification decision, into the capture process itself.

That has a direct effect on how KYC teams should read biometric results. A clean face match has limited value if the camera feed was substituted. Liveness needs to resist injection and replay, not only printed-photo or screen attacks. Document, face, device, and session data need to be reviewed together because the mismatch between them may be the clearest warning.

What to do to avoid a similar case

  • Test onboarding against virtual cameras, injected video, emulators, remote-control tools, and app tampering, not only printed-photo attacks.

  • Treat face match and liveness as incomplete without capture-channel checks.

  • Give reviewers one case record containing document, biometric, device, and session results, so mismatches are visible.

5. Youngtek Solutions and First Time Videos: Absent age assurance

What happened

Ofcom’s Q2 age-assurance actions gave the quarter a strong regulatory close. In May, Ofcom fined Youngtek Solutions £600,000 in total: £500,000 for failing to use highly effective age assurance and £100,000 for failing to respond properly to a formal information request. Youngtek operated four adult sites and was found to have failed its duties under the UK Online Safety Act.

On June 19, Ofcom also fined First Time Videos LLC £80,000 for not having age checks in place. Ofcom said sites hosting pornographic material must use highly effective checks to determine whether a user is over 18.

Why it (likely) happened

The providers did not have age checks in place during the periods reviewed, and Youngtek also failed to respond to a formal request on time. In other words, the problem was both the missing control and the weak evidence posture around compliance.

This is why age assurance is so important: age is a vital identity attribute when it controls access to content, products, or actions. A self-declared birth date may be fine for low-risk personalization, but it will not carry much weight when a regulator expects highly effective age assurance and a timely response to requests.

What to do to avoid a similar case

  • Map restricted actions first, then assign the required age-proof method to each action.

  • Keep age-decision records with method, result, policy rule, timestamp, market, and exception status.

  • Avoid self-declared age where the legal duty expects highly effective age assurance.

Staying one step ahead: trust the evidence behind the result

Instructure / Canvas showed how weak trust in account creation can create problems far outside the original signup path.
Carnival showed how staff access can become a route to passenger identity data.
France Titres / ANTS showed why correct personal data can lose proof value after exposure.

Looking at these cases as a whole, it becomes evident that identity signal integrity has a lot of weight in modern ID verification. And equally critical is having robust ID verification solutions that can secure this integrity.

Regula IDV Platform, for example, can manage the user's lifecycle from onboarding to ongoing verification and re-verification, and keep enough history and control around the decision. 

In the context of this quarter’s incidents, the most relevant capabilities are:

  • Built-in checks plus identity orchestration and workflow management: document verification, biometric verification, liveness, age verification, AML screening, device, IP, geo, and session checks can run in one managed process.

  • Fraud and presentation attack resistance: verification can be strengthened against presentation attacks, camera injection, replay attempts, emulators, synthetic media, and other bypass techniques.

  • Risk-based routing: users can be sent through lighter or stricter workflows depending on the action, market, user history, device context, and quality of the submitted evidence.

  • Profile history for returning users and account recovery: documents, biometrics, attachments, device attributes, session data, and past verification events stay tied to the user profile.

  • Configurable verification process: businesses can choose which checks to include, from document verification and biometrics to manual review.

  • Privacy-conscious deployment and access control: on-premises and private-cloud deployment options, along with role-based and attribute-based access control, help customers keep sensitive data protected.

Curious about how Regula IDV Platform can help your business? Let’s talk!

Book Your Discovery Call

Let’s talk about making your ID verification faster, smarter, and fully integrated.

On our website, we use cookies to collect technical information. In particular, we process the IP address of your location to personalize the content of the site

Cookie Policy rules