Why You Should Never Post Your ID, Ticket or Boarding Pass Online

Category: Social Media Safety | Reading Time: 10 minutes

IN THIS ARTICLE

1. Why this feels harmless but is not

2. What information is hidden inside a boarding pass

3. What a stranger can do with your boarding pass data

4. Why posting your ID or passport is even more dangerous

5. Other documents people post without realising the risk

6. Real cases where this went wrong

7. What to do instead — safe ways to share travel moments

8. Frequently asked questions

You have just checked in for a flight. You are excited. You take a photo of your boarding pass and post it on social media with a caption about your upcoming trip. Millions of people do exactly this every single day.

What most of those people do not know is that the barcode or QR code printed on that boarding pass contains far more personal information than what is visible to the naked eye — and that anyone with a free app on their phone can extract every detail from it in under thirty seconds.

The Federal Trade Commission (FTC) warns that identity theft begins with small pieces of personal information — and that documents like boarding passes, identity cards, and tickets routinely contain enough detail to give a criminal a significant head start.

https://consumer.ftc.gov/identity-theft-and-online-security/identity-theft

The UK's Information Commissioner's Office (ICO) is equally direct in its online safety guidance, warning that once personal information is posted online you lose control of it entirely — and that this can pose a risk not just to your privacy but to your personal safety.

https://ico.org.uk/for-the-public/online/social-networking/

This article explains exactly what is at risk, why it matters, and what you can do to share your travel excitement without compromising your security.

Why This Feels Harmless but Is Not

Documents like boarding passes, event tickets, and identity cards look like pieces of paper with a few obvious details — your name, a flight number, a date. Most people assume that is all they contain.

In reality, these documents — particularly their barcodes and QR codes — are dense packages of encoded personal data. What is visible on the surface is only a fraction of what the document actually contains.

The UK's National Cyber Security Centre (NCSC) warns that criminals actively use information shared on social media to build profiles of their targets — and that reducing what personal information you make publicly available is one of the most effective steps you can take to reduce your exposure to phishing, identity theft, and fraud.

https://www.ncsc.gov.uk/collection/phishing-scams

The problem with posting these documents online is not simply that someone might see your name. It is that the combination of data encoded in the document — combined with what is already visible on your social media profile — gives a criminal enough information to cause serious harm.

What Information Is Hidden Inside a Boarding Pass

A boarding pass barcode looks like a meaningless pattern of lines or squares. But it contains a standardised package of data that anyone can decode using a free barcode scanner — no specialist knowledge required.

Cybersecurity researcher Brian Krebs documented this risk in detail after a reader decoded a friend's boarding pass barcode that had been posted publicly on social media. Using nothing more than a free online barcode reader, the reader was able to extract the following information from the barcode alone:

https://krebsonsecurity.com

The passenger's full name.

Their frequent flyer number.

Their booking reference number, also known as the Passenger Name Record or PNR.

Their seat number and class of travel.

Their complete itinerary including all connected flights.

Their contact details registered with the airline.

With the booking reference number and the passenger's surname — both encoded in the barcode — Krebs's reader was able to log into the airline's website and access the passenger's full account. From there they could see all future bookings on the account, change seat assignments, cancel flights, and potentially reset the account PIN.

CBS News reported on this research, confirming that the barcode data on a boarding pass is enough to give a stranger access to a passenger's travel account — and that this vulnerability exists on passes from major international carriers.

https://www.cbsnews.com/amp/news/information-on-boarding-pass-barcodes-poses-personal-security-risk

This is not a theoretical risk. It is a practical one that requires nothing more than a smartphone and thirty seconds.

What a Stranger Can Do With Your Boarding Pass Data

Once someone has your booking reference number and name — both of which are encoded in your boarding pass barcode — a range of harmful actions become possible.

Cancel or Modify Your Flight

Using the booking reference and your name, anyone can access your reservation through an airline's online check-in portal. They can change your seat to a less desirable one, downgrade your class of service, change the return flight date, or cancel the booking entirely. You may not discover this until you arrive at the airport.

Access Your Frequent Flyer Account

Your frequent flyer number, encoded in the barcode, combined with the booking reference can in some cases allow access to your loyalty account. Points accumulated over years of travel can be redeemed or transferred without your knowledge.

Gain Personal Contact Information

Airlines store contact details — phone numbers and email addresses — linked to each booking. This information, accessible through the booking reference, can be harvested and used for targeted phishing attacks, scam calls, and spam.

Build a Profile for Identity Theft

The combination of your full name, frequent flyer number, email address, travel itinerary, and date of birth — all potentially encoded in or associated with a booking — gives an identity thief significant material to work with. The FTC's identity theft guidance makes clear that criminals rarely need a complete set of documents to begin committing fraud — partial information is frequently enough to open accounts, make purchases, or commit fraud in a victim's name.

https://consumer.ftc.gov/identity-theft-and-online-security/identity-theft

Know Exactly When Your Home Is Empty

This is the risk most people overlook entirely. A boarding pass posted publicly tells anyone watching your social media not just where you are going, but when your home will be unoccupied. Combined with your location information on social media — your city, your neighbourhood, your home that has featured in the background of previous posts — it provides a precise window of opportunity for a physical break-in.

The NCSC specifically warns in its guidance for individuals that information shared on social media — including travel plans — can be used by criminals to plan targeted attacks, whether digital or physical.

https://www.ncsc.gov.uk/collection/defending-democracy/guidance-for-high-risk-individuals

Why Posting Your ID or Passport Is Even More Dangerous

If posting a boarding pass is risky, posting a photo of your identity card, driving licence, or passport is significantly more so.

These documents contain a concentration of personal information that identity thieves actively seek. A single photo of an identity document shared online can provide:

Your full legal name.

Your date of birth.

Your government identification number.

Your address.

Your physical description.

Your photograph.

Your document expiry date.

A machine-readable zone containing encoded personal data.

The ICO warns explicitly that personal information posted publicly online can be used in ways you did not intend and cannot control once shared — and that sensitive documents including identity papers warrant particularly careful handling.

https://ico.org.uk/for-the-public/online/social-networking

With the information on a single identity document, a criminal has enough to:

Apply for loans or credit in your name.

Open bank accounts using your identity.

File fraudulent tax returns to claim refunds.

Register a phone contract or utility account in your name.

Impersonate you in official communications.

The FTC reports that identity theft is one of the most commonly reported consumer crimes, with over a million reports filed annually — and that the theft of personal documents, whether physical or digital, is among the leading methods used to commit it.

https://consumer.ftc.gov/identity-theft-and-online-security/identity-theft

In India, the National Cyber Crime Reporting Portal regularly receives complaints of identity fraud originating from photos of identity documents that were shared on social media. Victims can report such fraud at cybercrime.gov.in or call the National Cyber Crime Helpline on 1930.

https://www.cybercrime.gov.in

Other Documents People Post Without Realising the Risk

Boarding passes and identity documents are the most commonly discussed examples — but they are far from the only ones. Other documents that people regularly post online, without realising the risk, include:

Event Tickets and Concert Tickets

Modern event tickets — including digital tickets — contain unique barcodes that are valid entry credentials. Posting a photo of a ticket barcode online can allow someone else to scan it and use it for entry before you do, leaving you locked out of an event you paid for.

Lottery Tickets and Scratch Cards

Lottery tickets contain a barcode and unique identifying numbers. Posting a photo of an unscanned winning ticket — even to share good news — allows anyone who sees it to attempt to claim the prize first.

Reward and Loyalty Cards

Loyalty card numbers and barcodes, posted online, can be used by others to redeem accumulated points. While the individual loss may seem small, the principle of protecting unique identifying numbers applies.

Prescription Labels and Medical Documents

Prescription labels contain your full name, address, doctor's details, and medication information. This data can be used for targeted fraud, particularly scams involving fake pharmaceutical products or insurance fraud.

Utility Bills and Bank Statements as Proof of Address

People sometimes post or share photos of utility bills and bank statements as proof of address for online transactions. These documents contain your full name, address, and account details — information that is extremely valuable for identity theft and should never be shared publicly.

Real Cases Where This Went Wrong

These are not hypothetical warnings. Documented cases confirm that this type of data exposure causes real harm.

Security researcher Brian Krebs documented the case of a person whose boarding pass was posted publicly on social media. A reader who came across the post used a free barcode scanner to access the person's full travel itinerary, frequent flyer account, and contact information — all without the original poster's knowledge. The full account is documented on Krebs's cybersecurity blog, which the cybersecurity community recognises as one of the most authoritative independent sources on real-world security incidents.

https://krebsonsecurity.com

Global News reported on security testing conducted at an international airport where researchers demonstrated how quickly and easily boarding pass barcodes could be decoded using a standard smartphone app. The researchers confirmed that the data extracted was sufficient to access airline accounts and modify travel reservations.

https://globalnews.ca/news/3927795/airline-boarding-pass-barcodes-can-pose-security-risk-to-passengers-expert

The FTC's identity theft database receives over a million reports annually, and documents shared on social media are consistently identified as a source of the personal information used by fraudsters to commit identity-related crimes.

https://consumer.ftc.gov/identity-theft-and-online-security/identity-theft

What to Do Instead — Safe Ways to Share Travel Moments

None of this means you cannot share your excitement about travel on social media. It means being selective about what you include in the photos you share.

Share After You Travel, Not Before

Posting holiday photos after you return home eliminates the risk of advertising an empty home to anyone watching. It also removes the risk of flight disruption from a stranger accessing your booking.

Crop or Cover the Barcode Before Posting

If you want to share a photo of your boarding pass or ticket, crop the image so that the barcode, QR code, and booking reference number are not visible. The visible details — your destination, the date, the airline — can be shared safely. The barcode must not appear in any photo posted publicly.

Never Share the Full Document

Even for photos shared only with friends or in private groups, avoid sharing the full, unedited document. Screenshots can be captured and reshared beyond your intended audience.

Review Your Privacy Settings

Confirm that posts containing any travel information are visible only to people you genuinely know and trust. The NCSC recommends reviewing privacy settings on all social media platforms regularly as a standard protective habit.

https://www.ncsc.gov.uk/collection/phishing-scams

Dispose of Physical Documents Properly

Physical boarding passes, tickets, and documents should be shredded — not simply thrown in a bin — before disposal. Brian Krebs specifically recommends shredding boarding passes, noting that the barcode is equally readable from a physical document found in a bin as from one photographed and posted online.

https://krebsonsecurity.com

Frequently Asked Questions

Can someone really decode a boarding pass barcode from a photo?

Yes. Free barcode and QR code scanner apps are available on every major app store. All that is needed is a clear photograph of the barcode. The decoding process takes seconds and requires no technical skill whatsoever.

What if I only shared the photo with friends and family?

Privacy settings on social media platforms can be changed, screenshots can be taken and reshared, and platforms themselves can experience data breaches. The ICO warns that once information is posted online, you cannot fully control what happens to it, regardless of the privacy settings you applied at the time of posting.

https://ico.org.uk/for-the-public/online/social-networking

Is it safe to share photos of tickets for events that have already passed?

The barcode on a past event ticket no longer has value as an entry credential — but it may still contain personal information including your name and booking details. As a general habit, it is safer not to share ticket barcodes publicly even after an event has taken place.

[H3] What should I do if I have already posted a boarding pass or ID document online?

Delete the post as quickly as possible. Log into your airline or travel account and change your password and PIN. If your government identity document was shared, monitor your financial accounts and credit report for unusual activity. In India, report any suspected identity fraud to cybercrime.gov.in or call 1930. In the US, report to the FTC at identitytheft.gov.

https://www.identitytheft.gov

Does this apply to digital boarding passes on my phone screen?

Yes. A screenshot of a digital boarding pass on your phone screen is just as risky as a photo of a printed one. The barcode is identical and equally decodable.

Is it safe to send a boarding pass photo to a family member privately?

Sending a photo privately to a trusted contact over an encrypted messaging platform carries lower risk than posting publicly. However, it is still best practice to crop out the barcode and booking reference number before sending, even in private messages — particularly on platforms that do not use end-to-end encryption.

Can this happen with QR codes on other documents?

Yes. QR codes on any document — tickets, loyalty cards, prescriptions, official letters — can be scanned and decoded. If a QR code appears on a document that relates to you personally, treat it with the same caution as a boarding pass barcode and do not share it publicly.

Related Articles

What Is "Social Engineering" and How Scammers Use It on You | CyberSafe

How to Identify a Phishing Email | CyberSafe

How to Report and Block Harassers on Social Media — A Complete Guide | CyberSafe

What Happens When You Sell Your Old Phone Without Wiping It | CyberSafe

The Bottom Line

A boarding pass, an identity document, or a ticket is not just a piece of paper or a digital image. It is a concentrated package of personal information that — in the wrong hands — can be used to cancel your flight, access your travel account, steal your identity, or signal to a criminal exactly when your home will be empty.

As the FTC, the ICO, the NCSC, and security researchers like Brian Krebs have all documented, the risk is real, it requires no specialist knowledge to exploit, and it begins the moment the image is posted.

The excitement of travel is absolutely worth sharing. Your boarding pass barcode is not.

Crop the barcode. Share after you return. Shred the physical document. And share this article with anyone who regularly posts travel documents online — because most people do not know the risk until it is too late.