Your passport information may be exposed on the internet if you used this app

The leak exposed passports, identity photos and other sensitive data on unprotected public links.

The year's most unusual security breach didn't come from a bank or a government agency. It came, absurd as it sounds, from an app for managing cannabis club memberships. Nearly 985,000 official identification documents, including passports, driver's licenses and identification photographs, were exposed at public Internet URLs without any password, encryption or access restriction.

The discovery was made by security researcher Sammy Azdoufal, who, while analyzing the PuffPal app (developed by the Irish company Nefos Solutions and used by cannabis clubs, mainly in Spain), found that users' identity images were stored at predictable and completely open web addresses.

As journalist Sean Hollister of The Verge described it, all you had to do was type a few characters into a browser to find yourself face to face with a German woman's passport, a Spanish man's ID photo, or the front and back of someone's driver's license. No keys. No access tokens. No barrier of any kind. If someone sent you the link, you could view a stranger's passport as easily as opening any other web page.

The technical error that made it possible

The cause of the disaster was neither a sophisticated hack nor a social engineering attack. It was something much more basic and, for that reason, much more shameful. Azdoufal found that Nefos' backend system, called CCS Nube, addressed users with sequential, predictable numbers and applied no access control at all to the stored files. In his own words: "There was no authentication token, no session cookie, no API key." In security terms this is a textbook insecure direct object reference: once one document URL is known, every other one can be reached simply by changing the number.
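To make the failure concrete, here is an added example. It is not Nefos' code (nothing about CCS Nube's actual implementation is known beyond what the researcher reported) and it uses only constructed names and sample entries. It contrasts a document endpoint addressed by a sequential integer with no authorization check against a hardened version that uses unguessable object ids, checks ownership before issuing a link, and serves files only through short-lived HMAC-signed URLs.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# --- Vulnerable design (constructed sample): sequential ids, no authorization ---
# Anyone who knows one URL can walk the whole id space: /images/1, /images/2, ...
VULNERABLE_DOCS = {
    1: ("alice", "alice_passport_front.jpg"),
    2: ("bob", "bob_id_photo.jpg"),
    3: ("carol", "carol_licence_back.jpg"),
}


def vulnerable_fetch(doc_id: int) -> Optional[str]:
    """Serves any stored document to anyone who supplies its number."""
    entry = VULNERABLE_DOCS.get(doc_id)
    return entry[1] if entry else None


def enumerate_vulnerable(max_id: int) -> list:
    """What an attacker (or a researcher) does: iterate ids and keep the hits."""
    return [i for i in range(1, max_id + 1) if vulnerable_fetch(i) is not None]


# --- Hardened design: random ids, ownership check, expiring signed URLs ---
# Assumed to come from a secret store in a real deployment, never from app code.
SIGNING_KEY = secrets.token_bytes(32)
SECURE_DOCS: dict = {}  # object_id -> (owner, filename)


def store_document(owner: str, filename: str) -> str:
    """Returns a 128-bit random object id; guessing it is infeasible."""
    object_id = secrets.token_urlsafe(16)
    SECURE_DOCS[object_id] = (owner, filename)
    return object_id


def _mac(object_id: str, expires: int) -> str:
    msg = f"{object_id}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_url(object_id: str, requester: str, ttl: int = 300, now: Optional[int] = None) -> str:
    """Issues a short-lived link only after checking that the requester owns the object."""
    owner, _ = SECURE_DOCS[object_id]  # KeyError for an unknown id is acceptable here
    if owner != requester:
        raise PermissionError("requester does not own this document")
    expires = (int(time.time()) if now is None else now) + ttl
    return f"/docs/{object_id}?" + urlencode({"expires": expires, "sig": _mac(object_id, expires)})


def serve_signed(url: str, now: Optional[int] = None) -> Optional[str]:
    """Serves the file only if the URL carries a valid, unexpired signature."""
    parsed = urlparse(url)
    object_id = parsed.path.rsplit("/", 1)[-1]
    params = parse_qs(parsed.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return None
    if (int(time.time()) if now is None else now) > expires:
        return None  # link expired
    if not hmac.compare_digest(_mac(object_id, expires), sig):
        return None  # tampered id or expiry, or a forged signature
    entry = SECURE_DOCS.get(object_id)
    return entry[1] if entry else None


if __name__ == "__main__":
    print("enumerable ids:", enumerate_vulnerable(10))
    oid = store_document("alice", "alice_passport_front.jpg")
    link = sign_url(oid, "alice", now=1_000_000)
    print("served:", serve_signed(link, now=1_000_100))
    print("after expiry:", serve_signed(link, now=1_000_400))
```

The key design point is that the hardened path never trusts the identifier in the URL on its own: the random id prevents enumeration, the ownership check happens when the link is issued, and the signature plus expiry means a shared or logged link stops working after a few minutes. A real deployment would do the same with the object storage's own pre-signed URL feature and a per-request session check rather than this in-memory store.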

To make matters worse, the researcher also found a Stripe secret key stored in plain text inside the PuffPal app's code, which would have allowed anyone with minimal knowledge to access user payments directly. The platform's administration portal was exposed on the public web and protected with passwords so weak that a modern GPU would have cracked them in minutes. This was not a vulnerability hidden deep in the system. It was a door left wide open.
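A check for the embedded-key problem, as an added example that is neither Nefos' code nor Stripe's tooling: a small scanner over strings extracted from an app bundle that flags Stripe secret (sk_) and restricted (rk_) keys while ignoring publishable (pk_) keys, which are designed to be shipped in clients. The sample strings, and every key in them, are constructed placeholders.

```python
import re
from typing import List, Tuple

# Constructed sample: lines as they might be pulled out of a mobile or web app
# bundle with strings(1) or a decompiler. Every key below is a fabricated placeholder.
SAMPLE_STRINGS = [
    'const API_BASE = "https://api.example.invalid/v1";',
    'Stripe.setPublishableKey("pk_live_ExamplePublishableKeyAAAAAAAAAAAA");',
    'const stripe = require("stripe")("sk_live_ExampleSecretKeyMustNeverShipBBBB");',
    'STRIPE_TEST = "sk_test_ExampleTestSecretKeyCCCCCCCCCCCC"',
    'session_key = "not_a_stripe_key_at_all"',
]

# Stripe prefixes: pk_ = publishable (meant for clients), sk_ = secret,
# rk_ = restricted. Only sk_ and rk_ in a client bundle are findings.
SECRET_PATTERNS = [
    ("stripe_secret_key", re.compile(r"\bsk_(live|test)_[0-9A-Za-z]{16,}\b")),
    ("stripe_restricted_key", re.compile(r"\brk_(live|test)_[0-9A-Za-z]{16,}\b")),
]


def redact(token: str) -> str:
    """Keep the prefix and last four characters so the report is useful but is not itself a leak."""
    head = token[: token.index("_", 3) + 1]  # e.g. 'sk_live_'
    return f"{head}...{token[-4:]}"


def scan(lines) -> List[Tuple[int, str, str, str]]:
    """Returns (line_no, kind, severity, redacted_token) for each embedded secret found."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for kind, pattern in SECRET_PATTERNS:
            for match in pattern.finditer(line):
                # A live-mode key can move real money; a test-mode key is still a bad sign.
                severity = "critical" if match.group(1) == "live" else "medium"
                findings.append((line_no, kind, severity, redact(match.group(0))))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_STRINGS):
        print(finding)
```

Run the same function over the output of `strings` on an APK, IPA or JavaScript bundle before release; a live secret key should only ever live on the server side, loaded from a secret store, and any key that has shipped in a client must be treated as compromised and rotated.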

The reach was enormous. The breach is estimated to have affected members in more than 40 countries, including some 30,000 US citizens. Spain was the most affected country, followed by South Africa with more than 88,000 people exposed. Most disturbingly, while the data remained open, approximately 5,000 new documents were being added every day.

What Nefos did (and didn't do) when notified

This is where the story gets even more uncomfortable. According to reports, Azdoufal discovered the vulnerability in April 2026 and sent the company four emails over 26 days without receiving any response. Only the prospect of an article in The Verge finally moved Nefos to act.

The company's response was clumsy and contradictory. It first closed access to the images, then reopened it on June 4 because some clubs complained that they could no longer see their members' photos. Not until June 10 was the platform completely blocked, when Nefos decided to shut down the entire PuffPal system and part ways with the provider that had developed it.

Co-founder Andreas Nilsen publicly acknowledged that fines are coming, given that the European Union's General Data Protection Regulation (GDPR) requires such incidents to be reported to the supervisory authority within 72 hours of the company becoming aware of them.

The real implications for those who were exposed

Having your data in a hacked database is already serious. But having your passport, your verification selfie and your cannabis use history sitting at a public URL without a password is a nightmare scenario with very concrete consequences.

Identity theft is the most immediate risk. With a passport and a photograph, a criminal can open bank accounts, apply for credit, register companies or even cross borders with falsified documentation. But there is an additional layer of vulnerability in this particular case: the leaked data includes not only people's identities but also their record of using a controlled substance.

The combination of an official document, a photograph and a record of cannabis consumption is, as analysts of the case described it, "an explosive cocktail for extortion and identity theft that can last for years."

What this incident made evident is a structural problem that repeats over and over in the technology industry: companies that collect sensitive data to comply with legal requirements do not always have the capacity, or the will, to protect it adequately. Age verification is mandatory in regulated cannabis markets in Europe, but that legal obligation is not accompanied by minimum technical standards for storing the documents collected. The result is that thousands of people who simply followed the rules to access a legal service now have their most sensitive data floating around the internet.

This case is not the first of its kind in the cannabis industry. In 2020, the company THSuite exposed the data of 30,000 US customers in an unsecured Amazon Web Services storage bucket.

In 2025, the Stiiizy brand suffered a breach that compromised the passports and photographs of more than 420,000 customers. The industry has been accumulating incidents of this kind for years without any of them producing a real change in security practices. The question left on the table is simple and has very complicated answers: how many more breaches are needed before companies treat identity data with the seriousness it deserves?

This news has been taken from authentic news syndicates and agencies and only the wording has been changed, keeping the meaning intact. We have not done personal research yet and do not guarantee complete genuineness, and request you to verify from other sources too.
