About a million passports and photo IDs were left unprotected online


Typing a few letters and numbers into my browser, I find myself looking at strangers' documents. A German girl's passport. The passport of a Spanish man with glasses pushed up on his head. The front and back of someone's driver's license, with his rather ugly face.

They were all sitting unsecured on public URLs, with no passwords or access controls of any kind. If I sent you a link, you could look at someone's passport.

“We have to act as quickly as possible, because people will find this and sell it again. It will destroy,” Sammy Azdoufal told me in May.

Azdoufal is a security researcher who used Claude Code to help work out that every DJI Romo robot vacuum and a million baby monitors and security cameras were embarrassingly easy to hack. This time, he says he found more than 985,000 IDs sitting online for any halfway-competent hacker to steal.

If you have visited a cannabis club in Spain, Azdoufal says, chances are your photo ID was among them, and perhaps your phone number, address, favorite types of marijuana, and how much you consumed each month while you were there. The database holds visitors from all over the world, including 30,000 from the United States, and famous people too, Azdoufal says: "They have famous people. People who don't want anyone to know they smoke weed."

Here is a quick look at the users Azdoufal's automated tool was able to see, along with the names of some clubs:

Photo: Sammy Azdoufal

It is not the clubs themselves that left these documents unprotected. An Irish company called Cannabis Club Systems (CCS), also known as Nefos Solutions, develops and supplies the software these clubs use for sales, accounting, and admissions, including the check-in system where receptionists upload your ID and your selfie to the Nefos cloud.

Traditionally, you had to present a photo ID every time you wanted to enter a club. But with the check-in system, the host can pull up your encrypted documents and check whether your face matches. There is also an optional app called PuffPal that lets clubs scan a QR code for quick entry.

But when Azdoufal hacked the PuffPal app, he explains in his report, he found that Nefos did not have nearly enough protection. He found the private key for the Stripe payment platform embedded in the app in plain text. He realized he could pull up any member's profile by changing a single number. If the records included their phone number, home address, passport, and weed preferences, he could now retrieve them.

Then he discovered that passports, driver's licenses, and photo IDs were stored on public URLs as simple as this: https://ccsnubev2.com/v8/images/_{club}/ID/{user_id}-front.jpg

Those clubs were uploading 5,000 new IDs to these insecure URLs every day, Azdoufal tells me.

He also discovered a public web portal, and that cannabis clubs had weak security on their accounts, using passwords that could be cracked in minutes with a modern GPU. Private chats between clubs and members through the PuffPal app were exposed as well.

The good news: almost a month after we reached out to Nefos, the company appears to be taking action. It says it is shutting down the entire PuffPal system and the vulnerable APIs until they are fixed; in Azdoufal's latest test on June 10, passport photos and personal information appeared to be secure. Nefos has also notified the authorities, and says it will take responsibility for the repairs, pay any fines, and inform users of what happened.

In a phone interview, Nefos co-founder Andreas Nilsen said the company will contact Ireland's Data Protection Commission (DPC) about the data breach, a fact DPC spokesperson Evan O'Leary confirmed to us via email. "We need to contact everyone who may be exposed," Nilsen told me, saying he hoped the DPC could show his company how to do that properly. Nilsen says there is currently no evidence that anyone outside the company other than Azdoufal obtained this information.

But it took a long time for Nefos to treat this as a serious threat. The company only responded five days after Azdoufal reached out, and only once a news story was looming. Then Nefos began patching the holes gradually rather than risk disrupting its business.

I had planned to write this article at the beginning of June, when Azdoufal told me that Nefos had locked down the passport photos. But on June 4, I surprised Azdoufal by showing him that his passport was online again, without any security.

That's because Nefos hadn't stopped cannabis clubs from using the PuffPal app, and the clubs were complaining that the locked images weren't showing up in their systems, so Nefos simply reopened the images. Although Nilsen says the images have been locked "70 percent of the time" since Azdoufal and I got in touch, it's clear that Nefos chose to prioritize its customers over the threat.

On June 9th, Azdoufal discovered that even though Nefos had blocked passport photos, photo IDs and badges, everything else in user profiles was still easily accessible: passport numbers, phone numbers, email addresses, home addresses, everything.

All a hacker had to do was type “curl -X POST https://ccsnubev2.com/v8/api/userProfile.php -d "user_id=(NUMBER)&(CLUB NAME)=test&language=en"” on the command line, and the servers would freely hand over personal information. When we reported this back to Nefos, the company closed it off.
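Both exposures described above (the predictable {user_id}-front.jpg image URLs and the userProfile.php lookups by user number) leave the same trace a defender can look for: one client walking through consecutive IDs. The script below is an added example, not code from the article or from Nefos, and runs that check over constructed sample log lines in Apache combined format; the paths follow the URL pattern quoted in the article, and the client addresses and IDs are made up.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined format); not real Nefos traffic.
# 203.0.113.5 walks consecutive user_ids, the pattern the article describes;
# 198.51.100.9 fetches one member's front and back image, as a receptionist would.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Jun/2025:10:00:01 +0000] "GET /v8/images/_clubA/ID/1001-front.jpg HTTP/1.1" 200 51200
203.0.113.5 - - [04/Jun/2025:10:00:02 +0000] "GET /v8/images/_clubA/ID/1002-front.jpg HTTP/1.1" 200 48900
203.0.113.5 - - [04/Jun/2025:10:00:03 +0000] "GET /v8/images/_clubA/ID/1003-front.jpg HTTP/1.1" 200 50100
203.0.113.5 - - [04/Jun/2025:10:00:04 +0000] "GET /v8/images/_clubA/ID/1004-front.jpg HTTP/1.1" 200 49700
203.0.113.5 - - [04/Jun/2025:10:00:05 +0000] "POST /v8/api/userProfile.php HTTP/1.1" 200 812
198.51.100.9 - - [04/Jun/2025:10:01:00 +0000] "GET /v8/images/_clubB/ID/7781-front.jpg HTTP/1.1" 200 50300
198.51.100.9 - - [04/Jun/2025:10:01:02 +0000] "GET /v8/images/_clubB/ID/7781-back.jpg HTTP/1.1" 200 47000
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')
# The ID-image path pattern from the article: /v8/images/_{club}/ID/{user_id}-front.jpg
ID_IMAGE_RE = re.compile(r'^/v8/images/_[^/]+/ID/(\d+)-(?:front|back)\.jpg$')


def parse_log(text):
    """Yield (client, method, path, status) for each parseable log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))


def find_id_enumeration(text, min_ids=3, max_spread=2.0):
    """Return {client: sorted user_ids} for clients that fetched at least min_ids
    distinct ID images whose numbers form a dense range (spread no more than
    max_spread times the count). A receptionist opens one member at a time; an
    enumerator walks the id space. The userProfile.php lookups carry user_id in
    the POST body, which access logs do not record, so the image paths are the signal."""
    ids_by_client = defaultdict(set)
    for client, method, path, status in parse_log(text):
        m = ID_IMAGE_RE.match(path)
        if m and method == "GET" and status == 200:
            ids_by_client[client].add(int(m.group(1)))
    flagged = {}
    for client, ids in ids_by_client.items():
        if len(ids) >= min_ids and (max(ids) - min(ids) + 1) <= max_spread * len(ids):
            flagged[client] = sorted(ids)
    return flagged


if __name__ == "__main__":
    for client, ids in find_id_enumeration(SAMPLE_LOG).items():
        print(f"{client}: {len(ids)} distinct IDs, {ids[0]}..{ids[-1]}")
```

The thresholds are assumptions to tune against real traffic; the same per-client counting applies to a server-side audit log of profile lookups once user_id is recorded there.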

But how careless can a company be? "I don't want to blame others because at the end of the day they are with us," says Nilsen. But he points the finger at 9Series, the outsourcing company he says was responsible for developing the PuffPal app and building all the insecure APIs it used to pull data from the Nefos user database. (9Series had not responded by press time.)

Now that PuffPal is down, Nefos is emailing each club to let them know that their members can't use QR codes to check in, but clubs can still pull IDs from Nefos' servers after scanning a member's RFID card or typing in their phone number, among other options.

Nilsen says his company will not bring back the unprotected PuffPal even if clubs ask. "We will tell them we can't," he says. "We will make sure, after the debate, that this has been verified by an independent researcher and confirmed that this is 100 percent safe." Nefos is parting ways with 9Series, he says, and hopes to have new software within a few months.

Nilsen says he knows that under EU law his company was legally required to disclose the breach within 72 hours or face a large fine, which the company did not do. "I'm sure we're going to get some kind of punishment," Nilsen says.

Last month, a website called the UK Visa Portal similarly exposed at least 100,000 passports to anyone who could guess a link. We hope this is a wake-up call.
