One Million Passport Records Reported Leaked Online From Cannabis-Club App

Identity-data exposures continue at scale. A cannabis-club membership platform reportedly left nearly a million passports and ID photos reachable on the open internet with no password — a consumer-notification story for the week.


Key Takeaways

  • Security publications reported on or around June 28, 2026 that a backend platform serving cannabis social clubs — CCS Nube, tied to the PuffPal membership app and operated by the company Nefos — left more than a million member records and roughly 985,000 identity-document photographs reachable on the public internet with no authentication, according to a researcher's disclosure amplified by Schneier on Security.
  • Researcher Sammy Azdoufal reported counting 1,082,680 member records and 923,543 passport or national-ID numbers stored at predictable, unauthenticated URLs, alongside home addresses, phone numbers and dates of birth; the figures come from a single researcher write-up corroborated by mainstream reporting rather than from an official disclosure.
  • Nefos has confirmed it is in contact with Ireland's Data Protection Commission and acknowledged it did not report the exposure within the 72-hour window that Article 33 of the EU's GDPR sets for notifying the supervisory authority, putting consumer notification and regulatory follow-up, not a sophisticated intrusion, at the center of the story.

DUBLIN — Security publications on or around June 28, 2026 reported that a software platform used to manage membership of cannabis social clubs left more than a million member records — including roughly 985,000 photographs of identity documents and some 923,000 passport or national-ID numbers — reachable on the open internet with no password, according to a researcher's disclosure that was amplified by Bruce Schneier's widely read security blog. The originating service was identified as CCS Nube, a backend tied to the PuffPal membership app and operated by the company Nefos. The exposure was characterized as a misconfiguration rather than a sophisticated intrusion: the records, reporting indicates, sat at predictable web addresses that returned full profiles to anyone who sent a basic request.

The account is, at this stage, a consumer-notification and regulatory-follow-up story rather than a confirmed breach with attribution. The figures originate from a single researcher's technical write-up, corroborated by mainstream technology reporting, and the most consequential downstream questions, who gets notified, by whom, and on what timeline, remain in motion. It lands alongside a run of recent identity-document exposures The CyberSignal has tracked, from a UK visa portal that spilled applicants' passports and selfies to a prison phone-service vendor that exposed 300,000 drivers' licenses.

At a Glance

What: Reported exposure of passport and ID-document records on the open internet
Scale: 1,082,680 member records; ~985,000 ID photographs; ~923,000 passport/national-ID numbers (per researcher)
Originating source: CCS Nube backend tied to the PuffPal cannabis-club app, operated by Nefos
Country: Members across multiple countries; Nefos is Ireland-based; clubs operate across Europe
MRZ included: Not confirmed
Authority response: Nefos in contact with Ireland's Data Protection Commission; missed GDPR 72-hour window
Status: Reported via researcher disclosure; consumer notification pending

What the Publication Documented

The thread was picked up by Schneier on Security, which framed the episode in a single observation: "a high-value credential — a passport — was used in an ancillary low-value authentication system: ID verification for cannabis dispensaries. And it's the low-value system that got hacked, putting the high-value credential at risk." Schneier's post pointed onward to the underlying technical disclosure, a researcher write-up published to GitHub by Sammy Azdoufal, a French security researcher who said he discovered the exposed records after joining a cannabis social club in Barcelona and decompiling the club's app.

According to that disclosure, the backend platform — identified as CCS Nube and tied to the PuffPal membership app operated by the company Nefos — assigned members sequential identification numbers and returned full member profiles to anyone who sent a basic web request. The researcher reported counting 1,082,680 member records, roughly 923,543 passport or national-ID numbers, and 985,841 identity-document photographs, all stored at predictable, unauthenticated web addresses. Profiles were said to also include home addresses, phone numbers, dates of birth and consumption-related details.

Several characterizations in the account remain at the level of a single researcher's analysis corroborated by mainstream reporting, rather than an official, fully audited disclosure. The CyberSignal is therefore describing the counts and mechanics as reported. What is not in dispute is the shape of the failure as documented: identity documents collected for an age- and membership-verification purpose were, according to the disclosure, reachable without any access control — the kind of exposure that turns a record count into a notification obligation.

Consumer-Notification Awareness

For the people whose documents were reportedly exposed, the practical question is notification, and that is where the account becomes a consumer-facing story rather than a purely technical one. Nefos has acknowledged, in comments reported by mainstream technology press, that it is in contact with Ireland's Data Protection Commission and that it intends to communicate with everyone potentially affected. The company has also conceded that it did not report the exposure within the 72-hour window the EU's General Data Protection Regulation sets for notifying the supervisory authority (Article 33). The separate duty to tell affected individuals (Article 34) applies when a breach is likely to put them at high risk and runs "without undue delay" rather than on a fixed clock; a late regulator notice is a gap that itself shapes how and when affected members learn what happened.

Individuals who used a cannabis-club membership app that relied on uploading a passport or national ID should treat this as a prompt to stay alert for direct notification from the operator and to monitor for misuse of the specific document they submitted. Where a passport image and number are exposed together, the durable risk is identity impersonation and document fraud rather than a quick password reset; the mitigations — vigilance against fraudulent applications opened in one's name, and, where a jurisdiction allows, requesting a replacement document — are slower and more deliberate than the steps that follow a leaked password.

The broader awareness point is that identity-document exposures rarely arrive with a clean, centralized notification. When the holder of the data is a small operator rather than a major institution, affected people may first hear about an exposure through press coverage — as here — rather than through a letter. That dynamic is precisely why a consumer-notification framing matters: it shifts attention from the headline number to the concrete obligation to inform a million individuals, across multiple countries, that a document tied to their identity was reportedly left in the open.

Sector-Advisory Implications for Identity-Data Exposures

The structural lesson here is one that runs through a growing list of identity-data incidents: collecting a high-assurance credential for a low-stakes purpose concentrates risk in whoever ends up storing it. A cannabis social club needs to confirm that a prospective member is an adult; a passport scan is an exceptionally heavyweight way to answer that question, and once collected it becomes a liability that must be defended to a far higher standard than the underlying transaction warrants.

This pattern is not unique to one sector. The CyberSignal has documented a steady cadence of exposures in which identity documents collected for verification became the loss — a UK visa portal that left applicants' passports and selfies reachable, a prison phone-service vendor that exposed roughly 300,000 drivers' licenses, and a hospital system that exposed 1.8 million biometric fingerprint records. The common thread is that the most sensitive data is often held not by the organization a consumer thinks they are dealing with, but by a third-party platform or vendor several steps removed.

For organizations that build or buy identity-verification systems, the advisory reading is conventional but worth restating against this case: minimize what is retained after a check completes, place authentication and per-record authorization in front of any store of identity documents, avoid predictable or sequential identifiers that let an enumerator walk a dataset, and treat document images as among the highest-sensitivity assets in the estate. The reported failure mode here, sequential IDs returning full profiles at unauthenticated URLs, is the classic insecure direct object reference (broken object-level authorization) pattern, and it is exactly the kind of design choice a security review is meant to catch before a million records accumulate behind it.
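The pattern the disclosure describes and the corrections listed in the paragraph above, as an added example that is not code from Nefos, CCS Nube or PuffPal: a member-lookup handler that serves full profiles at sequential, unauthenticated URLs, beside a hardened version that requires a session, enforces record ownership, exposes only HMAC-derived identifiers that cannot be walked, and retains the outcome of the document check rather than the document itself. The paths, field names, sample records and the per-deployment secret are constructed assumptions; the enumeration helper shows why the first handler leaks and the second does not.

```python
# Added example (not Nefos/CCS Nube/PuffPal code). Paths, field names, the
# sample dataset and the _ID_KEY secret are all constructed for illustration.
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample records in the shape the disclosure describes (no real data).
MEMBERS = {
    1: {"name": "Member One", "dob": "1990-01-01", "address": "1 Example St",
        "doc_number": "P0000001", "doc_image": "docs/1.jpg"},
    2: {"name": "Member Two", "dob": "1985-06-15", "address": "2 Example St",
        "doc_number": "P0000002", "doc_image": "docs/2.jpg"},
    3: {"name": "Member Three", "dob": "1978-11-30", "address": "3 Example St",
        "doc_number": "P0000003", "doc_image": "docs/3.jpg"},
}


@dataclass
class Request:
    path: str
    session_user: Optional[int] = None   # member id bound to a valid session, or None
    is_staff: bool = False


def vulnerable_lookup(req: Request):
    """GET /members/<n>: sequential id, no session check, no ownership check,
    and the full stored profile (document number and image path) is returned."""
    prefix = "/members/"
    if not req.path.startswith(prefix):
        return 404, None
    try:
        member_id = int(req.path[len(prefix):])
    except ValueError:
        return 404, None
    if member_id not in MEMBERS:
        return 404, None
    return 200, MEMBERS[member_id]


def walk_ids(handler, start: int, stop: int):
    """Walk ids the way an enumerator would; returns the ids that yielded a 200."""
    found = []
    for i in range(start, stop):
        status, _ = handler(Request(path=f"/members/{i}"))
        if status == 200:
            found.append(i)
    return found


# --- Hardened version -------------------------------------------------------
# 1. Public identifiers are keyed-HMAC tokens, so they cannot be guessed or walked.
# 2. A valid session is required, and the caller must own the record or be staff.
# 3. The document is not retained after verification; only the outcome is.
_ID_KEY = secrets.token_bytes(32)          # per-deployment secret (assumed)


def public_id(member_id: int) -> str:
    return hmac.new(_ID_KEY, str(member_id).encode(), "sha256").hexdigest()[:32]


_PUBLIC_TO_INTERNAL = {public_id(i): i for i in MEMBERS}

# What a minimized store keeps once the age check has completed: no image, no number.
VERIFIED = {i: {"name": m["name"], "age_verified": True, "verified_on": "2026-06-01"}
            for i, m in MEMBERS.items()}


def hardened_lookup(req: Request):
    prefix = "/members/"
    if not req.path.startswith(prefix):
        return 404, None
    if req.session_user is None:
        return 401, None                     # authentication before anything else
    member_id = _PUBLIC_TO_INTERNAL.get(req.path[len(prefix):])
    if member_id is None:
        return 404, None
    if member_id != req.session_user and not req.is_staff:
        return 403, None                     # object-level authorization
    return 200, VERIFIED[member_id]


def demo():
    exposed = walk_ids(vulnerable_lookup, 1, 10)   # every record, no credentials
    blocked = walk_ids(hardened_lookup, 1, 10)     # nothing: 401 on every request
    own = hardened_lookup(Request(f"/members/{public_id(2)}", session_user=2))
    other = hardened_lookup(Request(f"/members/{public_id(2)}", session_user=1))
    return exposed, blocked, own, other


if __name__ == "__main__":
    print(demo())
```

The HMAC-derived identifier is a convenience for keeping an existing integer primary key; a random token stored alongside the record works equally well. The point that matters for this case is the ordering of checks in `hardened_lookup`: authentication, then lookup, then an ownership decision, and a response drawn from a store that never held the passport image.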

Open Questions

Several specifics remain unconfirmed at the reporting stage, and the brief is deliberately conservative about them. The headline counts originate from a single researcher's write-up; while corroborated by mainstream reporting and amplified by a respected security commentator, they have not been independently audited in an official disclosure. The precise breakdown of affected nationalities, the exact number of distinct individuals as opposed to records, and whether full machine-readable-zone (MRZ) passport fields were present alongside the document images are not established in the material reviewed and are marked as not confirmed.

Also open is the regulatory trajectory. Nefos's acknowledgment that it missed the GDPR 72-hour notification window, and its stated contact with Ireland's Data Protection Commission, point toward a formal regulatory process, but any finding, penalty or required remediation lies ahead. The mechanics of notifying potentially affected members across multiple jurisdictions — who is contacted, in what order, and with what guidance — are likewise unresolved.

What is firmly established is enough to treat the episode as a consumer-notification story now: a membership platform that collected passports and national IDs for verification reportedly left those documents reachable on the open internet, the operator has conceded a notification failure, and a data-protection regulator is engaged. For readers, the durable takeaway is the one the case illustrates so plainly — every place a passport is uploaded becomes a place it can leak, and the safest exposure is the data a service never collected or kept in the first place.


Sources

Primary: Sammy Azdoufal — CCS Nube / PuffPal disclosure (GitHub)
Reporting: The Verge — Passports data breach: cannabis club systems, Nefos, PuffPal
Analysis: Schneier on Security — One Million Passports Leaked Online
Related: The CyberSignal — UK Visa Portal Passport and Selfie Leak
Related: The CyberSignal — Pay Tel Prison Phone Service 300,000 Drivers' Licenses Exposed
Related: The CyberSignal — NYC Health + Hospitals 1.8 Million Biometric Fingerprints Breach