
Cannabis club software exposed 985,000 passports online

Irish company Nefos Solutions left identity documents accessible at public URLs without password protection for months.

Omega Editorial · June 11, 2026 · 3 min read

Nearly one million passports, driver's licenses, and photo IDs were accessible at public URLs without any password protection, according to security researcher Sammy Azdoufal. The exposed documents belonged primarily to visitors of cannabis clubs in Spain that use software from Irish company Cannabis Club Systems, formally known as Nefos Solutions.

Azdoufal discovered the vulnerability in May 2026 while examining the PuffPal app, which cannabis clubs use to verify member identities. By decompiling the application, he found identity documents stored at URLs as simple as https://ccsnubev2.com/v8/images/_{club}/ID/{user_id}-front.jpg — accessible to anyone who knew the pattern.

The exposed data included not just passport images but also phone numbers, home addresses, and in some cases, information about cannabis consumption habits. Azdoufal's analysis identified over 985,000 photo IDs in the system, including documents from 30,000 U.S. visitors and multiple celebrities. Cannabis clubs were uploading approximately 5,000 new photo IDs daily to these insecure URLs, according to the researcher.

Why it matters

This breach illustrates how third-party software vendors can create cascading security failures across entire industries. When a single platform provider implements inadequate security controls, hundreds of businesses and nearly a million individuals face identity theft risk through no fault of their own. The incident also highlights regulatory gaps: despite EU law requiring breach disclosure within 72 hours, Nefos took weeks to respond and initially prioritized business continuity over security.

Delayed response and partial fixes

Nefos cofounder Andreas Nilsen told The Verge the company took five days to respond to initial contact, only replying after journalists threatened to publish. Even after acknowledging the problem, Nefos initially applied superficial fixes rather than shutting down vulnerable systems.

On June 4, Azdoufal discovered his own passport was once again exposed online. Nefos had temporarily secured the images but unlocked them again after cannabis clubs complained about functionality issues. Nilsen claimed images were protected "70 percent of the time," but the company clearly prioritized customer satisfaction over data security.

As late as June 9, user profiles remained vulnerable through a simple command-line query that exposed passport numbers, contact information, and addresses — even after photo access was restricted. The company has now shut down the entire PuffPal system and its vulnerable APIs pending a complete security overhaul.

Security failures across multiple layers

Azdoufal's investigation revealed systemic security problems beyond exposed URLs. The PuffPal app contained a Stripe payment platform secret key in plain text. User profiles could be accessed by simply incrementing a number in API requests. An admin portal was accessible via the public internet, and cannabis club accounts used passwords weak enough to crack in minutes with modern hardware.
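The two access-control failures described above (an ID image selected by nothing but its path, and a profile reachable by changing a number in the request) are what object-level authorization exists to prevent. The following Python is an added example written for this article, not code from Nefos, 9Series or the PuffPal app; the club names, member ids, session tokens, document bytes, signing key and the path layout are all constructed for the demo. It shows the unchecked lookup as the "before", then a handler that authenticates the caller and ties every record to the club that caller may administer, and finally a short-lived HMAC-signed link for the case where a club's app genuinely needs to hand an image URL to a browser.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample store: (club, member id) -> ID image bytes.  A real system
# would hold these in object storage; the values here are placeholders.
DOCUMENTS = {
    ("club-a", 1001): b"<constructed: club-a member 1001, ID front>",
    ("club-a", 1002): b"<constructed: club-a member 1002, ID front>",
    ("club-b", 2001): b"<constructed: club-b member 2001, ID front>",
}

# Constructed session table: a token identifies a logged-in staff member and
# the single club whose records that person may administer.
SESSIONS = {
    "sess-clubA-staff": {"club": "club-a", "role": "staff"},
    "sess-clubB-staff": {"club": "club-b", "role": "staff"},
}

# Hypothetical server-side signing key, generated fresh at start-up for the demo.
SIGNING_KEY = secrets.token_bytes(32)


def fetch_id_image_insecure(club, user_id):
    """The 'before': the path alone selects the document and nothing checks
    who is asking, so any party that learns the layout can read every record.
    Returns an (http_status, body) pair like a web handler would."""
    doc = DOCUMENTS.get((club, user_id))
    return (200, doc) if doc is not None else (404, None)


def fetch_id_image(session_token, club, user_id):
    """Object-level authorization: authenticate the caller, then confirm the
    requested record belongs to a club that caller may administer."""
    session = SESSIONS.get(session_token)
    if session is None:
        return (401, None)                      # not logged in
    if session["club"] != club:
        # Records outside the caller's club get the same answer as missing
        # records, so the response does not confirm which ids exist elsewhere.
        return (404, None)
    doc = DOCUMENTS.get((club, user_id))
    return (200, doc) if doc is not None else (404, None)


def _signature(club, user_id, expires):
    # The signature binds club, member id and expiry together; changing any
    # one of them produces a different MAC.
    msg = f"{club}|{user_id}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def make_signed_link(session_token, club, user_id, ttl_seconds=300, now=None):
    """Issue a short-lived signed link only after the same authorization check
    the direct handler performs.  Returns None if the caller may not see it."""
    status, _ = fetch_id_image(session_token, club, user_id)
    if status != 200:
        return None
    expires = int(now if now is not None else time.time()) + ttl_seconds
    return {"club": club, "user_id": user_id, "exp": expires,
            "sig": _signature(club, user_id, expires)}


def verify_signed_link(club, user_id, exp, sig, now=None):
    """Server-side check when a link is presented: not expired, and the MAC
    covers exactly this club, member and expiry.  compare_digest keeps the
    comparison constant-time."""
    current = now if now is not None else time.time()
    if current > exp:
        return False
    return hmac.compare_digest(_signature(club, user_id, exp), sig)


if __name__ == "__main__":
    print(fetch_id_image_insecure("club-a", 1002)[0])             # 200: no identity needed
    print(fetch_id_image("sess-clubA-staff", "club-b", 2001)[0])  # 404: another club's member
    link = make_signed_link("sess-clubA-staff", "club-a", 1001)
    print(verify_signed_link(link["club"], link["user_id"], link["exp"], link["sig"]))  # True
```

The detail that matters is that the authorization check lives on the server and runs on every request, whether the request carries a session token or a signed link; a guessable path or an incremented id is harmless once the record it names is only served to a caller entitled to it. Logging the 401 and 404 responses per source also gives a defender the signal that a sequential walk over ids would produce.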

Nilsen attributed the vulnerabilities to 9Series, an outsourcing firm that developed the PuffPal app and its APIs. However, he acknowledged ultimate responsibility rests with Nefos. The company has contacted Ireland's Data Protection Commission about the breach and expects significant fines for failing to meet the 72-hour disclosure requirement under EU law.

Nefos plans to engage an independent security researcher to verify fixes before relaunching any member-facing applications. The company is parting ways with 9Series and estimates a new secure app will take several months to develop.

The incident follows a similar May 2026 breach at UK Visa Portal, which exposed at least 100,000 passports through guessable URLs. These details were first reported by The Verge.

Tags: data breach, identity theft, cannabis industry, API security, GDPR compliance, cybersecurity

This is an original analysis by the Omega editorial team. Source reporting: The Verge.

