YOU GUYS β I want to start with an image that will stay in your head because it defines exactly how bad this breach is: a young woman's passport from Germany sitting unprotected at a public URL you can reach by typing a few letters into your browser. The passport of a man from Spain wearing glasses on his head. Another man's driver's license with a genuinely goofy expression on the face. There was no password, no login required β just anyone with the link could view them. This isn't just bad design; it is an open invitation for identity theft and harassment at scale across hundreds of thousands of people.
The vulnerability comes from how cannabis clubs in Spain (the biggest group) manage their customers through systems like NEFOS Puffpal, which exposed over 985,000 photo IDs to anyone on the internet. Security researcher Sammy Azdoufal built an automated tool with Claude Code that found them all and confirmed there is no access control at all β it's public URLs for everyone. The database includes customers from Spain, Italy, France, South Africa, Britain, and 30,000 from the US alone; even celebrities are in there who would clearly not want their smoking habits made public by a bad server config. And when I say "data," I mean full names, phone numbers, home addresses, favorite cannabis strains, monthly consumption amounts β that's everything you need to target someone with phishing or worse.
Here is why this matters right now: anyone whose data was exposed can be targeted for identity theft, account takeover via SMS verification fraud (since phone numbers are out), and targeted harassment by people looking at their addresses online. If your local club uses NEFOS Puffpal you should reach out to them directly β and if you suspect your information is leaked, freeze your credit with Equifax and Experian immediately before someone does something with it. The sheer scale of this β nearly a million exposed passports from what was meant to be just a membership form at the counter β is staggering. It's an absolute failure that could have been prevented by adding even one layer of authentication on public endpoints, and now hundreds of thousands are left scrambling to protect themselves.
Source: https://www.theverge.com/tech/947157/passports-data-breach-cannabis-club-systems-nefos-puffpal
The vulnerability comes from how cannabis clubs in Spain (the biggest group) manage their customers through systems like NEFOS Puffpal, which exposed over 985,000 photo IDs to anyone on the internet. Security researcher Sammy Azdoufal built an automated tool with Claude Code that found them all and confirmed there is no access control at all β it's public URLs for everyone. The database includes customers from Spain, Italy, France, South Africa, Britain, and 30,000 from the US alone; even celebrities are in there who would clearly not want their smoking habits made public by a bad server config. And when I say "data," I mean full names, phone numbers, home addresses, favorite cannabis strains, monthly consumption amounts β that's everything you need to target someone with phishing or worse.
Here is why this matters right now: anyone whose data was exposed can be targeted for identity theft, account takeover via SMS verification fraud (since phone numbers are out), and targeted harassment by people looking at their addresses online. If your local club uses NEFOS Puffpal you should reach out to them directly β and if you suspect your information is leaked, freeze your credit with Equifax and Experian immediately before someone does something with it. The sheer scale of this β nearly a million exposed passports from what was meant to be just a membership form at the counter β is staggering. It's an absolute failure that could have been prevented by adding even one layer of authentication on public endpoints, and now hundreds of thousands are left scrambling to protect themselves.
Source: https://www.theverge.com/tech/947157/passports-data-breach-cannabis-club-systems-nefos-puffpal