Here’s a nightmare scenario I didn’t expect to see in 2026: nearly a million passports, national ID cards, and driver’s licenses — from dozens of countries — sitting on a public server with no password. Not behind a firewall. Not encrypted. Just… there. Waiting for anyone who knew the URL pattern to browse through.

The breach, first reported by security researcher Sammy Azdoufal and detailed by Sean Hollister at The Verge, exposed 1,082,680 member records from cannabis social clubs across Europe. Within that pile: 923,543 passport or national ID numbers, 985,841 ID photographs, home addresses, phone numbers, dates of birth, and even consumption habits. All from a platform called CCS Nube, built by an Irish company called Nefos Solutions.
The kicker? No one hacked anything. There was no sophisticated attack, no ransomware, no zero-day exploit. The database just… didn’t have authentication. Sequential member IDs meant anyone could type a number into a browser address bar and pull up a complete profile — passport photo and all.
Bruce Schneier nailed the structural problem in his analysis: a high-value credential (a passport) was collected by a low-value system (ID verification for cannabis clubs). And the low-value system got breached, putting the high-value credential at risk.
How a Cannabis Club App Exposed a Million Passports
The chain of failure here reads like a textbook case of what happens when security is an afterthought. Azdoufal joined a Barcelona cannabis social club and downloaded its companion app, PuffPal. After decompiling it, he found hardcoded Stripe payment keys, Firebase credentials, and — critically — no authentication on the backend API.
CCS Nube was the platform these clubs used for sales, accounting, and admissions. When a new member walked in, receptionists would photograph their passport or ID and upload it directly to the database. Those uploads were assigned sequential ID numbers. No encryption. No access controls. No audit trails.
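To make the failure mode concrete, here is an added example in Python, written for this post and not taken from CCS Nube, PuffPal or Nefos: a record lookup with the pattern the researcher describes (counter-valued IDs, no session check of any kind) beside a hardened member directory that requires an authenticated session, scopes every record to the caller's own club, issues random rather than sequential IDs, and writes an audit entry for every lookup, allowed or denied. All clubs, members, file paths and session names are constructed for the illustration.

```python
# Added example (not CCS Nube / Nefos code): the failure pattern described above
# beside a hardened version. All records, names, clubs and paths are constructed.
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class MemberRecord:
    member_id: str
    club_id: str
    name: str
    id_document_ref: str  # constructed stand-in for a stored passport/ID image path


# --- The failure pattern: sequential IDs, no authentication, no authorization ---
# Constructed sample store keyed by a guessable counter, as the text describes.
SEQUENTIAL_STORE: Dict[str, MemberRecord] = {
    "1001": MemberRecord("1001", "club-a", "Member One", "uploads/1001.jpg"),
    "1002": MemberRecord("1002", "club-b", "Member Two", "uploads/1002.jpg"),
    "1003": MemberRecord("1003", "club-a", "Member Three", "uploads/1003.jpg"),
}


def vulnerable_get_member(member_id: str) -> Optional[MemberRecord]:
    """Any caller, with no session at all, can read any record by its counter value."""
    return SEQUENTIAL_STORE.get(member_id)


# --- Hardened version: authenticate, scope by club, unguessable IDs, audit trail ---
@dataclass(frozen=True)
class Session:
    user: str
    club_id: str  # the club this staff account belongs to


class AccessDenied(Exception):
    """Raised for unauthenticated callers and for records outside the caller's club."""


class MemberDirectory:
    def __init__(self) -> None:
        self._records: Dict[str, MemberRecord] = {}
        self.audit_log: List[str] = []  # every lookup, allowed or denied, is recorded

    def add(self, club_id: str, name: str, id_document_ref: str) -> str:
        # 128-bit random identifier: there is no sequence to walk and nothing to guess
        member_id = secrets.token_urlsafe(16)
        self._records[member_id] = MemberRecord(member_id, club_id, name, id_document_ref)
        return member_id

    def get(self, session: Optional[Session], member_id: str) -> MemberRecord:
        if session is None:
            self.audit_log.append(f"DENY anonymous -> {member_id}")
            raise AccessDenied("authentication required")
        record = self._records.get(member_id)
        # A record from another club is treated exactly like a missing one, so the
        # response never confirms whether a given ID exists.
        if record is None or record.club_id != session.club_id:
            self.audit_log.append(f"DENY {session.user}@{session.club_id} -> {member_id}")
            raise AccessDenied("not found")
        self.audit_log.append(f"ALLOW {session.user}@{session.club_id} -> {member_id}")
        return record


def demo() -> dict:
    """Runs both versions on the constructed data and returns the observed outcomes."""
    # Vulnerable store: no session, and another club's record comes back anyway.
    leaked = vulnerable_get_member("1002")

    directory = MemberDirectory()
    a_id = directory.add("club-a", "Member One", "uploads/a.jpg")
    b_id = directory.add("club-b", "Member Two", "uploads/b.jpg")
    staff_a = Session(user="reception", club_id="club-a")

    outcomes = {
        "vulnerable_leaks_foreign_record": leaked is not None and leaked.club_id == "club-b",
        "hardened_ids_are_not_sequential": a_id != b_id and len(a_id) >= 20,
        "hardened_allows_own_club": directory.get(staff_a, a_id).name == "Member One",
    }
    for label, caller, target in (("hardened_denies_anonymous", None, a_id),
                                  ("hardened_denies_other_club", staff_a, b_id)):
        try:
            directory.get(caller, target)
            outcomes[label] = False
        except AccessDenied:
            outcomes[label] = True
    outcomes["audit_entries"] = len(directory.audit_log)
    return outcomes


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The authorization check is the fix; the random identifiers are only defence in depth, since an unguessable ID still leaks the moment it appears in a shared link or a log. Note also that the hardened lookup answers "not found" for both a missing record and another club's record, so a caller cannot use the response to learn which IDs exist, and that the audit log is what gives an operator the trail the original platform lacked.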
Azdoufal reported the vulnerability on April 22. Nefos didn’t respond for 26 days — far past the GDPR-mandated 72-hour breach notification window. When they finally did act, they briefly locked down the image directory, then reopened it after affected clubs complained they couldn’t access their own systems.
The database was collecting roughly 5,000 new ID photos per day at the time of discovery.
Why This Matters Beyond Cannabis Clubs
This isn’t just about one irresponsible software vendor. It’s about a pattern that keeps repeating across industries: companies collecting identity documents they don’t need, storing them poorly, and facing zero consequences until a researcher stumbles onto the mess.
Think about how many times you’ve uploaded a photo of your passport or driver’s license in the past year. Age verification for online purchases. KYC checks for crypto exchanges. Remote work onboarding. Rental applications. Each one creates a copy of your most sensitive document, stored on someone else’s server — often with unclear retention policies and inconsistent security.
The Schneier comment thread made a pointed observation: in countries where cannabis use is criminalized, the exposed data isn’t just a privacy violation. It’s a potential death sentence. People who joined legal clubs in Spain or Germany now have their identities linked to drug use in databases accessible to foreign governments.
And here’s what should terrify every government IT professional: you can’t change a passport like you change a password. A leaked passport number stays compromised for the life of that document — typically 10 years. The affected individuals face elevated identity theft risk for a decade.
The Pattern Keeps Repeating
If this feels familiar, it should. We’ve seen nearly identical failures across different sectors:
- The Klue supply chain breach — a cybersecurity firm itself got breached, exposing data from its own clients. The irony was thick enough to write about at the time, and it illustrated how even security companies aren’t immune to basic failures.
- The UK visa portal leak (2024) — over 100,000 passport photos and selfies exposed through an age-gated verification system. Same pattern: high-value documents, low-value security.
- The Optus data breach (2022) — millions of Australian driver’s licenses exposed, forcing the company to pay for replacements. That case set a precedent for making breach companies bear the cost of identity restoration.
The thread connecting all these incidents is simple: identity verification systems are expanding faster than the security practices keeping them safe. More companies are collecting government IDs for age gating, KYC compliance, and fraud prevention. But the software handling those documents is often built by vendors with minimal security expertise, deployed by organizations that treat identity documents like just another data field.
What You Can Actually Do About It
If you’re reading this and thinking “my passport is probably in that database,” you’re not alone. Bill Dietrich, one of the commenters on Schneier’s blog, wrote that he suspects his passport is in the breach but hasn’t been notified — and the breach is already two months old.
Here’s the uncomfortable truth: there’s not much you can do to undo the exposure. But there are steps worth taking:
- Monitor your credit and financial accounts more closely than usual. Stolen passport data is used for identity theft, fraudulent loan applications, and SIM-swapping attacks. If you’re a developer, also audit your npm dependencies — supply chain attacks follow the same pattern of trusting third-party code with sensitive access.
- Consider a fraud alert with credit bureaus if you’re in an affected region. In the US, a free credit freeze through Equifax, Experian, and TransUnion takes about 15 minutes.
- Be skeptical of future ID verification requests. Before uploading your passport to a new service, ask whether they actually need it — or whether a less sensitive form of verification would work.
- Check the researcher’s GitHub repository (xn0tsa/because-i-got-high) for technical details if you want to understand the full scope.
The Bigger Lesson
For anyone building or managing systems that handle identity documents — and that includes every government IT department, every fintech startup, every age-gating platform — this breach is a wake-up call. Not because the vulnerability was novel. It wasn’t. Using sequential IDs with no authentication is security malpractice straight out of the early 2000s.
The wake-up call is that this kind of failure is still happening in 2026: years after we covered the Klue disaster, years after the Optus case, and years after the GDPR was supposed to make this kind of negligence expensive enough to prevent.
As someone who works in government IT, I think about this a lot. We’re tasked with protecting citizen data — the most sensitive information people have. And the gap between what we should be doing and what many organizations are doing remains dangerously wide. We face the same stakes when dealing with unpatchable hardware vulnerabilities — a flaw you can’t patch is a risk you carry forever.
The solution isn’t more regulation. It’s treating identity documents with the same care we treat classified information. Because in the wrong hands, a leaked passport isn’t just a privacy violation. It’s a tool for ruin.
Like I wrote when discussing the Klue breach: when the companies whose job is security can’t secure their own systems, the rest of us need to stop assuming someone else is handling it. This latest breach proves that point — again — with nearly a million passports as evidence. If you haven’t already, read how even the NSA’s classified systems weren’t immune when Anthropic’s Mythos breached them in hours. The lesson is the same: no system is too important to be left undefended.