Typing a few letters into my browser, I found myself staring at a young German woman's passport. Then a Spanish man's driver's license. Then the front and back of another guy's ID with a goofy grin. They were all sitting at public URLs — no password, no access control, nothing. Nearly a million of them.
Unsecured Cache Exposes Passport Photos
The trove belongs to customers of Cannabis Club Systems, the backend platform behind services like Nefos and Puffpal. Sammy Azdoufal, the security researcher who flagged the exposure, told me the data includes passports and photo IDs from multiple countries. "We have to do something about it as fast as possible, because people will find this and resell it. It will do damage," Azdoufal said.
Anybody who knew the right URL pattern could scrape the entire set. No authentication, no rate limiting — just raw identity documents ready for the taking. The sort of exposure that identity thieves and fraudsters dream about.
The Gaping Hole in Data Protection
This isn't a sophisticated hack. No zero-days, no SQL injection. The documents were stored in a publicly accessible object store, probably misconfigured S3 buckets or similar. Cannabis Club Systems collects sensitive KYC material — passports, driver's licenses — to verify ages for cannabis delivery and club memberships. None of it was encrypted at rest or placed behind an authentication wall.
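One concrete check for the failure described here, as an added example that is not from the article or from Cannabis Club Systems: a small audit of an S3-style bucket policy document for anonymous read grants, with a constructed public policy beside a corrected one. The bucket name, account id and role name are placeholders, and no AWS API is called; only the policy JSON is evaluated.

```python
import json

# Constructed sample, not from the article: anonymous read on every object,
# the kind of grant that leaves uploaded ID scans reachable by URL alone.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::kyc-uploads-example/*"}]})

# Constructed sample: the corrected form, reads limited to one application role
# (the account id and role name are placeholders).
PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AppRoleRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/kyc-verifier"},
    "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::kyc-uploads-example/*"}]})

# Actions that let the grantee fetch object contents (compared case-insensitively).
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}

def _as_list(value) -> list:
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]

def _is_anonymous(principal) -> bool:
    """True when the Principal matches everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def public_read_statements(policy_json: str) -> list[str]:
    """Return the Sids of Allow statements that let anyone read objects.

    Condition blocks are not evaluated: a conditioned anonymous grant is still
    reported so a human can decide whether the condition really limits it.
    """
    doc = json.loads(policy_json)
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if any(a.lower() in READ_ACTIONS for a in _as_list(stmt.get("Action"))):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_POLICY), ("private", PRIVATE_POLICY)):
        print(name, "->", public_read_statements(policy) or "no anonymous read grants")
```

Bucket policies are only one path to public exposure; ACLs and account-level public access settings need the same review.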
Azdoufal discovered the leak during routine scanning. The scale is staggering: nearly a million unique identity documents. For context, that is roughly as if every resident of a city the size of San Francisco had their passport posted online.
What Happens Next
Azdoufal reported the issue to the companies involved. Taking the data offline is step one. But the damage is already done — once a passport photo hits the open internet, it gets scraped, copied, and traded on dark web forums within hours. The real question is how many of these IDs will end up used for synthetic identity fraud or loan applications.
Cannabis Club Systems needs to explain why KYC data was stored on a public URL in the first place. For everyone else, this is a reminder: if your app collects government IDs, treat them like the crown jewels — because they are, and the crown is already gone.
Source: Nearly a million passports and photo IDs were left unprotected on the public internet
Domain: theverge.com