> The documents were hosted by systems used by cannabis clubs and a company called Nefos, which operates PuffPal, a platform that manages membership and age verification for cannabis retailers and clubs across Europe. The infrastructure storing these identity documents—full passport scans, driver’s licenses with photos, names, and identifying numbers—was left completely unprotected on publicly accessible web servers.
I cannot imagine the level of fines under GDPR for leaking that much PII
Why can't verification simply be go to post office, clerk will affadavit that you presented correct ID via online form. Which could also do the photo lookup for good measure.
Store that fact in the computer. Good for one ID usage. Good for less critical stuff like this weed thing (versus say a visa application which may need to store).
The analogy is a nightclub bouncer checks your ID.
Well, see, for safety reasons we're not going to let consumers have those anymore. You could be doing all kinds of shenanigans, running LLMs locally like a pirate.
Not even needed many times, I was recently at an overseas airport that wanted you to scan your passport to log into the internet. Ya not happening. On another device I downloaded a "sample" passport image of a British passport, the first one on Google images, pointed the phone at the device screen. "This will never work" , he thought as he was immediately logged in.
All this stuff really hurts the people who follow the rules the most.
The lack of security is one thing, but why have they retained the information at all!
iirc, one of the elements of GDPR is "storage limitation", i.e. you must not keep personal data for longer than you need it - and in this case, the data is only needed to verify the age of the user, and shouldn't ever be required again (unless people can now get younger).
Once a document has been used to verify a person's identity and that the person is of legal age, there is no reason to retain a copy of the document any more.
It would be reasonable and fair to retain a photo of the user to verify that the person matches the account, but that's it.
> Once a document has been used to verify a person's identity and that the person is of legal age, there is no reason to retain a copy of the document any more.
Might KYC laws and general CYA policies prefer to keep the proof of age? For instance to protect e.g. against a minor altering the date on their passport. Especially in such a regulated industry.
> Note what happened. A high-value credential—a passport—was used in an ancillary low-value authentication system: ID verification for cannabis dispensaries. And it’s the low-value system that got hacked, putting the high-value credential at risk.
Why do these systems hold onto user's data post verification?
Much as passports are very important for proving identity etc, people who travel have had their passport scanned, photographed or photocopied by pretty much every hotel they've stayed in. I'm not sure the shoebox in the backroom in Koh Samui with the photocopies in constitutes good storage hygiene protocols.
How that doesn't turn into rampant identity theft I don't know, or maybe it does? Not, happily, for me... yet.
> people who travel have had their passport scanned, photographed or photocopied by pretty much every hotel they've stayed in.
This. I hate it. People expect you to send your documents on messaging apps and god only knows where they end up. Unfortunately, I fear there's nothing we can do to stop this as govs enforce this kind of operations.
It's far worse than that. In a lot of cases when you pay on booking.com, they don't charge your card. Instead, they send all your information (including CVV) along to the hotel where they can charge you how they want. A hotel I visited in Austria, had my card details printed out on a piece of A4 paper.
> Zero password protection on document storage systems
>
> No encryption for sensitive identity verification data
>
> Public URL access with no authentication requirements
>
> No access logging or monitoring systems in place
Pretty much the bingo of secure storage, even CTF demos make it less obvious. Storing a document that they have no business keeping in the first place, with no security whatsoever.
So much of our information is being leaked nowadays that news like these don’t surprise me anymore…
I think everyone should understand that if they truly want something private, storing it offline or destroying it completely, are the only safer options.
Any sort of convenience to access said data, is a possible surface of attack.
I'm aware of another batch of leaked passports, from a few years ago.
A family member was booking a school tour, when he noticed the URL of the Travel CRM included an id number. Sure enough, the CRM would return all his details given only the (sequential) id number without a need for credentials: high resolution passport scan, and all the other details provided when booking an overseas trip.
He notified the CRM company, and that email was ignored. He emailed again, proposing disclosure, and the problem was silently fixed with no response.
A few months later he mentioned it to the school, along with the fact that he had followed up and had the vulnerability fixed. The school went straight into panic mode, called him to the principal's office and forced him to write a statement so they could refer him to the Feds. I intervened, explaining that he was the good guy who got the vulnerability fixed, and the problem was the school's, since they had supposedly vetted the CRM for security when choosing a tour company.
All of a sudden from the school's point of view there was no problem and no need to mention it to any of the people whose information had been disclosed, despite my insistence. The people still haven't been notified. The school did acknowledge that the family member had done the right thing and verbally thanked him, but would not put anything in writing.
The people involved in the tour had their details leaked, but there was nothing special about those people in the system, so realistically every person whose details were in that CRM had their details, including passports, leaked. It was a major travel CRM provider, so the number of people in the system would have been 6 or 7 figures.
The kicker is that the family member was employed by a software company that had the school system as a customer. The IT person who was responsible for vetting the travel CRM (and had verbally thanked him) arranged for the school system to phone his employer and deliver an ultimatum: that the family member be sacked or they would risk losing a customer. The family member got the sack.
Ahh so that's what they mean at the reception when they take photo of my ID and say "it's for the police". So that any police anywhere can freely download it at any time!
I have a real problem with the pretense posed by the article that the club has no blame. They should have understood the risk they were taking on by subcontracting a vendor to collect passports, and better vetted that vendor. Obviously the service provider was completely inept, but that doesn't absolve the fools using them.
I preach to my clients this sort of PII should be treated as a toxic, hazardous substance. Ideally don't touch it with a 10 foot pole, and if you can't help it then limit the scope, protect it with strong access policies that severely limit who can touch it (including encryption keys conservatively custodied), and securely delete it all as soon as possible.
Too many companies these days point you to shoddy third parties for some kind of functionality (e.g. book an appointment, perform KYC on you, host the online learning platform for your course, etc.), inappropriately foisting both a new business relationship on you that you never asked for along with their partner's terms of service that you have no bargaining power in negotiating.
This is a side-effect of the SaaS era, and the model is broken.
Processing such PII here with an external AI partner:
- last week, we had bug: I said: "couldnt you just re-run the same step with the same data again" - their answer: "we cant! look at paragraph XY in our GDPR agreement, we are deleting all input documents everything after it has been processed"
Very well implemented! :)
(though, I had to upload and re-initiate eveything again)
> the pretense posed by the article that the club has no blame.
Remember that these clubs are mostly small, local businesses. Their owners just don't have the technical sophistication to evaluate software security.
Or the clout to demand an audit.
53 comments
[ 2.7 ms ] story [ 67.3 ms ] thread> The documents were hosted by systems used by cannabis clubs and a company called Nefos, which operates PuffPal, a platform that manages membership and age verification for cannabis retailers and clubs across Europe. The infrastructure storing these identity documents—full passport scans, driver’s licenses with photos, names, and identifying numbers—was left completely unprotected on publicly accessible web servers.
I cannot imagine the level of fines under GDPR for leaking that much PII
Store that fact in the computer. Good for one ID usage. Good for less critical stuff like this weed thing (versus say a visa application which may need to store).
The analogy is a nightclub bouncer checks your ID.
So dystopian
Well, see, for safety reasons we're not going to let consumers have those anymore. You could be doing all kinds of shenanigans, running LLMs locally like a pirate.
iirc, one of the elements of GDPR is "storage limitation", i.e. you must not keep personal data for longer than you need it - and in this case, the data is only needed to verify the age of the user, and shouldn't ever be required again (unless people can now get younger).
Once a document has been used to verify a person's identity and that the person is of legal age, there is no reason to retain a copy of the document any more.
It would be reasonable and fair to retain a photo of the user to verify that the person matches the account, but that's it.
https://boingboing.net/2026/06/28/a-million-passports-leaked...
Why do these systems hold onto user's data post verification?
How that doesn't turn into rampant identity theft I don't know, or maybe it does? Not, happily, for me... yet.
This. I hate it. People expect you to send your documents on messaging apps and god only knows where they end up. Unfortunately, I fear there's nothing we can do to stop this as govs enforce this kind of operations.
Pretty much the bingo of secure storage, even CTF demos make it less obvious. Storing a document that they have no business keeping in the first place, with no security whatsoever.
I think everyone should understand that if they truly want something private, storing it offline or destroying it completely, are the only safer options.
Any sort of convenience to access said data, is a possible surface of attack.
You would be surprised what some courts already count as hacking
At least we’re keeping the children safe though by verifying ages. It’s worth giving up privacy for that…
A family member was booking a school tour, when he noticed the URL of the Travel CRM included an id number. Sure enough, the CRM would return all his details given only the (sequential) id number without a need for credentials: high resolution passport scan, and all the other details provided when booking an overseas trip.
He notified the CRM company, and that email was ignored. He emailed again, proposing disclosure, and the problem was silently fixed with no response.
A few months later he mentioned it to the school, along with the fact that he had followed up and had the vulnerability fixed. The school went straight into panic mode, called him to the principal's office and forced him to write a statement so they could refer him to the Feds. I intervened, explaining that he was the good guy who got the vulnerability fixed, and the problem was the school's, since they had supposedly vetted the CRM for security when choosing a tour company.
All of a sudden from the school's point of view there was no problem and no need to mention it to any of the people whose information had been disclosed, despite my insistence. The people still haven't been notified. The school did acknowledge that the family member had done the right thing and verbally thanked him, but would not put anything in writing.
The people involved in the tour had their details leaked, but there was nothing special about those people in the system, so realistically every person whose details were in that CRM had their details, including passports, leaked. It was a major travel CRM provider, so the number of people in the system would have been 6 or 7 figures.
The kicker is that the family member was employed by a software company that had the school system as a customer. The IT person who was responsible for vetting the travel CRM (and had verbally thanked him) arranged for the school system to phone his employer and deliver an ultimatum: that the family member be sacked or they would risk losing a customer. The family member got the sack.
Find your rep at congress.gov. Email or mail them this article.
Check authbound.io
In another one I found all passports that had been scanned by a hostel in Bangkok.
I preach to my clients this sort of PII should be treated as a toxic, hazardous substance. Ideally don't touch it with a 10 foot pole, and if you can't help it then limit the scope, protect it with strong access policies that severely limit who can touch it (including encryption keys conservatively custodied), and securely delete it all as soon as possible.
Too many companies these days point you to shoddy third parties for some kind of functionality (e.g. book an appointment, perform KYC on you, host the online learning platform for your course, etc.), inappropriately foisting both a new business relationship on you that you never asked for along with their partner's terms of service that you have no bargaining power in negotiating.
This is a side-effect of the SaaS era, and the model is broken.
- last week, we had bug: I said: "couldnt you just re-run the same step with the same data again" - their answer: "we cant! look at paragraph XY in our GDPR agreement, we are deleting all input documents everything after it has been processed"
Very well implemented! :)
(though, I had to upload and re-initiate eveything again)
I've heard this phrasing a lot, but it's hard to believe when there are no consequences after a leak.
Remember that these clubs are mostly small, local businesses. Their owners just don't have the technical sophistication to evaluate software security. Or the clout to demand an audit.
Hah, author is funny.