
Nefos shut PuffPal after passports and IDs leaked

PuffPal identity – A security researcher found more than 985,000 photo IDs and passport images from cannabis clubs were stored at public URLs with weak access controls in Nefos’ PuffPal verification system. After months of scrutiny, Nefos says it shut down PuffPal and related AP

By the time a web browser loaded, the damage was already visible.

Typing a few letters and numbers into the address bar, a security researcher says he could open passport and photo ID images belonging to strangers—documents left sitting at public URLs with no password or access control. In one example he describes, he could view the front and back of a driver’s license, along with passport images of people from Germany and Spain.

The finding wasn’t limited to an isolated system. The researcher, Sammy Azdoufal, says he discovered more than 985,000 photo IDs exposed on the public internet—enough, he warned, for someone to find them and resell them.

Azdoufal first gained attention earlier in his career for using Claude Code in connection with an investigation into how easily other consumer devices could be hacked, including DJI Robo robot vacuum cleaners, baby monitors and security cameras. This time, he says his focus was on cannabis clubs’ identity-verification software.

If you’d visited a cannabis club in Spain, Azdoufal says, your photo ID was likely among them. He also says the exposed database could include phone numbers, home addresses, passport details, “favorite strains of cannabis,” and how much people consumed each month. He adds that celebrities were in the database too—people, he says, who may not want everyone to know they smoke weed. He also says visitors from outside Spain were affected, including 30,000 people from the United States.

The software behind those clubs isn’t something the clubs built themselves. An Irish company called Cannabis Club Systems (CCS), formerly Nefos Solutions, develops and provides the software used by cannabis clubs for sales, accounting, and admissions—along with a verification system where receptionists upload a user’s ID and selfie to Nefos’ cloud.

That setup normally works like this: staff can require a photo ID for entry, and with verification, a receptionist can pull up stored identity documents and check whether a face matches. There’s also an optional app called PuffPal, designed to scan a QR code for faster entry.

But Azdoufal says he decompiled PuffPal and found that Nefos had “no meaningful level of security.” In his account, a secret key for the Stripe payments platform was sitting in the app in plain text. He also says he could pull up any member’s profile just by changing one number. If those profiles included data such as phone numbers, home addresses, passport details, and weed preferences, then that meant the personal information could be accessed as well.

Then came the part that made the exposure instantly clear: Azdoufal says he found passports, drivers licenses, and photo IDs stored at public URLs. One example he provides follows the pattern:

https://ccsnubev2.com/v8/images/_{club}/ID/{user_id}-front.jpg

He says the clubs using the system were uploading 5,000 new photo IDs to those insecure URLs every day.

Azdoufal also says he found an admin portal accessible via the public internet. He adds that cannabis clubs themselves were using a trivial level of security on their own accounts, using passwords that could theoretically be cracked in minutes with a modern GPU. He says private chat messages between clubs and members through PuffPal were also vulnerable.

The human cost of those failures is simple: people’s identities weren’t treated like private data.

Nefos later acted, but not at the pace that would have prevented exposure.

The company says that roughly a month after contact, it shut down its entire PuffPal system and vulnerable APIs until they can be fixed. In Azdoufal’s latest tests on June 10, Nefos says passport images and personal data appear to be secure.

Nefos says it informed local authorities and will take responsibility for the fix work—paying fines and telling users what happened. In a phone interview, Nefos co-founder Andreas Nilsen told The Verge that he is in touch with Ireland’s Data Protection Authority (DPC), a fact confirmed by email to us by DPC spokesperson Evan O’Leary.

Nilsen said he’s focused on communicating to everyone who might have been exposed. He also claimed there is currently no evidence that any outsider accessed the data other than Azdoufal.

Still, the timeline Nefos followed drew sharp criticism. The researcher says it took five days and the threat of a story before the company replied after he reached out.

Nefos also began by papering over holes rather than removing the risk.


Azdoufal told the reporter earlier that Nefos had finally locked down passport images. But on June 4, the researcher says he was shown his own passport was online once again, without protection.

The explanation, according to the account: Nefos hadn’t stopped cannabis clubs from using PuffPal, and clubs complained the locked-down images weren’t showing up the way they used to. The company, Nilsen later says, had locked images down “70 percent of the time” since the reporter and Azdoufal got in touch, but the exposure still returned when clubs needed the old behavior.

On June 9, Azdoufal says he found that even after tokens were used to lock down passport images and photo IDs, other information in user profiles remained easily accessible—passport numbers, phone numbers, email addresses, and home addresses.
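As an added illustration (not code from Nefos, CCS, or 9Series), this is the kind of server-side check that replaces a guessable public path like the one quoted above with a short-lived signed link: the token is bound to the exact image path and an expiry, so changing the user ID in the URL, dropping the token, or replaying a link later all fail. The club name, signing key, and 60-second lifetime are constructed placeholders.

```python
# Added example: signed, expiring URLs for stored ID images instead of
# public, predictable paths of the form /v8/images/_{club}/ID/{user_id}-front.jpg.
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo secret. In production this stays in a server-side secret
# store and is never embedded in a shipped mobile app.
SIGNING_KEY = b"constructed-demo-key-rotate-me"
TTL_SECONDS = 60


def _mac(path: str, expires: int) -> str:
    """HMAC over the exact path plus expiry, so neither can be altered."""
    msg = f"{path}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_image_url(club: str, user_id: int, side: str,
                   now: Optional[int] = None) -> str:
    """Mint a short-lived link for one image, to be called only after the
    application has already confirmed the requester is staff of `club`."""
    now = int(time.time()) if now is None else now
    path = f"/v8/images/_{club}/ID/{user_id}-{side}.jpg"
    expires = now + TTL_SECONDS
    return path + "?" + urlencode({"exp": expires, "sig": _mac(path, expires)})


def verify_image_url(url: str, now: Optional[int] = None) -> bool:
    """Server-side gate: reject bare paths, expired links and edited paths."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False  # no token at all: the plain public URL is refused
    if now >= expires:
        return False  # an old link cannot be replayed after it expires
    # Constant-time compare; recomputed over the path actually requested,
    # so swapping the user_id in the path invalidates the signature.
    return hmac.compare_digest(sig, _mac(parts.path, expires))
```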

He describes a simple method for retrieving personal data by sending a command like “curl -X POST -d "user_id=[NUMBER]&[CLUB NAME]=test&language=en"” into a command line, with servers returning a “ream of personal information.” After the issue was raised, Azdoufal says it was closed.

Nilsen pushed back on blame spreading outward while still acknowledging the way the PuffPal system was built. “I don’t want to put the blame on others because at the end of the day it resides with us,” he said. He added that he believes 9Series, an outsourcing firm he claims was responsible for developing the PuffPal app and creating all the vulnerable APIs used to pull unprotected data from Nefos’ user database, contributed to the failures. 9Series did not respond by publish time.

With PuffPal offline, Nefos is emailing every club to explain what changes members will notice. Nilsen says the clubs’ members won’t be able to use QR codes for entry. But he also says clubs can still pull up IDs from Nefos’ servers after scanning a member’s RFID card or typing in their phone number, among other examples.

Nilsen says Nefos will not simply bring PuffPal back in an unsecured form if clubs ask. “We’re going to tell them we can’t,” he said. He added that after this “debacle,” it would require verification by an independent security researcher and a guarantee that it is “100 percent secure.”

He says Nefos is parting ways with 9Series and hopes to have a new app within a few months.

The legal risk has been part of the story from the start. Nilsen said he knows that under EU law, Nefos was legally required to disclose the breach within 72 hours or face significant fines—and that the company didn’t do it.

“I’m sure we’ll get whatever kind of penalty there is,” he said.

The warning signs weren’t new in Europe. Just last month, a website called the UK Visa Portal similarly exposed at least 100,000 passports to anyone who could guess a URL.

For Nefos and the clubs it supplies, the lesson is stark: when identity documents are placed on public-facing systems without meaningful protection, the fastest way to lose privacy isn’t a hack—it’s a URL.
