Nearly 1 Million Passports and IDs Left Exposed: Vulnerability in Cannabis Club Management System

A critical vulnerability found in "Cannabis Club Systems," software for Spanish cannabis clubs, leaves nearly 1 million photo IDs unprotected on a public URL with no password.

4 min read Reviewed & edited by the SINGULISM Editorial Team

“Cannabis Club Systems” Left Nearly 1 Million IDs Unprotected

Security researcher Sammy Azdoufal has disclosed a critical vulnerability in “Cannabis Club Systems (CCS),” a management system for Spanish cannabis clubs. CCS is operated by the Irish company Nefos Solutions. The database of the membership management software provided by the company contained approximately 985,000 photo IDs stored without any password or access controls.

According to a report by The Verge, Azdoufal is a researcher known for discovering vulnerabilities in cloud-based robot vacuum cleaners and baby monitors. This time, while analyzing “PuffPal,” an access management app for cannabis clubs, he uncovered a major security flaw in the system.

Discovery Process and Technical Details

Azdoufal decompiled the PuffPal app and found that the secret key for the payment platform Stripe was embedded in plain text. Furthermore, by simply changing the unique ID number for member profile information, he could access other members’ full names, phone numbers, addresses, and photo IDs (scanned images of passports or driver’s licenses).

“By typing a few characters and numbers into a browser, I could see the ID of a complete stranger,” Azdoufal stated. This included a German woman’s passport, a Spanish man’s driver’s license (front and back), and even their facial photos, all viewable by anyone who knew the URL.

The database contained records of approximately 300,000 members who had visited cannabis clubs in Spain. The majority were Spanish nationals, but information on about 30,000 tourists or residents from the United States was also confirmed. It also included data on celebrities and public figures, posing a severe risk to the privacy of users who may not want their smoking habits made public.

Scope of Impact and Remaining Issues

The database was on a public URL and lacked even basic HTTP authentication. Azdoufal contacted the operating company, Nefos Solutions, immediately upon discovery, urging an urgent response.

“This information will be misused. If resellers find it, the damage will expand,” Azdoufal warned. Passports, in particular, contain personal details such as date of birth, nationality, passport number, and photo, which could be used for identity theft in any service requiring identity verification.

This incident highlights the critical importance of the “principle of least privilege” and “proper implementation of authentication and authorization” in business systems. The PuffPal app’s design lacked token-based authentication for API endpoints, allowing access to all user data simply by incrementing an ID number – a classic Insecure Direct Object Reference (IDOR) vulnerability.
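The flaw described above is object-level authorization done wrong: the endpoint trusts the member ID in the URL and nothing else. The following is an added example, not code from PuffPal, CCS or Nefos Solutions, that puts the vulnerable pattern beside a hardened handler. The member records, bearer tokens and role names are constructed for the demonstration; the point is the ordering of checks (authenticate, then authorize against the caller's own identity, then look up the record).

```python
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample records for the demo; not data from the incident.
MEMBERS = {
    101: {"name": "Member A", "phone": "+34 600 000 001", "id_scan": "scans/101.jpg"},
    102: {"name": "Member B", "phone": "+34 600 000 002", "id_scan": "scans/102.jpg"},
}


@dataclass
class Session:
    member_id: int
    role: str = "member"  # assumed roles: "member" or "staff"


# Constructed bearer-token store. A real deployment issues short-lived,
# random tokens and looks them up by hash; the dict is enough to show the checks.
TOKENS = {
    "tok-member-101": Session(101),
    "tok-staff-9": Session(9, role="staff"),
}


def get_member_vulnerable(member_id: int) -> Optional[dict]:
    """The pattern the article describes: the handler trusts the path parameter
    alone, so anyone who increments the ID reads another member's record."""
    return MEMBERS.get(member_id)


def authenticate(headers: dict) -> Optional[Session]:
    """Resolve a bearer token to a session; constant-time comparison so the
    token check itself does not leak which prefix matched."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    for token, session in TOKENS.items():
        if hmac.compare_digest(token, presented):
            return session
    return None


def get_member_secure(headers: dict, member_id: int) -> Tuple[int, Optional[dict]]:
    """Authentication, then object-level authorization, then the lookup.
    Returns (http_status, record)."""
    session = authenticate(headers)
    if session is None:
        return 401, None
    # A member may only read their own record; staff may read any.
    if session.role != "staff" and session.member_id != member_id:
        # Same response whether or not the record exists, so the endpoint
        # cannot be used to enumerate valid IDs.
        return 403, None
    record = MEMBERS.get(member_id)
    if record is None:
        return 404, None
    return 200, record


if __name__ == "__main__":
    print("vulnerable, no token:", get_member_vulnerable(102))
    print("secure, no token:", get_member_secure({}, 102))
    print("secure, member 101 asks for 102:",
          get_member_secure({"Authorization": "Bearer tok-member-101"}, 102))
    print("secure, member 101 asks for 101:",
          get_member_secure({"Authorization": "Bearer tok-member-101"}, 101))
```

The test that would have caught this before release is the negative one: log in as one member, request the next member's ID, and assert a 403. Using non-sequential identifiers (random UUIDs) raises the cost of guessing but is not a substitute for the authorization check.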

Editorial Opinion

Short-term impact: The Spanish cannabis club industry will lose trust in credit card payments and identity verification processes. Clubs using CCS are likely to face investigations for GDPR (General Data Protection Regulation) violations as data processors, risking administrative sanctions and damage claims. Regulators may move to strengthen unannounced inspections of similar cloud-based business systems across the board.

Long-term perspective: This incident exposes a structural problem where “business SaaS and cloud-based management systems operate without any security audits post-release,” regardless of industry. Systems for small to mid-sized clubs, in particular, have limited development resources, leading to basic errors like embedded API keys and missing authentication. Going forward, a cross-industry self-regulatory framework, such as a “Business SaaS Security Certification System,” will be needed. Additionally, the fact that the Stripe payment integration secret key was embedded in plain text in the app will prompt a reconsideration of best practices across the entire payment industry.

A question from the editors: When developing your company’s APIs or cloud services, do you simply rely on “release-time functional tests” for authentication and authorization implementation? And can you confidently state that secrets for payment integrations or external APIs are not leaking into your CI/CD pipeline or source code management? The real alarm this case sounds is not the vulnerability itself, but the organizational governance failure: “How to detect data exposure invisible from the inside.”
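The editors' second question, whether payment secrets are leaking into source control or the build, is answerable with a scanning step in the pipeline. The following is an added example, not part of this article or of any tool it mentions: a small scanner that flags Stripe secret keys (the `sk_live_` / `sk_test_` prefixes are Stripe's documented ones; publishable `pk_` keys are meant to ship in clients and are not flagged) and, as an assumed general rule, hard-coded assignments to variables named like secrets. The sample input is constructed and the key in it is a placeholder, not a real credential.

```python
import re
import sys
from typing import List, Tuple

# Patterns for material that must never ship inside a client app or a repo.
# The Stripe prefixes are documented; the generic assignment rule is an
# assumption chosen for the demo and will need tuning per code base.
PATTERNS = {
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b"),
    "hardcoded_secret_assignment": re.compile(
        r"(?i)\b(?:secret|api_key|apikey|password|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}


def scan_text(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, finding_kind) for every line that matches a pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, kind))
    return findings


def redact(line: str) -> str:
    """Report a match without echoing the secret into CI logs."""
    for pattern in PATTERNS.values():
        line = pattern.sub(lambda m: m.group(0)[:8] + "...[redacted]", line)
    return line


# Constructed sample of what a decompiled client or a committed config can
# contain. The sk_live value is a placeholder, not a real key.
SAMPLE = """\
STRIPE_PUBLISHABLE = "pk_test_EXAMPLEPUBLISHABLE000000"
stripe.api_key = "sk_live_0000000000000000000EXAMPLEKEY"
const apiBase = "https://api.example.invalid/v1";
password = "hunter2hunter2"
"""


def main(paths: List[str]) -> int:
    """CI gate: exit non-zero if any file contains a finding."""
    total = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
        for lineno, kind in scan_text("\n".join(lines)):
            print(f"{path}:{lineno}: {kind}: {redact(lines[lineno - 1])}")
            total += 1
    return 1 if total else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    for lineno, kind in scan_text(SAMPLE):
        print(lineno, kind, redact(SAMPLE.splitlines()[lineno - 1]))
```

Run it as a pre-commit hook or a pipeline stage over the source tree and build artifacts (including the strings of a compiled mobile app, since that is where the key in this case was found). A finding should fail the build; the remediation is to keep the secret server-side and rotate it, not to obfuscate it in the client.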

Source: The Verge
