Irish software company leaks 985,000 photo IDs from Spanish cannabis clubs
Nefos Solutions failed to secure 985,000 IDs, including those of celebrities and US visitors
Nearly 985,000 passport images and photo IDs belonging to members of cannabis clubs across Spain were left fully exposed on the public internet, accessible to anyone who knew where to look — with no password, token or access control of any kind.
The Verge reported the breach after security researcher Sammy Azdoufal — who previously used Claude Code to uncover critical vulnerabilities in DJI Romo robot vacuum cleaners, a million baby monitors and security cameras — discovered the flaw and raised the alarm.
How the data was left exposed
The vulnerability did not originate with the cannabis clubs themselves. An Irish company called Cannabis Club Systems (CCS), formally known as Nefos Solutions, develops and supplies the software these clubs use for sales, accounting and member admissions.
Part of that system involves receptionists uploading members' identity documents and selfies to Nefos' cloud servers for storage and verification. Nefos also offered an optional app called PuffPal, which allowed clubs to scan a QR code for faster member entry.
When Azdoufal decompiled the PuffPal app, he found a striking absence of meaningful security. A secret key for the Stripe payments platform was embedded in the app in plain text. Member profiles — including phone numbers, home addresses, passport images and cannabis consumption preferences — could be accessed simply by changing a single number in a URL. The passport images and identity documents themselves were stored at openly accessible URLs following a predictable format.
The scale of the exposure
Azdoufal estimates that clubs were uploading 5,000 new photo IDs with these insecure URLs every day. The exposed data included records belonging to celebrities, international visitors and approximately 30,000 people from the United States. "They have famous people," Azdoufal said. "People who don't want everyone to know they smoke weed."
Beyond identity documents, the breach exposed passport numbers, phone numbers, email addresses and home addresses. An admin portal was also accessible via the public internet, and cannabis club accounts were protected by passwords that could theoretically be cracked within minutes using a modern GPU. Private chat messages between clubs and members through PuffPal were vulnerable as well.
Azdoufal warned early on about the urgency of the situation. "We have to do something about it as fast as possible, because people will find this and resell it. It will do damage," he said in May.
A slow and troubled response
Despite being contacted promptly, Nefos took five days to respond — and only did so after being told a news story was being prepared. Rather than immediately closing the vulnerabilities, the company initially patched over the holes to avoid disrupting its business operations.
On 4 June, Azdoufal discovered that passport images he believed had been secured were publicly accessible again. Nefos had unlocked them after clubs complained that images were no longer displaying correctly within the PuffPal app. Nefos Co-Founder Andreas Nilsen later claimed the images had been locked down "70 percent of the time" since contact was made, but the decision to restore access made clear that customer continuity had been prioritised over data security.
On 9 June, Azdoufal discovered that even after Nefos had secured the passport images with access tokens, all other personal data in user profiles remained freely accessible. A simple command-line query directed at https://ccsnubev2.com/v8/api/userProfile.php with a user ID would return a full set of personal details. That vulnerability was closed after The Verge brought it to Nefos' attention.
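The two weaknesses described above and under "How the data was left exposed" (profiles returned for any numeric ID, and documents served from predictable paths until access tokens were added) are the classic insecure-direct-object-reference pattern. As an added illustration, not Nefos' or 9Series' code, the sketch below shows the vulnerable lookup beside a hardened one that checks the authenticated session's ownership, plus short-lived HMAC-signed document URLs; the profile data, session shape and signing key are constructed placeholders.

```python
import hmac, hashlib, time
from urllib.parse import urlencode

# Constructed sample data keyed by the numeric id that appeared in the URL.
# Hypothetical names and values, not real club records.
PROFILES = {
    1001: {"club_id": 7, "name": "member-a", "phone": "+34-600-000-001"},
    1002: {"club_id": 9, "name": "member-b", "phone": "+34-600-000-002"},
}

# Vulnerable pattern: the endpoint trusts the id in the request and returns
# whatever it finds, so any caller can walk through ids one by one.
def get_profile_vulnerable(user_id):
    return PROFILES.get(user_id)

# Hardened pattern: the record is returned only if the server-side session
# (from the login mechanism, never from request parameters) owns it, or
# belongs to staff of the same club.
def get_profile(session, user_id):
    profile = PROFILES.get(user_id)
    if profile is None:
        return None
    is_owner = session.get("user_id") == user_id
    is_club_staff = (session.get("role") == "staff"
                     and session.get("club_id") == profile["club_id"])
    if not (is_owner or is_club_staff):
        return None  # deny; a real service would also log the attempt
    return profile

# Documents at predictable paths should not be fetchable by path alone:
# after the same authorization check, hand out a short-lived signed URL and
# verify the signature and expiry on every fetch.
SIGNING_KEY = b"server-side-secret-placeholder"  # loaded from server config, never shipped in an app

def sign_document_url(path, expires_at):
    msg = f"{path}|{expires_at}".encode()
    sig = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return f"{path}?{urlencode({'exp': expires_at, 'sig': sig})}"

def verify_document_request(path, exp, sig, now=None):
    now = time.time() if now is None else now
    if now > int(exp):
        return False
    expected = hmac.new(SIGNING_KEY, f"{path}|{exp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)  # constant-time comparison
```

Note that signing the document path alone does not replace the ownership check: the signed URL must only be issued to a caller who has already passed get_profile.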
Company response and accountability
Following The Verge's reporting, Nefos shut down the PuffPal system and all vulnerable APIs entirely. In Azdoufal's tests conducted on 10 June, passport images and personal data appeared to be secured. Nefos has also notified local authorities and confirmed it will take responsibility for fixes, fines and user communications.
In a phone interview, Nilsen told The Verge he is in contact with Ireland's Data Protection Authority (DPC) — a fact confirmed by DPC Spokesperson Evan O'Leary by email. "We have to communicate to everyone that was potentially exposed," Nilsen said, adding that he hoped the DPC would guide the company through that process properly. Nilsen said there is currently no evidence that anyone other than Azdoufal accessed the data.
When pressed on how the vulnerabilities arose, Nilsen pointed to 9Series, an outsourcing firm he said was responsible for developing the PuffPal app and its vulnerable APIs. "I don't want to put the blame on others because at the end of the day it resides with us," Nilsen said. 9Series had not responded by the time of publication. Nefos has confirmed it is parting ways with 9Series and hopes to have a new, independently verified app ready within a few months.
EU breach rules not followed
Nilsen acknowledged that under EU law, Nefos was legally required to disclose the breach within 72 hours — an obligation the company failed to meet. "I'm sure we'll get whatever kind of penalty there is," he said.
Nefos has begun emailing clubs to inform them that members will no longer be able to use QR codes for entry while PuffPal remains offline, though clubs can still verify members through RFID card scans or phone number look-ups. Nilsen said the company will not restore PuffPal without independent security verification.
"We're going to tell them we can't," he said. "We will make sure, after this debacle, that this is verified by an independent security researcher and guarantee that this is 100 percent secure."
The incident follows a similar breach just last month, in which a website called the UK Visa Portal exposed at least 100,000 passports to anyone capable of guessing a URL.