Typing a few letters and numbers into a web browser, security researcher Sammy Azdoufal found himself staring at the identity documents of complete strangers - a German woman’s passport, a Spanish man’s driver’s license, and the goofy expression of yet another victim. All were sitting at public URLs with no password or access control, as if the internet were a lost-and-found bin for sensitive data.

Azdoufal, who previously used Claude Code to discover that DJI Romo robot vacuums and a million baby monitors were embarrassingly easy to hack, this time found over 985,000 photo IDs exposed. If you’ve visited a cannabis club in Spain, your ID, phone number, address, favorite strains, and monthly consumption might be among them - including 30,000 visitors from the United States and, reportedly, some celebrities who “don’t want everyone to know they smoke weed.”

The culprit isn’t the clubs themselves, but an Irish company called Cannabis Club Systems (CCS), formally Nefos Solutions, which provides software for sales, accounting, and admissions. Their verification system lets receptionists upload IDs and selfies to Nefos’ cloud. But when Azdoufal decompiled the optional PuffPal app, he found a Stripe secret key in plain text, the ability to pull up any member’s profile by changing a number, and passport images stored at URLs as simple as https://ccsnubev2.com/v8/images/_{club}/ID/{user_id}-front.jpg. Clubs were uploading 5,000 new IDs daily.

Azdoufal also found an admin portal accessible via the public internet, with passwords crackable in minutes using a modern GPU. Private chat messages between clubs and members were also vulnerable. The good news? After a month and a prod from The Verge, Nefos is finally taking action - shutting down PuffPal and vulnerable APIs, informing Irish authorities, and planning to notify affected users. Co-founder Andreas Nilsen says he’s in touch with Ireland’s Data Protection Authority (DPC), which confirmed the contact.

But it took five days and the threat of a story for Nefos to reply to Azdoufal. Initially, the company papered over the holes - then, on June 4th, Azdoufal’s own passport reappeared online after clubs complained about locked-down images. Nilsen claims the images were secure “70 percent of the time,” but it’s clear Nefos prioritized customer convenience over security. On June 9th, Azdoufal found that even after locking passport images with tokens, everything else - passport numbers, phone numbers, addresses - was still accessible via a simple curl command. That hole has since been closed.
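The two flaws described above (profiles and images reachable by incrementing a number, and a later fix that gated the images but left the rest of the record open) are the classic object-level authorization gap. The following is an added illustration, written for this page and not code from Nefos, CCS or 9Series: it puts the weak pattern beside a hardened one in which every field of a member record passes the same owner-or-staff check, and images are served through short-lived HMAC-signed links instead of guessable paths. The member records, image store, session model, key and helper names are all constructed for the demo.

```python
"""Object-level authorization and signed download links for per-member data.

Constructed example (not CCS/Nefos code). The *_vulnerable handlers mirror
the pattern the article describes; the hardened handlers gate the whole
record, not just the image, and issue expiring signed links for files.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: no real people, clubs or documents.
MEMBERS = {
    101: {"club": "club-a", "name": "Member One", "passport_no": "X0000001",
          "phone": "+34-000-000-001", "address": "Street 1"},
    102: {"club": "club-b", "name": "Member Two", "passport_no": "X0000002",
          "phone": "+34-000-000-002", "address": "Street 2"},
}
IMAGE_STORE = {
    "club-a/ID/101-front.jpg": b"<jpeg bytes 101>",
    "club-b/ID/102-front.jpg": b"<jpeg bytes 102>",
}
SIGNING_KEY = b"constructed-demo-key-keep-server-side-and-rotate"


@dataclass
class Session:
    member_id: Optional[int] = None   # logged-in member, if any
    staff_club: Optional[str] = None  # reception staff for this club, if any


class Forbidden(Exception):
    """Raised for denied and for unknown records alike (no enumeration oracle)."""


# --- weak pattern: the identifier alone is the only "credential" ---
def get_profile_vulnerable(member_id):
    return MEMBERS.get(member_id)


def get_image_vulnerable(path):
    return IMAGE_STORE.get(path)


# --- hardened pattern ---
def _authorize(session, member_id):
    """Return the record only if the caller owns it or staffs its club."""
    rec = MEMBERS.get(member_id)
    if rec is None:
        raise Forbidden
    if session.member_id == member_id or session.staff_club == rec["club"]:
        return rec
    raise Forbidden


def get_profile(session, member_id):
    # Every field (passport number, phone, address) sits behind the same check.
    return dict(_authorize(session, member_id))


def sign_path(path, expires_at, key=SIGNING_KEY):
    msg = f"{path}|{expires_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_image_link(session, member_id, side="front", ttl=60, now=None):
    """Authorize first, then hand out a link bound to one path and an expiry."""
    rec = _authorize(session, member_id)
    path = f"{rec['club']}/ID/{member_id}-{side}.jpg"
    exp = int(time.time() if now is None else now) + ttl
    return {"path": path, "exp": exp, "sig": sign_path(path, exp)}


def fetch_image(path, exp, sig, now=None):
    """Serve bytes only for an unexpired link whose signature matches path+exp."""
    now = time.time() if now is None else now
    if now > exp or not hmac.compare_digest(sig, sign_path(path, exp)):
        raise Forbidden
    data = IMAGE_STORE.get(path)
    if data is None:
        raise Forbidden
    return data


def is_denied(fn, *args, **kwargs):
    """True if the call is refused; used to demonstrate the checks."""
    try:
        fn(*args, **kwargs)
    except Forbidden:
        return True
    return False
```

The point of `_authorize` returning the record is that the profile handler and the link issuer share one gate, so adding a token to images cannot leave the profile fields behind it. Signed links are also bound to the exact path, so a valid link for one member's image cannot be reused for another's.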

Nilsen blames outsourcing firm 9Series for developing the vulnerable PuffPal app, though he admits responsibility. Nefos is parting ways with 9Series and hopes to launch a new, independently verified app within months. Under EU law, Nefos should have disclosed the breach within 72 hours - something it didn’t do. “I’m sure we’ll get whatever kind of penalty there is,” Nilsen says.

Just last month, the UK Visa Portal exposed at least 100,000 passports. Let’s hope this is the wakeup call that finally gets companies to stop treating personal data like party favors.