Nefos PuffPal Data Exposure: One Million Passports Leaked via Public URLs

Nearly one million passports and photo IDs from multiple European countries were exposed on the public internet due to a fundamental failure in data security practices. The documents were accessible via direct URLs with no password protection, encryption, or access controls, so anyone with a link could view sensitive identity documents; no hacking was required.

Critical Security Failures in the PuffPal Infrastructure

The exposure occurred within systems used by cannabis clubs and Nefos, the company operating PuffPal—a platform designed for membership and age verification for cannabis retailers and clubs across Europe. The infrastructure stored full passport scans, driver's licenses, photos, names, and identifying numbers on publicly accessible web servers.

Technical analysis of the breach reveals a complete absence of baseline security controls:

  • Zero Authentication: There was no password protection or authentication layer required to access the document storage systems.
  • Lack of Encryption: Sensitive identity verification data was stored without encryption.
  • No Rate Limiting: The absence of rate limiting allowed for the potential bulk downloading of documents.
  • No Monitoring: There were no access logging or monitoring systems in place to detect unauthorized access.
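
Three of the four controls listed above (authentication, rate limiting, access logging) can be sketched as a gate in front of document retrieval. This is an added example, not code from Nefos or PuffPal, whose stack the page does not describe; the key, limits, and function names are hypothetical, and encryption at rest is not covered.

```python
import hashlib
import hmac
import logging
import time
from collections import defaultdict, deque

# All names and values below are hypothetical, constructed for illustration.
SIGNING_KEY = b"constructed-demo-key"    # in production: loaded from a secrets manager
MAX_REQUESTS = 5                         # allowed requests per client per window
WINDOW_SECONDS = 60

log = logging.getLogger("doc_access")
_recent = defaultdict(deque)             # client_id -> timestamps of recent requests


def sign(doc_id: str, user_id: str, expires: int) -> str:
    """Issue a token binding one document to one authenticated user until `expires`."""
    msg = f"{doc_id}|{user_id}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def authorize(doc_id, user_id, expires, token, client_id, now=None) -> str:
    """Return 'ok', 'denied', 'expired' or 'rate_limited'; log every decision."""
    now = time.time() if now is None else now
    window = _recent[client_id]
    while window and window[0] <= now - WINDOW_SECONDS:
        window.popleft()                 # forget requests older than the window
    window.append(now)                   # failed attempts count toward the limit too
    expected = sign(doc_id, user_id, expires).encode()
    if len(window) > MAX_REQUESTS:
        result = "rate_limited"          # bulk retrieval is cut off here
    elif not hmac.compare_digest(expected, str(token).encode()):
        result = "denied"                # missing, forged, or issued for another document
    elif now > expires:
        result = "expired"               # expiry is covered by the MAC, so it cannot be edited
    else:
        result = "ok"
    log.info("doc=%s user=%s client=%s result=%s", doc_id, user_id, client_id, result)
    return result
```

A bare document URL with no token fails the MAC check, and every decision, including denials, leaves a log line that monitoring can alert on.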

Long-Term Risks of Identity Document Exposure

Unlike compromised passwords, government-issued identity documents cannot be instantly reset or revoked. This creates a permanent vulnerability for the affected individuals until the documents expire or are reissued through lengthy bureaucratic processes.

Stolen passports and driver's licenses are high-value assets for criminals, fueling:

  • Identity Theft and Fraud: Using scans to open fraudulent accounts or apply for credit.
  • Document Fraud: Creating forged documents based on leaked high-resolution scans.
  • Account Takeover Attacks: Using the IDs to bypass identity verification checks on other platforms.

Furthermore, the nature of the data collected—verification for cannabis clubs—adds a layer of sensitive personal information to the identity documents, potentially exposing users' associations with these clubs.

Analysis of Data Stewardship and Regulatory Compliance

This incident highlights a systemic failure in data stewardship, where high-value credentials (passports) were used for low-value authentication (age verification for cannabis clubs).

GDPR and Storage Limitation

Industry observers and security experts have noted that the retention of this data may violate the General Data Protection Regulation (GDPR). A core tenet of GDPR is "storage limitation," which mandates that personal data must not be kept longer than necessary for the purpose for which it was collected. In this case, once a user's age was verified, there was no legitimate reason to retain the full scan of the identity document.

The "Misconfiguration" Fallacy

While such incidents are often labeled as "misconfigurations," the scale of the failure—missing passwords, encryption, and logs—suggests a total disregard for security standards. The NIST Computer Security Incident Handling Guide establishes baseline requirements that were entirely absent in this case.

Community Perspectives on Identity Verification

Discussion among security professionals and users regarding this breach emphasizes the inherent risk of centralized identity verification:

"Note what happened. A high-value credential—a passport—was used in an ancillary low-value authentication system: ID verification for cannabis dispensaries. And it’s the low-value system that got hacked, putting the high-value credential at risk."

Others pointed out the ubiquity of the risk, noting that passports are frequently scanned by hotels and other service providers who may lack professional storage hygiene, making this specific leak part of a broader pattern of systemic identity vulnerability.
