A journalist typing a few letters and numbers into a web browser pulled up the passport of a young woman from Germany. Then a Spanish man’s passport. Then another man’s driver’s license. All of it sitting on the public internet with no password, no encryption, no access control whatsoever.
Nearly a million passports and photo IDs from multiple countries were exposed at unprotected public URLs, retrievable by anyone who had or could guess a link. The documents remained discoverable this way for months, according to reporting by The Verge, before being taken offline. The exposure is one of the largest identity document breaches in recent memory, and it happened because of a fundamental failure in data security practices rather than any sophisticated attack.
- The Scale: Nearly one million passports and photo IDs from multiple European countries were left completely unprotected on public web servers.
- The Access Method: No hacking was required—documents were accessible through direct URLs with zero authentication or encryption.
- The Timeline: Identity documents remained publicly accessible for months before discovery, creating an unknown window of potential criminal exploitation.
The documents were hosted on systems used by cannabis clubs and by a company called Nefos, which operates PuffPal, a platform that manages membership and age verification for cannabis retailers and clubs across Europe. The infrastructure storing these identity documents (full passport scans, driver’s licenses with photos, names, and identifying numbers) was left completely unprotected on publicly accessible web servers.
Sammy Azdoufal, a security researcher who discovered the exposure, told The Verge the urgency was acute: “We have to do something about it as fast as possible, because people will find this and resell it. It will do damage.” The concern was not theoretical. Identity documents at scale on the open internet are immediately valuable to criminals. According to guidance from the Federal Trade Commission, stolen passports and driver’s licenses fuel identity theft, document fraud, and account takeover attacks.
How Did Nearly a Million Identity Documents End Up Unprotected?
What makes this breach structurally significant is not just the volume of documents exposed, but the mechanism of exposure: a company collecting identity verification data—ostensibly for legitimate age-gating purposes—stored that data in a way that treated security as optional. No authentication layer. No rate limiting. No encryption. Just raw identity documents, URL-accessible to the entire internet.
• Zero password protection on document storage systems
• No encryption for sensitive identity verification data
• Public URL access with no authentication requirements
• No access logging or monitoring systems in place
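The exposure pattern described above is an insecure direct object reference: the identifier in the URL is the only thing standing between the internet and the file, so sequential or guessable ids can be walked in bulk. The following is an added illustration of that pattern beside a hardened alternative; it is not PuffPal or Nefos code, and the document store, member ids, two-role model and signing key are constructed placeholders. The hardened handler authorises at the object level first, then hands out a URL bound to the requester and an expiry with an HMAC, and records every decision so enumeration attempts are visible.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample store: document id -> (owning member id, document bytes).
# A real deployment would hold ciphertext here and decrypt only at serve time.
DOCS = {
    "1001": ("member-a", b"PASSPORT-SCAN-A"),
    "1002": ("member-b", b"LICENCE-SCAN-B"),
}

# ---- The exposed pattern: the id in the URL is the only "credential". ----
def insecure_fetch(doc_id: str) -> Optional[bytes]:
    """Returns the document to anyone who can guess its id; nothing is logged."""
    entry = DOCS.get(doc_id)
    return entry[1] if entry else None

def scrape_insecure(start: int, count: int) -> list:
    """Walks sequential ids the way a bulk downloader would; returns the ids that resolved."""
    return [str(i) for i in range(start, start + count)
            if insecure_fetch(str(i)) is not None]

# ---- The hardened pattern: authorise, then mint a short-lived signed URL. ----
SIGNING_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret, held in a KMS in practice

@dataclass
class AccessLog:
    """Append-only record of every serve decision (time, requester, doc id, outcome)."""
    entries: list = field(default_factory=list)

    def record(self, now: float, who: str, doc_id: str, outcome: str) -> None:
        self.entries.append((now, who, doc_id, outcome))

def authorised(doc_id: str, requester: str, role: str) -> bool:
    """Object-level check: the owning member, or a club verifier, may read it (assumed two-role model)."""
    entry = DOCS.get(doc_id)
    if entry is None:
        return False
    return requester == entry[0] or role == "verifier"

def _sig(doc_id: str, requester: str, exp: int) -> str:
    """HMAC over everything the URL asserts, so none of it can be changed in transit."""
    msg = f"{doc_id}|{requester}|{exp}".encode()
    mac = hmac.new(SIGNING_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()

def issue_url(doc_id: str, requester: str, role: str, ttl: int, now: float) -> str:
    """Refuses unless authorised; otherwise returns a URL bound to requester and expiry."""
    if not authorised(doc_id, requester, role):
        raise PermissionError(f"{requester} may not read {doc_id}")
    exp = int(now) + ttl
    return f"/docs/{doc_id}?u={requester}&exp={exp}&sig={_sig(doc_id, requester, exp)}"

def serve(url: str, now: float, log: AccessLog) -> Optional[bytes]:
    """Rejects malformed, expired or tampered URLs and logs every decision."""
    parsed = urlparse(url)
    doc_id = parsed.path.rsplit("/", 1)[-1]
    q = parse_qs(parsed.query)
    try:
        requester, exp, sig = q["u"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        log.record(now, "?", doc_id, "malformed")
        return None
    if now > exp:
        log.record(now, requester, doc_id, "expired")
        return None
    # Constant-time compare: a tampered doc id, requester or expiry changes the MAC.
    if not hmac.compare_digest(sig, _sig(doc_id, requester, exp)):
        log.record(now, requester, doc_id, "bad-signature")
        return None
    entry = DOCS.get(doc_id)
    if entry is None:
        log.record(now, requester, doc_id, "missing")
        return None
    log.record(now, requester, doc_id, "ok")
    return entry[1]

if __name__ == "__main__":
    log = AccessLog()
    t0 = 1_700_000_000.0
    print("scraper sees:", scrape_insecure(1000, 5))
    url = issue_url("1001", "member-a", "member", 60, t0)
    print("owner within ttl:", serve(url, t0 + 10, log))
    print("same url after ttl:", serve(url, t0 + 61, log))
    print("log:", log.entries)
```

The scraper function exists only to make the enumeration risk concrete against the constructed store; in the hardened path the same walk yields nothing because no URL is valid without a signature minted after an authorisation check, and each rejected request leaves a log entry that a monitoring rule can count.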
This mirrors a pattern that defined the Cambridge Analytica scandal: the accumulation of personal data at scale, justified by a legitimate-sounding use case (age verification in this case, political research in CA’s), with security and consent treated as afterthoughts. Cambridge Analytica harvested psychological profiles of millions without explicit consent, storing and weaponizing behavioral data. Here, identity documents were collected for age verification but stored with such negligence that anyone could download them in bulk.
What Happens When Identity Documents Are Stolen at Scale?
The Verge’s investigation did not identify a specific attack or breach. No hacker broke in. No ransomware gang demanded payment. The documents were simply left there, accessible by design, or more accurately by default. This is a category of exposure that security researchers call “misconfiguration,” but that term obscures the reality: a company handling nearly a million identity documents treated them with less care than most people give to a public photo album.
Breach-cost research hosted on PMC consistently ranks healthcare among the sectors with the highest per-incident costs, largely because the records involved cannot be reissued; identity documents carry the same long-tail risk for affected individuals, since a leaked scan stays usable for fraud until the document expires.
The exact timeline of discovery and remediation remains unclear from available reporting. The documents have since been taken offline, but the damage window, meaning how long they were accessible and how many people or automated systems may have downloaded them, is unknown. No official statement from Nefos or the cannabis clubs using the platform has been cited in reporting.
Why Can’t You Just “Change” Your Passport Like a Password?
For individuals whose documents were exposed, the immediate risk is identity theft. Passport and driver’s license scans in criminal hands can be used to open accounts, apply for credit, or facilitate document fraud. There is no universal “change your passport” option like resetting a compromised password. The exposure is permanent unless and until those documents expire or are reissued.
• Unlike passwords, government-issued IDs cannot be instantly changed or revoked
• Document replacement requires lengthy bureaucratic processes across multiple countries
• Criminal use of stolen documents can continue for years before detection
The broader implication is sharper: any company collecting identity documents for verification purposes is now on notice that “we’ll just store them securely” is not a credible promise without demonstrated technical controls. The baseline controls that NIST catalogues (in its security control baselines, with the Computer Security Incident Handling Guide covering what to do once an exposure is found) were completely absent in this case: no access control, no encryption, no access logs.
What remains unanswered is whether regulatory bodies in the European countries affected will impose penalties on Nefos or the cannabis clubs for this exposure, and whether individuals will have any recourse for identity restoration or monitoring. The structural parallel to data collection failures that defined previous privacy scandals suggests this incident represents a broader failure in how companies approach sensitive data stewardship. As of mid-April 2026, those questions hang open.
