Security researcher Sammy Azdoufal has uncovered a massive data breach exposing nearly a million identity documents online. By typing a few characters into his browser, he could view strangers' passports and driver's licenses, none of them protected by a password.
How the Breach Occurred
Azdoufal discovered that Cannabis Club Systems (CCS), an Irish company providing software for cannabis clubs in Spain, stored photo IDs at public URLs. The URLs followed a simple pattern: https://ccsnubev2.com/v8/images/_{club}/ID/{user_id}-front.jpg. Clubs uploaded 5,000 new IDs daily with these insecure links.
Scope of Exposed Data
Over 985,000 photo IDs were accessible, including passports from Germany, Spain, and other countries. The database also contained phone numbers, addresses, cannabis preferences, and consumption history. About 30,000 US visitors were among the exposed individuals, along with celebrities who prefer privacy about their cannabis use.
Security Lapses Found
Azdoufal decompiled the PuffPal app used by clubs and found a plain-text Stripe payment key. He could access any member's profile by changing a number in the request. An admin portal was also publicly accessible, and club accounts used weak passwords crackable in minutes.
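The public image URLs described under "How the Breach Occurred" and the profile lookup by changed number described above both lack a per-object access check. The following added example (not code from CCS, PuffPal or the original article) shows one way to close that gap: the application issues an HMAC-signed, expiring image URL only after confirming the record belongs to the requesting club, and the image server refuses anything unsigned, expired or altered. The path layout, club and member values, the "back" side and the signing key are constructed assumptions.

```python
import hashlib
import hmac
import re
import time
from urllib.parse import parse_qs, urlsplit

# Constructed demo values; a real key would come from a secret store.
SIGNING_KEY = b"constructed-demo-key"
URL_TTL_SECONDS = 300
# Constructed sample data: member id -> owning club.
MEMBER_CLUB = {1001: "club-a", 1002: "club-a", 2001: "club-b"}
SIDES = {"front", "back"}  # "back" is an assumption; the article only shows "-front"
PATH_RE = re.compile(r"^/images/([a-z0-9-]+)/ID/(\d+)-(front|back)\.jpg$")


def _sign(club, user_id, side, expires):
    """HMAC over every field that identifies the object and its expiry."""
    msg = f"{club}|{user_id}|{side}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_image_url(staff_club, user_id, side, now=None):
    """Return a short-lived signed URL, or None if the caller may not see this ID."""
    # Object-level authorization: the record must belong to the caller's club.
    if side not in SIDES or MEMBER_CLUB.get(user_id) != staff_club:
        return None
    expires = int(time.time() if now is None else now) + URL_TTL_SECONDS
    sig = _sign(staff_club, user_id, side, expires)
    return f"/images/{staff_club}/ID/{user_id}-{side}.jpg?exp={expires}&sig={sig}"


def verify_image_url(url, now=None):
    """Image server check: serve only an unexpired, correctly signed URL."""
    parts = urlsplit(url)
    match = PATH_RE.match(parts.path)
    query = parse_qs(parts.query)
    if not match or "exp" not in query or "sig" not in query:
        return False  # bare, guessable URLs are never served
    exp_text = query["exp"][0]
    current = int(time.time() if now is None else now)
    if not exp_text.isdecimal() or int(exp_text) < current:
        return False
    club, user_id, side = match.groups()
    expected = _sign(club, user_id, side, int(exp_text))
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(expected.encode(), query["sig"][0].encode())
```

Because the member number is covered by the signature, editing it in a valid URL makes the request fail rather than return another member's document.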
Company Response
After being contacted, CCS initially locked down images but later reopened them when clubs complained. The company has now shut down PuffPal and vulnerable APIs. Co-founder Andreas Nilsen stated they are cooperating with Ireland's Data Protection Commission and will notify affected users. CCS blames outsourcing firm 9Series for developing the insecure app.
Ongoing Risks
Even after the images were protected, user profiles remained accessible until June 9th. Nilsen claims there is no evidence of outsider access beyond Azdoufal, but the delay in securing the data raises concerns. This incident follows a similar exposure of 100,000 passports on the UK Visa Portal.



