HeadlinesBriefing.com

Nearly a Million Cannabis Club IDs Exposed on Public Internet

Hacker News

Security researcher Sammy Azdoufal discovered 985,000 photo IDs sitting unprotected at public URLs, accessible without passwords or access controls. The documents included German passports, Spanish driver's licenses, and personal information from cannabis club visitors worldwide, including 30,000 Americans and celebrities who wanted to keep their marijuana use private.

Azdoufal traced the vulnerability to Cannabis Club Systems (Nefos Solutions), which provides software to Spanish cannabis clubs. By decompiling the Puff Pal app, he found a secret Stripe key in plain text and discovered he could access any member profile by changing a single number. Passport images were stored at predictable URLs like https://ccsnubev2.com/v8/images/_{club}/ID/{user_id}-front.jpg, with 5,000 new IDs uploaded daily without security.
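The two access-control failures described above (member records reachable by incrementing an id, and ID images served from a predictable path with no authorization check) are easiest to see side by side. The following is an added example and is not code from the article, from Nefos, or from the Puff Pal app; the club names, user ids, image bytes and log lines are constructed, and the path layout is only a stand-in for the pattern the article quotes. It contrasts the vulnerable lookup with a hardened one that requires a session, enforces object-level authorization (owner or same-club staff) and references documents by an unguessable token, and it adds a small detector that flags clients walking sequential ids in an access log.

```python
"""Added example: predictable-id document access versus object-level authorization.

Not the article's or the vendor's code. Sample data, names and log lines are
constructed for illustration only.
"""
import secrets
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    """An authenticated caller. role is 'member' or 'staff' (constructed)."""
    user_id: int
    club: str
    role: str


# Constructed sample store: (club, user_id) -> ID-image bytes.
ID_IMAGES: Dict[Tuple[str, int], bytes] = {
    ("clubA", 1001): b"PASSPORT-1001",
    ("clubA", 1002): b"PASSPORT-1002",
    ("clubB", 2001): b"LICENCE-2001",
}


# --- Vulnerable pattern: predictable path, no caller check -----------------
def vulnerable_fetch(club: str, user_id: int) -> Optional[bytes]:
    """Models GET /images/_{club}/ID/{user_id}-front.jpg with no authorization:
    whoever can guess the integer receives the document."""
    return ID_IMAGES.get((club, user_id))


# --- Hardened pattern: unguessable reference + object-level authorization --
# token -> (club, user_id). Random tokens cannot be enumerated like integers.
_TOKEN_INDEX: Dict[str, Tuple[str, int]] = {}


def issue_token(club: str, user_id: int) -> str:
    """Mint a random, non-sequential handle for one stored document."""
    token = secrets.token_urlsafe(32)
    _TOKEN_INDEX[token] = (club, user_id)
    return token


class Forbidden(Exception):
    pass


def hardened_fetch(session: Optional[Session], token: str) -> bytes:
    """Return the document only to its owner or to staff of the same club."""
    if session is None:
        raise Forbidden("authentication required")
    ref = _TOKEN_INDEX.get(token)
    if ref is None:
        # Same error for 'unknown' and 'not yours' so the endpoint is not an oracle.
        raise Forbidden("not authorized for this document")
    club, owner_id = ref
    is_owner = session.user_id == owner_id and session.club == club
    is_staff = session.role == "staff" and session.club == club
    if not (is_owner or is_staff):
        raise Forbidden("not authorized for this document")
    return ID_IMAGES[(club, owner_id)]


# --- Detection: clients walking consecutive ids ----------------------------
def enumeration_suspects(log_lines: Iterable[str], threshold: int = 5) -> List[str]:
    """Given constructed access-log lines of the form
    '<client_ip> GET /images/_<club>/ID/<uid>-front.jpg', return the clients
    that requested a run of more than `threshold` consecutive user ids."""
    seen = defaultdict(set)
    for line in log_lines:
        ip, _method, path = line.split(" ", 2)
        uid = int(path.rsplit("/", 1)[1].split("-")[0])
        seen[ip].add(uid)
    flagged = []
    for ip, ids in seen.items():
        ordered = sorted(ids)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best > threshold:
            flagged.append(ip)
    return sorted(flagged)
```

The hardened handler refuses unauthenticated callers, refuses tokens it does not know, and returns the same error for "unknown" and "belongs to someone else" so a caller cannot tell valid handles from invalid ones. The detector is deliberately simple (a run of consecutive ids from one client) and is meant to be run over web-server access logs, which is where the enumeration described in the article would have been visible.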

When confronted, Nefos cofounder Andreas Nilsen acknowledged the breach but initially blamed outsourcing firm 9Series for developing the vulnerable app. The company temporarily fixed some issues before reopening them when clubs complained about functionality, prioritizing customer convenience over security. Nilsen admitted Nefos missed the EU's 72-hour breach disclosure deadline and faces potential fines.

The incident reveals how third-party vendors can create massive security holes in regulated industries. Even after shutting down Puff Pal, user profiles remained accessible through simple API calls until journalists intervened. This follows similar exposures like the UK Visa Portal leak, highlighting systemic failures in protecting sensitive identity documents online.