cannabis data breach exposes 1.08M member IDs

A cannabis data breach exposed 1,082,680 club member records after a researcher found an unsecured backend used by dozens of Spanish cannabis social clubs. Sammy Azdoufal reached the data by joining one Barcelona club and decompiling its optional mobile app, PuffPal. He reports that the CCS Nube platform, built by Irish firm Nefos Solutions, returned a full member profile to any requester who supplied a member ID, and that those IDs were sequential integers.

Azdoufal counted 1,082,680 member records, 923,543 passport or national-ID numbers, and 985,841 ID photographs stored at unauthenticated, predictable URLs. Profiles included home addresses, phone numbers, dates of birth, monthly consumption figures and preferred cannabis strains. He also found private member-to-club messages that were readable across accounts. Clubs were uploading roughly 5,000 new ID photos per day before the exposure was noticed.

Sean Hollister of The Verge documented the incident and Nefos Solutions’ response. According to Hollister’s reporting, Nefos briefly relocked the ID images after clubs complained, then reopened them. Co-founder Andreas Nilsen told The Verge the company would shut down the PuffPal app, part ways with the outside developer, and expected a regulatory penalty.

Azdoufal reported the exposure to Nefos on April 22 and said he received no reply for 26 days. Under the EU General Data Protection Regulation (GDPR), a data controller must notify its supervisory authority within 72 hours of becoming aware of a breach, and a processor must inform the controllers it serves without undue delay; a 26-day silence after a detailed report sits far outside that window. The researcher also found a hardcoded Stripe payment key and Firebase credentials in the app. What those permit depends on the scope of each key (a Stripe secret key is far more dangerous than a publishable one), but any credential shipped inside a distributed app should be treated as compromised, since it could allow broader access to, or misuse of, the payment and backend systems.

Technical details: CCS Nube assigned sequential member IDs and returned the entire profile object for whatever ID was supplied in an unauthenticated HTTP request, a textbook case of broken object-level authorization (often called IDOR). ID photos and passport scans sat at URLs built from the same predictable identifiers, so an attacker could construct them without authenticating. With no authorization check, no rate limit and guessable identifiers, enumerating the whole database required nothing more than a loop counting upward from one ID to the next.
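The pattern described above, as an added illustration that is not CCS Nube's or Nefos Solutions' code: a lookup that hands any caller the full record for a guessable integer, beside a hardened version that requires a session, checks that the caller may see that particular record, returns only the fields the caller's role needs, and serves ID photos through short-lived HMAC-signed links instead of stable paths. All member data, session tokens and keys are constructed for the example.

```python
"""Vulnerable versus hardened member lookup (added example, constructed data)."""
import hashlib
import hmac
import secrets
import time

# Constructed sample records standing in for a club-management database.
MEMBERS = {
    1001: {"club": "club-a", "name": "Member One", "passport": "X1234567",
           "address": "1 Example St", "photo": "ids/1001.jpg"},
    1002: {"club": "club-b", "name": "Member Two", "passport": "Y7654321",
           "address": "2 Example Ave", "photo": "ids/1002.jpg"},
}


def vulnerable_get_member(member_id):
    """The exposed pattern: full record for a sequential id, no auth at all."""
    return MEMBERS.get(member_id)


# --- Hardened pattern -------------------------------------------------------
# 1. Opaque references instead of sequential ids, so a guessed number maps to
#    nothing. (Constructed at import time; a real system stores them.)
MEMBER_REF = {secrets.token_urlsafe(16): mid for mid in MEMBERS}

# 2. Server-side sessions carry identity and role (constructed tokens).
SESSIONS = {
    "tok-staff-a": {"role": "staff", "club": "club-a"},
    "tok-member-1002": {"role": "member", "member_id": 1002},
}

# 3. Least privilege: each role sees only the fields it needs; nobody gets
#    the passport number back through this endpoint.
FIELDS_BY_ROLE = {"staff": ("name", "club", "photo"), "member": ("name", "address")}


def hardened_get_member(session_token, member_ref):
    """Authenticate, resolve the opaque reference, then authorize per object."""
    session = SESSIONS.get(session_token)
    if session is None:
        return None  # unauthenticated: 401 in an HTTP handler
    member_id = MEMBER_REF.get(member_ref)
    if member_id is None:
        return None  # unknown reference: 404
    record = MEMBERS[member_id]
    # Object-level authorization: staff only inside their own club,
    # members only their own record. 404 rather than 403 avoids confirming
    # that a record exists.
    if session["role"] == "staff" and session["club"] != record["club"]:
        return None
    if session["role"] == "member" and session.get("member_id") != member_id:
        return None
    return {field: record[field] for field in FIELDS_BY_ROLE[session["role"]]}


# --- ID photos: short-lived signed URLs instead of guessable paths ----------
SIGNING_KEY = secrets.token_bytes(32)  # constructed; lives only on the server


def sign_photo_url(path, ttl_seconds=300, now=None):
    """Return a link that is only valid until `exp` and only for this path."""
    exp = int(now if now is not None else time.time()) + ttl_seconds
    sig = hmac.new(SIGNING_KEY, f"{path}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"/files/{path}?exp={exp}&sig={sig}"


def verify_photo_url(url, now=None):
    """Reject tampered paths, forged signatures and expired links."""
    path, _, query = url[len("/files/"):].partition("?")
    params = dict(pair.split("=", 1) for pair in query.split("&"))
    exp = int(params["exp"])
    expected = hmac.new(SIGNING_KEY, f"{path}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, params.get("sig", "")):
        return False
    return (now if now is not None else time.time()) < exp
```

The two checks in `hardened_get_member` are the ones the exposed backend lacked: the caller must have a session, and the session must be entitled to that specific record. Opaque references and signed photo links remove the guessability on top of that, but they are not a substitute for the authorization check.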

Security and privacy risks: Exposed passport numbers and ID photos make identity theft and fraud materially easier. Criminals can use passport data to apply for loans, hijack phone numbers through SIM-swap fraud, or open accounts in victims' names. For members who hold passports from countries where cannabis remains illegal, the exposed records could also trigger law-enforcement actions or visa problems.

The scale of this exposure is comparable to other recent misconfigurations. The Verge and other outlets previously reported an unofficial UK visa portal that left at least 100,000 passports and selfies publicly accessible in a misconfigured cloud bucket. Those incidents show that collecting government-issued ID for age verification creates a concentrated, high-value target for attackers.

Who is affected: Members enrolled through club front desks or web portals were in the same CCS Nube database whether or not they installed the PuffPal app. That means many exposed members never used the optional app that Azdoufal examined. The dataset spans multiple clubs and includes both membership and administrative data.

Company and regulatory implications: Nefos Solutions acknowledged problems with the PuffPal app and said it would cease operations related to that product. The company indicated it had separated from the outside developer responsible for the app. Nefos also expected to face a penalty, consistent with GDPR enforcement for inadequate data protection and delayed notification.

What operators should change: Systems that store government-issued IDs must authenticate every request, enforce object-level authorization (a front-desk account at one club must not be able to read another club's members), return only the fields a role needs, and log every request so that bulk enumeration can be detected and rate-limited. Identifiers exposed to clients should be unguessable, and ID images should be served through short-lived signed links rather than stable, predictable paths. Hardcoded API keys and credentials must be removed from distributed client code, and any payment or backend key that has shipped inside an app must be rotated. Clubs and software providers processing ID documents should restrict retrieval to authorized staff and record every download or view.
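The logging point above only pays off if someone looks at the logs. The following is an added example, not code from the page or from Nefos Solutions, of the detection that would have flagged a sequential scrape like the one described: it parses constructed access-log lines (the format is an assumption), groups successful member lookups per client, and alerts when a client reads many distinct members inside a short window or walks through consecutive IDs.

```python
"""Bulk-enumeration detector over access logs (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<ISO time> <client IP> <status> <path>".
SCRAPER = "203.0.113.7"
SAMPLE_LOG = [
    # A scraper walking sequential member IDs, one per second.
    f"2025-04-22T10:00:{i:02d}Z {SCRAPER} 200 /api/members/{1000 + i}"
    for i in range(1, 13)
] + [
    # A front-desk client doing ordinary work: two members in 40 seconds.
    "2025-04-22T10:00:05Z 198.51.100.9 200 /api/members/2045",
    "2025-04-22T10:00:30Z 198.51.100.9 200 /files/ids/2045.jpg",
    "2025-04-22T10:00:40Z 198.51.100.9 200 /api/members/2046",
    "this line does not match the format and is skipped",
]

LOG_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+)$")
MEMBER_RE = re.compile(r"^/api/members/(\d+)$")


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, status, path = m.groups()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "client": client,
        "status": int(status),
        "path": path,
    }


def detect_bulk_access(lines, window_seconds=60, max_distinct=10, min_sequential_run=5):
    """Flag clients that read many distinct members quickly or walk consecutive IDs."""
    per_client = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        m = MEMBER_RE.match(event["path"])
        if m and event["status"] == 200:  # only successful profile reads count
            per_client[event["client"]].append((event["ts"], int(m.group(1))))

    alerts = []
    for client, hits in per_client.items():
        hits.sort()
        # Sliding window: most distinct member IDs read within window_seconds.
        best, start = 0, 0
        for end in range(len(hits)):
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, len({mid for _, mid in hits[start:end + 1]}))
        # Longest run of consecutive IDs in request order, the enumeration signature.
        longest = run = 1
        for (_, a), (_, b) in zip(hits, hits[1:]):
            run = run + 1 if b == a + 1 else 1
            longest = max(longest, run)
        if best >= max_distinct or longest >= min_sequential_run:
            alerts.append({"client": client, "distinct_in_window": best,
                           "sequential_run": longest})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_access(SAMPLE_LOG):
        print(alert)
```

The thresholds are deliberately low for a club front desk, which has no reason to open dozens of profiles a minute; tune them to the real workload, and treat the sequential-run signal as the stronger of the two, since legitimate staff rarely open members in ID order.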

Advice for members: Anyone who submitted a passport or national ID should assume the file could be public. Affected members should monitor bank accounts and credit reports, enable two-factor authentication on important accounts, and consider reporting potential identity theft to local authorities. Members with passports from countries that criminalize cannabis should consider seeking legal advice about disclosure risks.

This incident highlights concrete failures: predictable ID patterns, unauthenticated file hosting, hardcoded credentials, and a missed regulatory notification window. It also shows how a single, optional app can reveal a much larger server-side exposure affecting over one million people.
