One million passports leaked online
The story highlights a catastrophic data security failure by Nefos, a company operating PuffPal, a platform that manages membership and age verification for cannabis retailers and clubs across Europe. The company left nearly a million passports and photo IDs from multiple European countries exposed on public web servers, accessible through direct URLs with zero authentication or encryption. This exposure represents one of the largest identity document breaches in recent memory, with identity documents remaining publicly accessible for months before discovery. The documents were stored in a way that treated security as optional, with no authentication layer, rate limiting, or encryption, and no access logging or monitoring systems in place.
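As an added illustration, not code from the report or from PuffPal, the following Python sketch shows what the three missing controls look like together: a request for a document is allowed only with a signed, expiring token, is counted against a per-client rate limit, and is written to an access log whether or not it is allowed. The hostname, signing key, limits and document ids are constructed for the example.

```python
import hmac, hashlib
from collections import defaultdict
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed signing key for the example; a real deployment loads it from a secrets manager.
SECRET = b"example-signing-key-not-for-production"
RATE_LIMIT = 5          # document fetches allowed per client per window
WINDOW_SECONDS = 60

_recent = defaultdict(list)   # client id -> timestamps of allowed fetches
access_log = []               # every decision is recorded, allowed or refused

def _signature(doc_id: str, expires: int) -> str:
    # The MAC binds the document id to its expiry, so neither can be swapped.
    return hmac.new(SECRET, f"{doc_id}:{expires}".encode(), hashlib.sha256).hexdigest()

def make_signed_url(doc_id: str, now: int, ttl: int = 300) -> str:
    """Issue a short-lived URL for one document (constructed hostname)."""
    expires = now + ttl
    qs = urlencode({"expires": expires, "sig": _signature(doc_id, expires)})
    return f"https://docs.example/ids/{doc_id}?{qs}"

def authorize(url: str, client: str, now: int) -> tuple[bool, str]:
    """Return (allowed, reason). A bare path with no token is refused outright."""
    parsed = urlparse(url)
    doc_id = parsed.path.rsplit("/", 1)[-1]
    q = parse_qs(parsed.query)
    if "sig" not in q or "expires" not in q:
        decision = (False, "unauthenticated direct URL")
    elif not q["expires"][0].isdigit() or now > int(q["expires"][0]):
        decision = (False, "expired token")
    elif not hmac.compare_digest(q["sig"][0], _signature(doc_id, int(q["expires"][0]))):
        decision = (False, "bad signature")
    else:
        window = [t for t in _recent[client] if now - t < WINDOW_SECONDS]
        if len(window) >= RATE_LIMIT:
            decision = (False, "rate limited")
        else:
            window.append(now)
            decision = (True, "ok")
        _recent[client] = window
    # Log every decision so bulk downloads and probing of direct URLs are visible.
    access_log.append({"t": now, "client": client, "doc": doc_id,
                       "allowed": decision[0], "why": decision[1]})
    return decision
```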
The broader context of this incident is deeply troubling, as it mirrors a pattern of data collection failures that defined previous privacy scandals, such as the Cambridge Analytica scandal. In both cases, companies collected sensitive personal data for legitimate-sounding use cases, but treated security and consent as afterthoughts. This trend suggests a broader failure in how companies approach sensitive data stewardship, with identity documents being collected and stored with less care than most people give to a public photo album. The fact that this exposure was not the result of a hacking attempt, but rather a fundamental failure in data security practices, is particularly concerning.
The implications of this incident are severe: identity documents in the hands of criminals pose a permanent risk to the affected individuals. Unlike passwords, government-issued IDs cannot be instantly changed or revoked, and document replacement requires lengthy bureaucratic processes across multiple countries. The damage window remains unknown: how long the documents were accessible, and how many people or automated systems may have downloaded them. As regulatory bodies in the affected European countries weigh penalties for Nefos and the cannabis clubs, individuals will be left wondering whether they have any recourse for identity restoration or monitoring.
Key Takeaways
Nearly a million passports and photo IDs from multiple European countries were exposed online due to a fundamental failure in data security practices.
Nefos, the company operating PuffPal, left the documents exposed on public web servers with no password, encryption, or access control in place.
The incident highlights a broader failure in how companies approach sensitive data stewardship, mirroring a pattern of data collection failures that defined previous privacy scandals.
The affected individuals face a permanent risk of identity theft, with no universal "change your passport" option like resetting a compromised password.
About the Source
This analysis is based on reporting by Hacker News.