On June 17, 2026, The Verge published an investigation that should change how every cannabis operator thinks about the government IDs they collect at the door. A security researcher, Sammy Azdoufal, found that nearly 985,000 identity documents belonging to members of cannabis clubs were sitting on the public internet — passports, national ID cards, driver’s licenses, selfies, and verification photos — accessible to anyone, with no password, no access control, and URLs simple enough to guess.
The exposure has been nicknamed Cannaleaks, and it is not a story about a sophisticated attacker. No one had to break anything. The data was simply left open. That distinction matters, because it means the failure was not bad luck — it was the predictable result of building an identity-verification pipeline without basic security hygiene. For an industry whose entire compliance model depends on scanning and storing IDs, that is the most important kind of breach to understand.
What was exposed
The records came from infrastructure operated by Nefos Solutions, an Irish company, and surfaced through PuffPal, an app that handles QR-code-based identity verification, and Cannabis Club Systems (CCS), software used by cannabis clubs for sales, accounting, and admissions. When a member joins one of these clubs, a receptionist typically uploads a photo ID and a selfie to verify age and identity. Those uploads went to the cloud — and the cloud was wide open.
According to the reporting, the exposed data included:
- Passports, national ID cards, and driver’s licenses with photos and document numbers
- Selfies and verification photos taken at sign-up
- Phone numbers, home addresses, and email addresses
- Strain preferences and consumption data — how often a member visits and what they buy
- A Stripe secret key stored in plain text inside the app
- Exposed administrative portals and potentially readable private messages
The system served more than 800 cannabis clubs worldwide. The heaviest concentration was in Spain — particularly Barcelona, where the cannabis social club model is widespread — with additional affected members in Italy, France, and South Africa.
Two technical details deserve emphasis because they tell you exactly how this happened. First, documents could be reached through public URLs that followed simple, predictable patterns, and member profiles could be opened by modifying an identifier in the address — the textbook definition of an Insecure Direct Object Reference (IDOR). Second, a live Stripe secret key was embedded in the application in plain text, which is the kind of mistake that can expose payment infrastructure on top of identity data. These are not exotic vulnerabilities. They are items one and four on any competent security checklist.
Why this is the worst kind of cannabis data to lose
Most data breaches leak passwords or email addresses — credentials you can rotate, accounts you can reset. Cannaleaks leaked immutable government identity documents tied to cannabis consumption. You cannot reset your passport. You cannot change the fact that your face, your home address, and your strain preferences are now linked together in a copy someone may have already downloaded.
The combination is uniquely damaging:
- Identity theft and synthetic fraud. A passport scan plus a selfie is the exact bundle needed to defeat many remote identity-verification systems — the same kind of “upload an ID and a selfie” check used to open financial accounts.
- Targeted extortion and discrimination. In many jurisdictions, and within many families, employers, and immigration contexts, a documented record of cannabis use is sensitive enough to coerce or harm someone. Linking it to a home address makes that risk physical.
- Permanence. Breached credentials age out. A leaked passport-plus-consumption profile does not. It remains useful to bad actors for years.
This is why we have repeatedly argued that ID and biometric data is not a routine compliance byproduct — it is the highest-liability data a dispensary touches. The same theme runs through our analysis of why dispensary ID scanners are triggering privacy lawsuits and our roundup of the biggest cannabis data breaches.
The GDPR problem
Because the bulk of affected members are in Spain, Italy, and France, this exposure sits squarely inside the EU’s General Data Protection Regulation (GDPR) — and the data involved is about as bad as GDPR categories get.
ID documents and biometric selfies used to identify a person are special category data under Article 9. Information revealing cannabis consumption arguably touches health data, which carries the same heightened protection. Under GDPR, controllers of this data are required to implement “appropriate technical and organisational measures” (Article 32) — encryption, access control, and the basic ability to keep records from being read by anyone with a browser. Leaving 985,000 such records publicly accessible is close to a worst-case Article 32 failure.
The mechanics matter for liability. A personal data breach must generally be reported to the relevant supervisory authority within 72 hours of awareness (Article 33), and affected individuals must be notified without undue delay when the risk to their rights is high (Article 34). GDPR penalties for the most serious violations reach up to €20 million or 4% of global annual turnover, whichever is higher. Nefos has acknowledged responsibility and noted its compliance obligations under European data protection law; it shut down PuffPal and the vulnerable APIs and stated it would not relaunch without an independent security review.
The hard question for the ecosystem is who is on the hook. The clubs collected the data and chose the vendor. The vendors built and operated the storage. Under GDPR, clubs are likely data controllers and the software providers processors — and controllers do not get to outsource their accountability. Choosing a processor that left everything open is itself a compliance failure. This is the cross-border, multi-party exposure problem we covered in our global regulatory and data-security briefing, playing out in real time.
What every operator should take from this — even if you’ve never heard of these companies
You do not have to be a Spanish cannabis club to be exposed to this exact failure. Any operator that scans IDs at the door, uploads them to a vendor’s cloud, or relies on a third-party age-verification app is running the same playbook. Here is what to do now.
1. Stop storing what you only need to check. The single biggest lesson of Cannaleaks is that the data that hurt people had no business being retained. Age and identity verification can be done at the point of sale and then discarded. If your POS or compliance system retains full ID images by default, find out, and turn it off unless a specific law requires retention. Verify; don’t hoard. We unpack this further in our companion piece on age-verification data discipline.
2. Audit every vendor that touches an ID. Ask each one, in writing: Where is this data stored? Is it encrypted at rest and in transit? Who can access it? Are object URLs authenticated and unguessable? When is it deleted? Has the system had an independent penetration test? If a vendor cannot answer these crisply, that is your answer. This is the vendor-risk discipline we describe in our seed-to-sale attack-surface analysis.
3. Hunt for IDOR and open buckets in your own stack. The two failures here — predictable, unauthenticated URLs and plain-text secrets — are testable in an afternoon. Confirm that member documents cannot be reached by changing a number in a URL, that storage buckets are private by default, and that no API keys or secrets live in client-side code or app bundles.
4. Encrypt and access-control identity data specifically. ID images and biometrics should be encrypted, access-logged, and restricted to the minimum number of staff and systems. Treat them like the regulated health-adjacent records they effectively are.
5. Have an incident-response plan before you need one. The 72-hour clock under GDPR — and the comparable notification windows under U.S. state laws now covering 21+ states — does not start when you finish investigating. It starts when you become aware. If you cannot detect and disclose quickly, you will miss the window. Build the runbook now; our cannabis incident-response template is a starting point.
6. Map your obligations across jurisdictions. If you serve members or customers across borders, you may owe duties under GDPR and multiple U.S. state privacy statutes simultaneously. See our 21-state privacy compliance checklist to scope what applies to you.
The bottom line
Cannaleaks is not an outlier — it is a preview. The cannabis industry’s compliance model depends on collecting the most sensitive documents a person owns, and far too much of the supporting infrastructure was built fast, by vendors competing on features rather than security. When the verification layer is left open, the very mechanism designed to keep minors out becomes the thing that exposes nearly a million adults.
The operators who treat this as a wake-up call will do three things this quarter: minimize the identity data they retain, interrogate the vendors who hold the rest, and prove to themselves that no document in their stack can be reached by guessing a URL. The ones who assume it cannot happen to them are running the same configuration that just exposed 985,000 people.
This article is provided for informational purposes only and does not constitute legal advice.



