985K Passports Leaked Online: Nefos Privacy Lessons [2026]
Security researcher Sammy Azdoufal discovered roughly 985,000 passports and photo IDs sitting on the public internet via Cannabis Club Systems (Nefos). This breakdown covers how predictable URLs, IDOR vulnerabilities, and failed incident response turned a verification platform into an open identity database — and what individuals and publishers can do to protect identity documents before the next breach.

In June 2026, security researcher Sammy Azdoufal made a discovery that should unsettle anyone who has ever handed over a passport, driver's license, or national ID to verify their identity online. Roughly 985,000 photo IDs — passports, licenses, and selfies — were sitting on the public internet with no password, no access token, and no meaningful security at all. If you knew the URL pattern, you could view a stranger's passport in your browser within seconds.
The breach did not come from a nation-state hack or a sophisticated ransomware gang. It came from Cannabis Club Systems (CCS), an Irish software company formally known as Nefos Solutions, whose verification platform is used by cannabis clubs across Spain and beyond. Clubs uploaded member IDs for entry verification. Nefos stored them at predictable public URLs. And for months — possibly years — anyone with basic technical knowledge could browse them like a photo gallery.
This is not a niche story about cannabis tourism. It is a wakeup call for identity privacy that echoes the UK Visa Portal breach that exposed over 100,000 passports just weeks earlier. The same structural failures keep repeating: companies treat identity documents as files to upload, not as high-value biometric data that demands fortress-level protection.
| Question | Answer |
|---|---|
| How many passports were exposed? | ~985,000 photo IDs via Nefos/Cannabis Club Systems |
| How were they accessed? | Predictable public URLs + IDOR on user profile APIs |
| Who is investigating? | Ireland's Data Protection Commission (DPC) |
| Did Nefos notify users within 72 hours? | No — Nefos acknowledged missing the GDPR deadline |
| Can you protect verification videos yourself? | Yes — blur backgrounds and redact before submitting |
What Happened: How Nearly a Million Passports Ended Up Online
The Scale of the Exposure
According to reporting by The Verge, Azdoufal's automated scanning tool identified over 985,000 photo IDs accessible without authentication. The affected users were primarily visitors to cannabis clubs in Spain — Barcelona clubs were heavily represented — but the database included people from across the world:
- Germany, Italy, France, South Africa, and Britain topped the nationality breakdown
- Roughly 30,000 affected users were from the United States
- Celebrities and public figures were reportedly among the exposed records
Each profile could contain far more than a passport scan: phone numbers, home addresses, consumption preferences, monthly purchase history, and private chat messages between clubs and members through the PuffPal companion app.
The Technical Failures That Made It Possible
The breach was not the result of one mistake. It was a stack of compounding security failures that turned a membership verification system into an open database.
Predictable public URLs for identity documents. Passport and ID images were stored at URLs following a simple, guessable pattern:
https://ccsnubev2.com/v8/images/_{club}/ID/{user_id}-front.jpg
Change the club name. Increment the user ID. You get another person's passport. No login required. Clubs were uploading approximately 5,000 new photo IDs every day using this same insecure structure.
Insecure direct object references (IDOR). Azdoufal found that changing a single number in an API request could pull up any member's full profile — phone number, address, passport details, and preferences included. This is one of the most basic web application vulnerabilities, and it was present at scale.
Secrets embedded in the mobile app. Decompiling the PuffPal app revealed a Stripe payment secret key stored in plain text — a credential that should never exist in client-side code. If payment infrastructure keys are treated casually, identity document storage is unlikely to receive better treatment.
An admin portal on the public internet. The company's administrative interface was reachable without network-level restrictions, and club accounts used passwords that could be cracked in minutes with a modern GPU.
API endpoints that leaked everything except the image. Even after Nefos added token protection to passport images in response to the initial disclosure, Azdoufal discovered that a simple POST request to the user profile API still returned passport numbers, email addresses, phone numbers, and home addresses — all the structured data needed for identity theft, with the image itself locked down.
"We have to do something about it as fast as possible, because people will find this and resell it. It will do damage." — Sammy Azdoufal, security researcher, quoted in The Verge
The Response: Too Slow, Then Reversed
Nefos cofounder Andreas Nilsen told The Verge the company is in contact with Ireland's Data Protection Commission (DPC) and plans to notify affected users. But the timeline raises serious questions about priorities:
- Azdoufal reported the vulnerability privately before media involvement
- It took five days and the threat of publication before Nefos responded to journalists
- Nefos initially locked down passport images, then unlocked them again when cannabis clubs complained that verification workflows broke
- Nilsen acknowledged the company may face penalties for failing to disclose the breach within the 72-hour window required under EU law
- As of June 10, 2026, Nefos shut down the PuffPal system entirely pending a security overhaul and parted ways with 9Series, the outsourcing firm that built the vulnerable APIs
The pattern is familiar: protect business continuity first, protect user data second. That calculus is exactly why privacy-first tooling matters — both for the companies storing data and for the individuals whose documents are at stake.
Why Identity Document Breaches Are Different From Other Data Leaks
Not all breaches carry the same long-term damage. A leaked email address is annoying. A leaked passport scan is a permanent identity asset that cannot be rotated like a password.
Passports Are Non-Renewable in Practice
When your email is compromised, you change it. When your password leaks, you reset it. When your passport image leaks, you cannot simply "change" your passport number in most jurisdictions without a formal reissuance process — and even then, your biometric face, date of birth, and nationality remain constant. Identity thieves can use leaked passport scans for:
- Synthetic identity fraud — combining your document with fabricated details to open accounts
- Account takeover — bypassing KYC verification on financial platforms
- Travel and visa fraud — submitting your document in contexts you never authorized
- Targeted harassment and blackmail — especially damaging for public figures and individuals in sensitive professions
Biometric Data Falls Under Strictest Privacy Rules
Under GDPR Article 9, facial images and biometric identifiers constitute special category personal data. Processing them requires explicit consent and heightened security measures. Storing nearly a million passport scans at public URLs is not a gray area — it is a fundamental violation of the data protection framework that governs Nefos as an Irish company operating in the EU.
The breach also intersects with Spain's implementation of GDPR and local data protection authority oversight. With clubs uploading 5,000 IDs daily, the volume of ongoing unlawful processing was enormous even before considering the retrospective exposure.
The Ripple Effect Beyond the Direct Victims
Even if you never visited a Spanish cannabis club, this breach matters because it demonstrates how third-party verification vendors handle the documents you submit elsewhere:
- Rental platforms requiring ID uploads
- Age verification for regulated products
- Employer onboarding and background checks
- Travel booking and hospitality check-in systems
- Government-adjacent e-verify workflows
Every time you photograph your passport and upload it to a third party, you are trusting their engineering team, their outsourcing partners, and their incident response culture. The Nefos case suggests that trust is often misplaced. For a broader view of how global privacy laws treat biometric data in video, see our guide to DPDP, POPIA, and international video redaction requirements.

The Anatomy of a Preventable Breach: Lessons for Companies
If you run a platform that collects identity documents — or you evaluate vendors who do — the Nefos failure offers a checklist of what must never happen.
Never Store Identity Documents at Public URLs
Object storage (S3, GCS, Azure Blob) must use private buckets with signed, time-limited URLs for any authenticated retrieval. Predictable paths like /images/{club}/ID/{user_id}-front.jpg enable enumeration attacks where an attacker iterates through user IDs programmatically. This is Security 101, and it was absent here.
Eliminate Insecure Direct Object References
Every API endpoint that returns user data must verify that the requesting party is authorized to access that specific record. Changing user_id=1001 to user_id=1002 should never work without re-authentication and authorization checks.
Treat Identity Verification as a Privacy Engineering Problem
Identity verification is not a file upload feature. It is a privacy-critical workflow that requires:
- Encryption at rest and in transit for all document images
- Automatic deletion schedules for documents no longer needed
- Audit logging of every access to stored identity data
- Penetration testing before launch, not after journalists call
- Independent security review before handling special category data at scale
Outsource Development, Not Accountability
Nefos pointed to 9Series, the outsourcing firm that built PuffPal and its APIs. Outsourcing development is legitimate; outsourcing security responsibility is not. Under GDPR, the data controller — Nefos — bears legal liability regardless of which contractor wrote the vulnerable code. The DPC investigation will focus on Nefos's governance, not the subcontractor's excuses.
Incident Response Must Prioritize Data Subjects
Unlocking passport images because clubs complained about broken workflows is the defining moment of this story. It reveals that user privacy was treated as a configurable inconvenience rather than a legal obligation. EU breach notification rules exist precisely because companies under commercial pressure will otherwise minimize disclosure.
For a deeper look at why weak anonymization fails regulatory scrutiny — including GDPR Recital 26's irreversibility standard — read our analysis on forensic de-pixelation and GDPR compliance in 2026.
What You Can Do If Your Identity Documents May Be Exposed
Whether you were directly affected by the Nefos breach or you simply want to reduce your exposure after reading about it, these steps apply broadly.
1. Assume Your Uploaded IDs Have a Long Tail
Any passport or license you have uploaded to a third-party platform should be treated as potentially persisted indefinitely, even if the company claims deletion. Request explicit confirmation of deletion under GDPR Article 17 (right to erasure) if you have EU residency rights, or equivalent provisions under your local privacy law.
2. Monitor for Identity Fraud
- Enable fraud alerts with credit bureaus in your country
- Watch for unexpected account verification requests or password resets
- Review financial statements for unfamiliar account openings
- Consider identity monitoring services if you know your documents were in a breached database
3. Be Selective About What You Upload — and What You Show
Before uploading an identity document, ask:
- Does this service need the full document, or would a partial verification suffice?
- What is their data retention policy?
- Are they an EU/UK-regulated entity with a named data protection officer?
- Have they published a security incident history?
When recording verification videos — for passport renewals, visa applications, or employer KYC — you control more of the exposure than you might think. Our guide on blurring video backgrounds for secure passport verification covers how to submit verification footage without revealing your home, family photos, or other sensitive surroundings.
4. Redact Before You Share Video Content Publicly
The Nefos breach involved stored documents, but a parallel risk exists every day: creators, journalists, and bystanders publishing video that captures someone's passport, license plate, or face without consent. If you publish video content — on social media, news platforms, or internal communications — proactive redaction is your responsibility, not your platform's.
Tools like BGBlur exist precisely for this workflow: AI-powered face detection and motion-tracked blur that runs in the browser, with videos deleted within 24 hours and no permanent storage of your source footage. It will not fix a vendor who stores your passport at a public URL, but it does give you control over what identity information appears in content you create and publish.
For unauthorized filming scenarios and your rights to protect visible identity data, see our unauthorized filming privacy protection guide.

How Content Creators and Publishers Can Lead on Identity Privacy
The Nefos breach is a backend storage failure. But the broader privacy conversation includes frontend publishing decisions — what we choose to show in the videos and images we put on the internet.
The Verification Video Problem
Millions of people now complete identity verification by recording themselves holding a passport to a webcam. That video often captures:
- The full passport data page (number, MRZ code, photo, nationality)
- The applicant's home environment (address clues, personal belongings)
- Other people who walk through the background
If that video is stored insecurely — or if the applicant reuses an unredacted recording elsewhere — the verification process itself becomes the vulnerability. Before submitting or republishing verification footage, consider:
- Blurring everything except the document data page area required for verification
- Removing or blurring background details that reveal location or household information
- Never posting raw verification videos to social media
News and Documentary Footage
Journalists covering identity-related stories face a dual obligation: report accurately and protect subjects whose documents appear on camera. A passport shown on a kitchen table for ten seconds in B-roll footage is enough for a motivated viewer to pause, screenshot, and extract.
Motion-tracked AI blur — the kind that follows a document as hands move — eliminates the frame-by-frame editing burden that previously made redaction impractical for small newsrooms. Our AI video blur privacy guide walks through the workflow for hiding faces, plates, and sensitive objects in published footage.
Bystander and Crowd Footage
Street interviews, event coverage, and travel vlogs routinely capture strangers' faces and occasionally their documents — a passport pulled out at airport security, a license shown at a bar. The ethical and legal expectation is shifting: identifiable biometric data in published video requires justification and, increasingly, redaction. Privacy-first editing is becoming as standard as color correction.
The Regulatory Fallout: GDPR, the DPC, and What Comes Next
Nefos operates from Ireland, placing it under the jurisdiction of the Data Protection Commission — one of Europe's most active privacy regulators. Nilsen acknowledged the company failed to meet the 72-hour breach notification requirement under GDPR Articles 33 and 34, which mandate notification to supervisory authorities and, when risk to individuals is high, direct communication to affected data subjects.
Potential consequences include:
| Violation | GDPR Reference | Potential Impact |
|---|---|---|
| Unlawful processing of special category data | Article 9 | Fines up to €20M or 4% global turnover |
| Failure to notify breach within 72 hours | Article 33 | Administrative fines and corrective orders |
| Failure to notify affected individuals | Article 34 | Mandatory direct communication + fines |
| Insufficient technical measures | Article 32 | Corrective orders, ongoing DPC supervision |
The DPC has confirmed it is in contact with Nefos. Given the scale — nearly a million biometric records — this investigation is likely to produce a precedent-setting enforcement outcome that other identity verification vendors will watch closely.
For organizations publishing video that contains personal data, the compliance bar is clearer than ever. Our GDPR video content compliance guide covers face and license plate blurring requirements for creators operating in or targeting EU markets.
Building a Privacy-First Culture — Not Just Privacy-First Marketing
The most damning detail in The Verge's reporting is not the initial vulnerability. It is the decision to re-expose passport images because business customers complained. That single choice reveals more about a company's privacy culture than any privacy policy page ever could.
Real privacy commitment shows up in:
- Engineering defaults — private storage, encrypted fields, no public URLs
- Incident response — lock down first, notify regulators within 72 hours, communicate to users
- Vendor accountability — security review before launch, not forensic analysis after journalists arrive
- Individual empowerment — giving people tools to control what identity data appears in content they create
BGBlur sits in that last category. We built a browser-based AI editor because privacy should not require uploading sensitive footage to yet another cloud server with an unknown retention policy. Process locally where possible. Delete within 24 hours. Give creators, journalists, educators, and verification applicants the ability to redact faces, plates, backgrounds, and sensitive objects in seconds — not hours of manual frame editing.
The Nefos breach will fade from headlines. The passport scans, once exposed, do not fade as easily. Use this moment to audit who holds your identity documents, demand deletion where you can, and take control of what your own video content reveals to the world. For a practical walkthrough on redacting sensitive content before publication, see our guide to censoring video online for privacy.