Tue 07 Jul 2026 / 20:50 ET
Kernel
Long Reads 3 min read

PuffPal exposed cannabis club visitors’ IDs on public web links

Security researcher Sammy Azdoufal says more than 985,000 passports and photo IDs tied to Spanish cannabis clubs were left without access controls.

June Castellano

By June Castellano / Platforms & Power Reporter

PuffPal exposed cannabis club visitors’ IDs on public web links
img: The Verge

PuffPal, an app for accessing cannabis clubs, exposed a cache of identity documents on the open web, according to reporting by The Verge and security researcher Sammy Azdoufal. The material included more than 985,000 passports and other photo IDs, Azdoufal told The Verge.

The problem was depressingly basic: the documents were reachable at public URLs without a password or any other access control, The Verge reported. In its account, entering a short string of letters and numbers into a browser was enough to display strangers’ identity documents, including passports and the front and back of a driver’s license.

That is not a sophisticated exploit. It is the security equivalent of leaving the filing cabinet on the sidewalk and hoping nobody opens the drawers.

What was exposed

Azdoufal told The Verge the exposed records appeared to be tied to cannabis clubs in Spain. He said the data set included visitors from around the world, including 30,000 people from the United States.

According to Azdoufal, the exposed information may have gone beyond identity scans. He told The Verge that some affected people may have had phone numbers, addresses, preferred cannabis strains, and monthly consumption data in the database. He also said celebrities appeared in the records.

The Verge said it was able to view identity documents directly through public links. That matters because passport and driver’s license scans are not throwaway account data. They are durable identity documents, and people cannot rotate a passport number the way they can change a password.

How the exposure worked

The reported failure was access control, or rather the lack of it. A service can store images behind URLs while still requiring a logged-in session, a signed temporary link, or some other authorization check before handing over the file. The Verge reported that these documents had no such gate.

In that setup, possession of the URL is enough. If a link leaks, is guessed, or is enumerated by someone probing the pattern, the server serves the file. No malware, no phishing kit, no cinematic hoodie required.

Azdoufal told The Verge in May that the data needed to be secured quickly because people could find it and resell it. The concern is straightforward: passports and photo IDs are valuable to criminals precisely because they are official, image-based proof of identity.

Who found it

Azdoufal is the same researcher The Verge previously credited with finding security issues involving DJI Romo robot vacuums and Meari-made baby monitors and security cameras. In this case, he told The Verge he used Claude Code as part of his work discovering the exposed ID cache.

The available reporting does not include a public explanation from PuffPal about how the files became reachable, how long they were exposed, or whether every affected person has been notified. Those are the boring questions companies tend to avoid until regulators, customers, or reporters make them less optional.

This story draws on original reporting from The Verge.

More Long Reads/

view all ↗