The story says Nefos, which runs the PuffPal platform used by cannabis clubs across Europe for membership and age verification, exposed more than a million passport scans, driver’s licenses, names, and other identity records on public web servers with no authentication, no encryption, and no meaningful monitoring. The documents were not stolen through some sophisticated attack. They were simply sitting there behind guessable or directly reachable URLs. Because the records are tied to cannabis clubs, the leak does not just expose identity documents. It also links people to a regulated and still sensitive activity.
People zeroed in on two failures. First, nobody bought the idea that blame stops with the vendor. Clubs chose to collect high-risk documents through a third party and inherited the risk. That fed a broader attack on the SaaS habit of outsourcing core trust functions like booking, KYC, and age checks to flimsy vendors while forcing customers into one more privacy relationship they never agreed to. Second, the bigger problem is collection and retention itself. Several commenters pointed out that under GDPR data minimization and storage limitation, keeping raw passport images after age verification is hard to justify. Others added that age assurance guidance from the European Data Protection Board explicitly says the source personal data should be deleted once age is verified. The consensus was blunt: this breach looks less like an unavoidable accident and more like an industry-standard anti-pattern where low-value services demand high-value credentials, keep them too long, and secure them badly.
From there the conversation widened into a critique of online identity systems in general. Photos of passports are treated as if they were robust digital credentials even though a scan strips away many of the security properties of the physical document. That leaves businesses using “good enough” checks mainly to satisfy compliance theater, while concentrating dangerous identity data in systems that are cheap to build and easy to leak. Several people contrasted this with in-person checks, attestation, cryptographic proofs, or national eID schemes that can confirm age or identity without warehousing document images. The practical conclusion was clear: if a process only needs “over 18” or “verified once,” storing passport scans is negligence dressed up as regulation.
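The "verify once, keep only the result" pattern the discussion lands on can be made concrete. The following is an added example written for this page, not code from Nefos, PuffPal or any club; it assumes a verifier service holding an HMAC key (a real deployment would use a proper signature scheme with the key in an HSM), a hypothetical `check_document` step that stands in for actual document inspection, and constructed sample data. The point it shows: the scan and date of birth are consumed during verification and never written into the stored record, the club keeps only a keyed "over 18, verified on date" attestation it can later prove came from the verifier, and a retention check flags any record that still carries source-document fields.

```python
"""Age-assurance record that retains the outcome, not the source document.

Constructed example for illustration. VERIFIER_KEY, check_document and the
field names are assumptions, not a real vendor's API.
"""
import hashlib
import hmac
import json
from datetime import date

# Constructed demo key. In production: HSM-held key or an asymmetric signature.
VERIFIER_KEY = b"constructed-demo-key-not-for-production"

# Fields that must never survive verification in a stored membership record.
FORBIDDEN_FIELDS = {"scan", "passport_image", "document_number", "dob", "name"}


def age_on(dob: date, on: date) -> int:
    """Whole years between dob and the given date."""
    years = on.year - dob.year
    if (on.month, on.day) < (dob.month, dob.day):
        years -= 1
    return years


def check_document(scan: bytes, dob: date, today: date) -> bool:
    """Hypothetical stand-in for real document inspection.

    Here it only requires a non-empty scan and an age of 18 or more.
    Nothing from `scan` or `dob` is retained after this call returns.
    """
    return len(scan) > 0 and age_on(dob, today) >= 18


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_attestation(member_id: str, scan: bytes, dob: date, today: date,
                      key: bytes = VERIFIER_KEY) -> dict:
    """Run the check, then emit a minimal keyed attestation.

    The returned record holds the result and its provenance only; the scan
    bytes and date of birth are not copied into it.
    """
    over_18 = check_document(scan, dob, today)
    claim = {
        "member_id": member_id,
        "over_18": over_18,
        "verified_at": today.isoformat(),
        "method": "document-check-v1",
    }
    claim["mac"] = hmac.new(key, _canonical(claim), hashlib.sha256).hexdigest()
    return claim


def verify_attestation(claim: dict, key: bytes = VERIFIER_KEY) -> bool:
    """Check that a stored attestation is intact and came from the verifier."""
    body = {k: v for k, v in claim.items() if k != "mac"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(claim.get("mac", "")))


def retention_violations(records: list) -> list:
    """Return member_ids of records that still carry source-document fields."""
    return [r["member_id"] for r in records if FORBIDDEN_FIELDS & set(r)]


if __name__ == "__main__":
    # Constructed inputs: a placeholder scan and a date of birth.
    record = issue_attestation("m-001", b"<scan bytes>", date(2000, 1, 1), date(2024, 6, 1))
    print(record)                              # no scan, no dob, no name
    print(verify_attestation(record))          # True
    bad = dict(record, scan=b"<scan bytes>")   # what a leaky store looks like
    print(retention_violations([record, bad])) # ['m-001'] (the second copy)
```

The HMAC binds the outcome to the verifier so a club can show an auditor that the check happened without holding the document; the retention check is the kind of control that would have surfaced the anti-pattern the thread describes before it became a breach.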