HN Debrief

One million passports leaked online

  • Security
  • Privacy
  • Regulation
  • Identity
  • Europe

The story says Nefos, which runs the PuffPal platform used by cannabis clubs across Europe for membership and age verification, exposed more than a million passport scans, driver’s licenses, names, and other identity records on public web servers with no authentication, no encryption, and no meaningful monitoring. The documents were not stolen through some sophisticated attack. They were simply sitting there behind guessable or directly reachable URLs. Because the records are tied to cannabis clubs, the leak does not just expose identity documents. It also links people to a regulated and still sensitive activity.
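The story's "no meaningful monitoring" point is the one a defender can act on directly: a client walking a document endpoint by sequential ID shows up in ordinary access logs long before a journalist finds the data. The following is an added example, not code from the article, the HN thread or the PuffPal platform; it parses a few constructed Common Log Format lines and flags clients whose document requests step through IDs in order. The `/documents/<id>` endpoint shape, the sample lines and the thresholds are assumptions for the illustration.

```python
"""Added example (not code from the article, the HN thread or PuffPal):
flag clients walking a document endpoint by sequential ID in web server
access logs. The endpoint path and the log lines are constructed for the
illustration; the thresholds are assumptions to tune per deployment."""
import re
from collections import defaultdict

# Common Log Format fields we need; the user field is "-" when no
# authentication identity was attached to the request.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed endpoint shape for stored document images.
DOC_PATH = re.compile(r'^/documents/(?P<id>\d+)(?:\.\w+)?$')

# Constructed sample: one client walking IDs 1001..1008 with no auth identity,
# one client fetching two unrelated documents under a session user.
SAMPLE_LOGS = """
203.0.113.5 - - [12/Mar/2024:10:00:01 +0000] "GET /documents/1001.jpg HTTP/1.1" 200 48213
203.0.113.5 - - [12/Mar/2024:10:00:02 +0000] "GET /documents/1002.jpg HTTP/1.1" 200 51870
198.51.100.9 - club17 [12/Mar/2024:10:00:03 +0000] "GET /documents/4412.jpg HTTP/1.1" 200 47002
203.0.113.5 - - [12/Mar/2024:10:00:03 +0000] "GET /documents/1003.jpg HTTP/1.1" 200 49911
203.0.113.5 - - [12/Mar/2024:10:00:04 +0000] "GET /documents/1004.jpg HTTP/1.1" 200 50233
203.0.113.5 - - [12/Mar/2024:10:00:05 +0000] "GET /documents/1005.jpg HTTP/1.1" 200 48777
203.0.113.5 - - [12/Mar/2024:10:00:06 +0000] "GET /documents/1006.jpg HTTP/1.1" 200 51004
203.0.113.5 - - [12/Mar/2024:10:00:07 +0000] "GET /documents/1007.jpg HTTP/1.1" 200 47650
198.51.100.9 - club17 [12/Mar/2024:10:15:40 +0000] "GET /members/77 HTTP/1.1" 200 1320
203.0.113.5 - - [12/Mar/2024:10:00:08 +0000] "GET /documents/1008.jpg HTTP/1.1" 200 49320
198.51.100.9 - club17 [12/Mar/2024:10:16:02 +0000] "GET /documents/87.jpg HTTP/1.1" 200 44108
""".strip().splitlines()


def document_hits(lines):
    """Yield (client, user, doc_id, status) for requests to the document endpoint."""
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        p = DOC_PATH.match(m["path"])
        if p:
            yield m["client"], m["user"], int(p["id"]), int(m["status"])


def find_enumeration(lines, min_hits=5, min_sequential_ratio=0.8):
    """Return clients whose document requests step through IDs in order.

    A run of +1/+2 steps over most of a client's requests is the signature
    of ID walking rather than of a member opening their own documents."""
    per_client = defaultdict(list)
    for client, user, doc_id, status in document_hits(lines):
        per_client[client].append((doc_id, status, user))
    flagged = {}
    for client, hits in per_client.items():
        if len(hits) < min_hits:
            continue
        ids = [doc_id for doc_id, _, _ in hits]
        steps = [b - a for a, b in zip(ids, ids[1:])]
        sequential = sum(1 for s in steps if 0 < s <= 2)  # tolerate small gaps
        ratio = sequential / len(steps)
        if ratio >= min_sequential_ratio:
            flagged[client] = {
                "hits": len(hits),
                "sequential_ratio": round(ratio, 2),
                "served_200": sum(1 for _, status, _ in hits if status == 200),
                "unauthenticated": all(user == "-" for _, _, user in hits),
            }
    return flagged


if __name__ == "__main__":
    for client, detail in find_enumeration(SAMPLE_LOGS).items():
        print(client, detail)
```

The `served_200` and `unauthenticated` fields are what turn an alert into a triage decision: a walk that is mostly 403s means the access control held, while a walk of 200s with no attached identity is the exposure the story describes. A production version would window by time and ship the result to the SIEM, but the scoring logic is the same.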

If your product or vendor touches passports, licenses, or similar identity documents, treat that as a board-level risk and push hard on data minimization, retention, and deletion. Age and identity checks that still rely on uploading document scans are a design smell, not just a security problem.

Discussion mood

Angry and unsurprised. Most people saw this as the predictable outcome of weak incentives, excessive data retention, and bad vendor outsourcing, not as an exceptional security failure.

Key insights

  1. GDPR guidance already says delete age proofs

    European privacy guidance is stricter than many teams seem to assume. The European Data Protection Board has said that for age assurance, once a user's age is verified, the personal data used for that check should not be kept. That reframes the incident. The scandal is not only the open server. It is that the system appears to have retained raw passport images that should likely have been deleted in the first place.

    Do not let compliance teams wave vague audit or KYC concerns into indefinite retention. For age checks in Europe, review whether you can store only the verification result and purge source documents immediately.

      Attribution:
    • charles_f #1 #2 #3
  2. You can audit verification without storing passports

    The strongest technical pushback to "we need the images for proof" was that retention is a design choice, not an inevitability. Several people pointed to ways to keep a signed verification result, hashes, document metadata, or other cryptographic evidence of the process without keeping the original passport scan. That matters because it separates the legitimate need to prove a check happened from the far riskier habit of warehousing reusable identity documents.

    Ask vendors exactly what evidence they keep after verification and why raw images are necessary. If the answer is vague, push for tokenized or signed attestations instead of document storage.
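Insights 01 and 02 together describe one design: keep a signed record that the check happened and what it concluded, and let the source document leave the system. The following is an added example, not code from the HN thread or from Nefos/PuffPal, showing that shape in Python with only the standard library. The function names, the HMAC signing key, the fake "image" format (its last four bytes stand in for the birth year an MRZ/OCR reader would extract) and the salted-fingerprint idea are assumptions made for the illustration.

```python
"""Added example, not code from the HN thread or from Nefos/PuffPal: an age
check that retains a signed attestation of the result and never writes the
document image to the record store. Function names, the fake document
format and the HMAC key are assumptions made for this illustration."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumed: a service-held signing key (in practice loaded from a KMS/HSM).
SIGNING_KEY = secrets.token_bytes(32)


def read_birth_year(document_image: bytes) -> int:
    """Stand-in for an MRZ/OCR reader. The constructed sample "image" used
    here ends with the four-digit birth year so the example runs offline."""
    return int(document_image[-4:].decode("ascii"))


def canonical(claims: dict) -> bytes:
    # Deterministic encoding so the signature covers exactly these fields.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def verify_age(member_id: str, document_image: bytes, doc_type: str,
               min_age: int = 18, check_time: Optional[int] = None) -> dict:
    """Check the document and return a signed attestation. Only the verdict,
    document type, a salted fingerprint and the timestamp are recorded; the
    birth date itself is not."""
    now = int(check_time if check_time is not None else time.time())
    age = time.gmtime(now).tm_year - read_birth_year(document_image)
    # A salted hash lets an auditor later match a re-presented document to
    # this check, but cannot be turned back into the document.
    salt = secrets.token_hex(16)
    fingerprint = hashlib.sha256(salt.encode() + document_image).hexdigest()
    claims = {
        "member_id": member_id,
        "doc_type": doc_type,
        "doc_fingerprint": fingerprint,
        "fingerprint_salt": salt,
        "min_age": min_age,
        "result": "pass" if age >= min_age else "fail",
        "verified_at": now,
    }
    signature = hmac.new(SIGNING_KEY, canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "sig": signature}


def record_check(store: dict, member_id: str, document_image: bytes,
                 doc_type: str, check_time: Optional[int] = None) -> dict:
    """Run the check and persist the attestation. The image is scoped to
    this call and is deliberately not placed in the store."""
    attestation = verify_age(member_id, document_image, doc_type,
                             check_time=check_time)
    store[member_id] = attestation
    return attestation


def attestation_is_valid(attestation: dict) -> bool:
    """Audit path: recompute the MAC over the stored claims."""
    expected = hmac.new(SIGNING_KEY, canonical(attestation["claims"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, attestation["sig"])


def matches_document(attestation: dict, document_image: bytes) -> bool:
    """Audit path: confirm a re-presented document is the one that was checked."""
    salt = attestation["claims"]["fingerprint_salt"]
    fp = hashlib.sha256(salt.encode() + document_image).hexdigest()
    return hmac.compare_digest(fp, attestation["claims"]["doc_fingerprint"])


if __name__ == "__main__":
    store = {}
    sample = b"CONSTRUCTED-SAMPLE-PASSPORT-IMAGE-1990"  # constructed, not a real scan
    att = record_check(store, "member-42", sample, "passport", check_time=1700000000)
    print(att["claims"]["result"], attestation_is_valid(att))
```

Two things about the design matter more than the code. First, what survives the call is only what an auditor needs: who was checked, when, against which document type, with what result. A regulator asking "did you check this member?" is answered by the attestation; a re-presented passport can be matched through the salted fingerprint without the service ever having kept it. Second, a breach of the store exposes verdicts and opaque hashes rather than a million reusable scans, which is exactly the difference between insights 01 and 02 and the incident in the story. Swapping the HMAC for an asymmetric signature lets third parties verify the record without holding the key.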

      Attribution:
    • somenameforme #1
    • hombre_fatal #1
    • subscribed #1
    • lschueller #1
  3. The customer shares liability with the vendor

    The sharpest business point was that outsourcing does not outsource accountability. The clubs decided to route passports into a third-party system, so they own the decision to create that attack surface. Calling the vendor inept is true but incomplete. The deeper failure is treating passports as routine SaaS input instead of toxic material that should be avoided or tightly constrained.

    Vendor reviews for any workflow touching identity documents need to be as serious as payment or payroll reviews. If a partner cannot explain minimization, key handling, access controls, and deletion, do not integrate them.

      Attribution:
    • rkagerer #1
    • BiteCode_dev #1
    • jwr #1
  4. Passport photos are bad digital credentials

    A recurring point was that a scanned passport is a poor stand-in for the physical document. A photo loses watermarks, holograms, chip checks, and in-person inspection, yet companies still accept it as identity proof because they lack a better universal online mechanism and mainly want something defensible enough for policy. That makes the whole model brittle before any breach happens.

    Treat any workflow based on uploaded ID images as a temporary workaround, not a mature identity layer. Prioritize attestation, eID, or in-person verification paths where the assurance level actually matches the risk.

      Attribution:
    • w3ll_w3ll_w3ll #1
    • notpushkin #1
    • mrweasel #1
    • Tangurena2 #1
  5. Physical copies are dangerous but digital aggregation is worse

    People who travel noted that passport copying by hotels is already common, often on personal phones or piles of paper. The useful distinction was not that paper is safe. It is that paper does not become a million-record searchable trove one bad URL away from mass extraction. Friction still counts as security when the alternative is a centralized digital archive of reusable IDs.

    When you digitize a messy manual process, do not assume you are only improving convenience. You may also be converting scattered local risk into a single catastrophic breach domain.

      Attribution:
    • shmoobadge #1
    • Avshalom #1
    • nkrisc #1
    • Scaled #1
  6. Breach reporting can punish the reporter

    One detailed anecdote about a travel CRM exposed a familiar pattern. A family member found passport records exposed by sequential IDs, got the issue fixed, and was then pressured out of a job after the affected school treated the disclosure as a threat. The point is not whether every detail can be verified. It is that many organizations respond to exposure by protecting themselves, not users or reporters, which helps explain why large silent breaches can persist.

    If your company wants vulnerabilities reported, build a real disclosure path and protections for good-faith reporters. Without that, you are selecting for silence until a journalist or attacker finds the data first.

      Attribution:
    • gomoboo #1
    • throwaway692675 #1
    • bonoboTP #1
    • petit_robert #1

Against the grain

  1. PII could be regulated like card data

    One practical counterpoint to the fatalism was that payment-card handling shows organizations will tighten up when standards and penalties are concrete. The suggestion was to hold any company collecting personal identity data to something closer to Payment Card Industry Data Security Standard discipline, backed by enforcement that actually bites. That does not solve over-collection, but it does reject the idea that bad security is inevitable.

    If you operate in a regulated sector, borrow controls from card-data programs even when the law does not force you yet. Regulators are more likely to copy proven compliance models than invent entirely new ones.

      Attribution:
    • Tangurena2 #1
    • runroader #1
  2. Retention may be driven by sector rules

    A few comments pushed back on the blanket claim that there is never any reason to keep records. In some jurisdictions, cannabis and other controlled sales can end up tied to prescription monitoring or track-and-trace systems, which means some retention pressure comes from sector-specific law rather than pure greed or laziness. That does not excuse public buckets. It does complicate the idea that immediate deletion is always legally available everywhere.

    Map the exact retention obligations for each market instead of assuming one privacy rule answers everything. Then design for the minimum required record, not the maximum convenient dataset.

      Attribution:
    • mothballed #1 #2
    • edoceo #1
  3. Not all leaked identity details are equally novel

    A small minority argued that some panic around leaked names and addresses ignores how much of that information used to be publicly distributed in phone books. The useful part of the objection is not that passport leaks are harmless. It is that the real risk comes from machine-readable aggregation and linkage with other records, not from every individual field in isolation.

    When assessing breach impact, focus on what the dataset enables at scale, especially linkage, automation, and impersonation. That gives a more honest risk picture than treating every exposed field as equally sensitive.

      Attribution:
    • paulddraper #1 #2

In plain English

eID
Electronic identity, usually a government-backed digital way to prove who you are online.
GDPR
General Data Protection Regulation, the European Union privacy law that sets rules for collecting, using, and keeping personal data.
KYC
Know Your Customer, a set of identity-checking rules businesses use to verify who a customer is, usually for legal or compliance reasons.
Payment Card Industry Data Security Standard
A widely used security standard for organizations that store, process, or transmit payment card data.
SaaS
Software as a Service, meaning software run by a vendor and accessed over the internet instead of installed and operated by the customer.
