Cannaleaks: Nearly One Million Cannabis Club Users’ Data Was Exposed

Main Hemp Patriot

Nearly 985,000 cannabis club identity documents were reportedly exposed through public URLs linked to Cannabis Club Systems and PuffPal, raising serious questions about how the industry protects sensitive user data. The incident underscores why privacy is especially critical in cannabis, where leaked information can affect not only finances, but also employment, immigration, reputation, and legal exposure.

How often does a local cannabis club member smoke? What about a tourist? Which strains do they choose? This kind of personal information can be found in the databases of cannabis clubs in Spain and around the world. Fortunately, all this data is stored securely in software systems designed to keep it safe. Or at least, that’s how it should be…

This week, that security chain broke when one of the systems most widely used by cannabis clubs, Cannabis Club Systems, left more than 985,000 identity documents exposed and easily accessible through public URLs without basic controls. While this was supposedly a technical failure, it also raises some more uncomfortable questions, such as how prepared the cannabis industry is to protect one of the most sensitive forms of information it receives from users: their identity.

What Happened?

When you walk into a cannabis club—whether you’re there to become a member or simply as a visitor—it’s very common for staff to collect your personal information for security purposes. This includes a photo of your ID, your age, your nationality, your name, and a photo of your face, among other things. But after that, who stores all this personal information? Where are these documents stored? Who can see them?

A security researcher named Sammy Azdoufal put one of the companies most widely used by cannabis clubs on the defensive after revealing that this information was apparently not as well protected as it should have been.

The platform in question was Cannabis Club Systems (CCS), affiliated with the Irish company Nefos Solutions. CCS developed software for cannabis clubs, including tools for sales, accounting, member enrollment, and identity verification. The same infrastructure was also connected to PuffPal, an app used for QR code-based access and verification processes, where users could upload documents and selfies to verify their identity.

According to the investigation published by The Verge, the problem lay in how that information was stored and exposed. PuffPal was part of the infrastructure where vulnerabilities were detected, but the provider behind the system was Cannabis Club Systems/Nefos Solutions. The files, including images of documents, could be found at public web addresses, with predictable structures and no passwords or access controls.

Azdoufal identified the issue after having already exposed other serious data-protection vulnerabilities. His previous findings ranged from floor-cleaning mini-robots that capture and transmit sensitive personal data to the cameras parents trust in their baby’s room. And now, he’s done it again.

The researcher analyzed PuffPal, the app linked to Cannabis Club Systems, and found that 985,000 photos of cannabis club members’ identification documents were stored at public web addresses, with a predictable structure and no password or real access controls. What kinds of documents? Plenty. Images of passports, national ID cards, driver’s licenses, selfies, and verification photos, as well as phone numbers, addresses, email addresses, strain preferences, and data related to the frequency of visits or consumption at clubs.

All of it sitting out in the open, accessible through public web addresses that contained information about celebrities, tens of thousands of U.S. citizens, and many others who are likely not thrilled that their personal information was so easily accessible.

In a chart shared by The Verge, we can see the system’s scale: more than one million registered profiles, hundreds of thousands of documents or passports, phone numbers, email addresses, Firebase users, and messages. It also shows that a significant portion of the information comes from cannabis clubs in Spain, more specifically in Barcelona, Catalonia, though Italy, France, and South Africa also appear in the data, with figures that suggest there were plenty of cannabis users there too.

Most are members of these clubs, but there is also information on inactive members, visitors, staff, and professional contacts. Let’s not forget: this company works with more than 800 cannabis clubs around the world. 

How the Data Was Exposed

According to The Verge, the problem lay in how Nefos stored and exposed that information. Azdoufal discovered that the documents could be accessed via public URLs with simple patterns. He also found other issues: a Stripe secret key within the app, profiles accessible by modifying identifiers, an exposed administrative portal, and potentially vulnerable private messages between clubs and users.

In other words, the risk wasn’t confined to a single poorly protected file. The flaw appeared to run across several layers of the system: image storage, user profiles, APIs, payments, administration, and messaging.
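The two storage-layer problems described above (documents reachable through predictable public URLs, and profiles reachable by changing an identifier) are both closed by checking ownership on the server and issuing only short-lived signed links. The following is an added illustration, not code from the article or from Cannabis Club Systems; the key, record IDs, URL layout and function names are all constructed for the example.

```python
import hashlib, hmac, json
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: the key lives only on the server, never inside the mobile app.
SIGNING_KEY = b"constructed-demo-key"
# Constructed sample records: which member owns which stored document.
DOC_OWNERS = {"doc-7f3a": "member-1001", "doc-91bc": "member-1002"}

def _mac(member_id, doc_id, expires):
    # JSON-encode the fields so their boundaries cannot be confused.
    msg = json.dumps([member_id, doc_id, int(expires)]).encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

def issue_link(session_member, doc_id, now, ttl=300):
    """Issue a short-lived link, and only to the member who owns the document."""
    if DOC_OWNERS.get(doc_id) != session_member:
        return None
    expires = now + ttl
    query = urlencode({"member": session_member, "expires": expires,
                       "sig": _mac(session_member, doc_id, expires)})
    return f"/documents/{doc_id}?{query}"

def check_link(url, session_member, now):
    """Return 'ok', or the reason the request is refused."""
    parts = urlsplit(url)
    doc_id = parts.path.rsplit("/", 1)[-1]
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    try:
        member, expires, sig = q["member"], int(q["expires"]), q["sig"]
    except (KeyError, ValueError):
        return "malformed"  # unsigned or incomplete URL: nothing is served
    expected = _mac(member, doc_id, expires)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return "bad signature"  # any edited identifier invalidates the link
    if now > expires:
        return "expired"
    # Object-level check: the logged-in member must be the document's owner.
    if member != session_member or DOC_OWNERS.get(doc_id) != member:
        return "forbidden"
    return "ok"
```
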

What cannot be confirmed, however, is whether anyone other than the researcher accessed this information or whether users were fortunate that he was the first to discover it and alert the authorities.

Data Breaches and the Responsibility of Those Who Store Our Information

The company was contacted by The Verge, but instead of providing an effective solution, it offered responses that did not appear to fully address the problem. Eventually, the company shut down the PuffPal app and several vulnerable APIs. The company said it had notified local authorities and was in contact with the Irish Data Protection Commission. Andreas Nilsen, co-founder of Nefos, told The Verge that the company was required to report the breach under European regulations and said it could face penalties.

The European Union’s General Data Protection Regulation requires that certain personal data breaches be reported to the competent authority without undue delay and, if possible, within 72 hours of the organization becoming aware of the incident.

Nilsen also attributed part of the technical responsibility to an outside company that reportedly developed PuffPal, although he acknowledged that ultimate responsibility lay with Nefos. According to the report, the company stated that it would not relaunch the app without an independent security review.

The company issued a statement saying that it had been notified by an independent researcher about vulnerabilities affecting PuffPal components; that it launched an investigation, implemented remedial measures, brought in technical specialists, and reviewed the affected systems. It also stated that, as a preventive measure, PuffPal and its associated backend services had been temporarily suspended while the review remained ongoing, and that the identified endpoints are no longer accessible.

Nevertheless, Cannabis Club Systems disputes the notion that there has been a confirmed public data breach. In the statement, the company insists on distinguishing between the “existence of a vulnerability,” the “potential ability to access information through that vulnerability,” and “verified evidence that information was extracted, distributed, or publicly disclosed.” According to the company, it has not identified any verified evidence that personal information has been published or distributed publicly, although the investigation into unauthorized access is still ongoing.

Why Our Information Is Important

Consumer habits are one of the cornerstones of the modern, capitalist, advertising-driven world we live in. We’re not the ones saying this, it’s literally what marketing is all about. Although it’s still unclear whether anyone actually accessed the information left unprotected by one of the software platforms most widely used by cannabis clubs, this data is private for good reason—and when such leaks occur, the risks can be immediate.

It’s a familiar situation these days: we download an app, sign up on a government website, and enter our date of birth, ID number, and credit card number when we want to buy a couple of tickets, or when we sign up for a cannabis association, book a beauty appointment, or rent a bike.

Our information floats around the internet, and that makes it more vulnerable than we’d like to realize. The thing is, your information and mine are worth a lot. Reports on underground data markets show that scanned documents, driver’s licenses, passports, account credentials, bank information, and even selfies holding an ID can be sold for tens, hundreds, or even thousands of dollars, depending on the type of data, the country, and how complete the package is.

It only makes sense that there is a growing fear around this type of data exposure and that it is becoming increasingly important for the companies we interact with to provide a level of security that actually protects users. In this case, the security failures were preventable.

If someone gains access to your passport, phone number, or address, that in itself poses a risk of fraud, identity theft, phishing, or extortion. But if that information also reveals that you visited a cannabis club, what products you consume, how often, or in which city, the problem is no longer just financial. It can also become an issue related to employment, immigration, family life, reputation, or legal exposure.

In an industry that still grapples with stigma, regulatory gray areas, and inequalities between countries, privacy is not a luxury: it is part of user safety. Many consumers agree to provide documents because the system requires them to do so in order to comply with age, membership, or traceability rules. But that trust comes with one basic condition: that the companies collecting that information protect it.

This case highlights an increasingly evident tension. The cannabis industry is becoming more professional, digitizing its access systems, automating records, and using apps, QR codes, profiles, and databases. But if that infrastructure grows faster than its cybersecurity standards, users end up paying the price.

This article was originally published on El Planteo.


