
Nearly a million passports and photo IDs were exposed online

A security researcher says software used by cannabis clubs in Spain exposed nearly one million photo identification documents and other personal data through publicly accessible web addresses and APIs that lacked proper access controls.

Sammy Azdoufal, known for previous research into vulnerable connected devices, told The Verge he found more than 985,000 IDs associated with Cannabis Club Systems, an Irish company also known as Nefos Solutions. The company provides sales, accounting, admissions, and verification tools for clubs. Its PuffPal app allowed faster entry by using QR codes linked to stored member records.

According to Azdoufal, passports, driver’s licenses, selfies, phone numbers, addresses, cannabis preferences, and consumption details could be retrieved without meaningful access controls. He said visitors from several countries were included, with Spain, Italy, France, South Africa, and Britain among the largest groups and about 30,000 users from the United States. The exposed records also reportedly included public figures.

The researcher said he found a payment platform key embedded in the app, member profiles that could be retrieved simply by changing numerical identifiers in requests, and image files stored at predictable public URLs. He also reported an internet-facing admin portal, weak club passwords, and private messages that were likewise exposed.
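Two of the findings above, profiles reachable by changing a numeric id and images at guessable URLs, are the classic broken object-level authorization pattern. The following is an added illustration, not code from Nefos, PuffPal or the researcher: a constructed two-member dataset, the flawed lookup beside a hardened one that authorizes against the record (and answers "not found" to both missing and forbidden ids so they cannot be enumerated), and HMAC-signed expiring image URLs in place of `/uploads/<id>.jpg`. Member names, ids and the signing key are all invented for the example.

```python
import hmac
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data (not real member records): two members of two different clubs.
@dataclass
class Member:
    id: int
    club_id: int
    name: str
    passport_no: str
    # Opaque random storage key for the ID photo instead of a path derived from the member id.
    photo_key: str = field(default_factory=lambda: secrets.token_urlsafe(32))

MEMBERS = {
    1001: Member(1001, club_id=1, name="Alice", passport_no="X1234567"),
    1002: Member(1002, club_id=2, name="Bob", passport_no="Y7654321"),
}

class NotFound(Exception):
    """Raised for both missing and forbidden records so a caller cannot tell which ids exist."""

def get_profile_vulnerable(requester_id: int, target_id: int) -> dict:
    """Broken object-level authorization: the session proves who the caller is,
    but the id taken from the URL is served without checking the caller may read it."""
    m = MEMBERS.get(target_id)
    if m is None:
        raise NotFound
    return {"name": m.name, "passport_no": m.passport_no, "photo": f"/uploads/{m.id}.jpg"}

def get_profile_hardened(requester_id: int, target_id: int,
                         staff_of_club: Optional[int] = None) -> dict:
    """Authorize against the record: a member may read only their own profile,
    club staff only profiles of their own club. Anything else looks like a 404."""
    m = MEMBERS.get(target_id)
    if m is None or (requester_id != m.id and staff_of_club != m.club_id):
        raise NotFound
    return {"name": m.name, "passport_no": m.passport_no, "photo": f"/media/{m.photo_key}"}

def enumerate_profiles(fetch, requester_id: int, id_range) -> list:
    """What one logged-in user can harvest by walking sequential ids against `fetch`."""
    found = []
    for i in id_range:
        try:
            found.append(fetch(requester_id, i))
        except NotFound:
            pass
    return found

# Signed, expiring image URLs: an unguessable key alone still leaks forever once shared.
SIGNING_KEY = secrets.token_bytes(32)   # hypothetical server-side secret, never shipped in the app

def sign_photo_url(photo_key: str, expires_at: int, key: bytes = SIGNING_KEY) -> str:
    msg = f"{photo_key}:{expires_at}".encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"/media/{photo_key}?exp={expires_at}&sig={sig}"

def verify_photo_url(url: str, now: Optional[int] = None, key: bytes = SIGNING_KEY) -> bool:
    """Accept only an unexpired URL whose signature covers both the key and the expiry."""
    now = int(time.time()) if now is None else now
    path, _, query = url.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    photo_key = path.rsplit("/", 1)[-1]
    try:
        expires_at = int(params["exp"])
    except (KeyError, ValueError):
        return False
    expected = hmac.new(key, f"{photo_key}:{expires_at}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, params.get("sig", "")) and now < expires_at

if __name__ == "__main__":
    # Alice, logged in as an ordinary member, walks ids 1000..1009 against both handlers.
    print(len(enumerate_profiles(get_profile_vulnerable, 1001, range(1000, 1010))), "records via flawed lookup")
    print(len(enumerate_profiles(get_profile_hardened, 1001, range(1000, 1010))), "records via hardened lookup")
    url = sign_photo_url(MEMBERS[1001].photo_key, int(time.time()) + 300)
    print("signed url valid:", verify_photo_url(url))
```

The important design choice is in `get_profile_hardened`: the ownership check is applied to the object itself, not inferred from the route being behind a login, and the forbidden case is indistinguishable from a missing record. The embedded payment key mentioned above has the same remedy as `SIGNING_KEY` here: it belongs on the server, with the mobile app only ever holding short-lived, scoped credentials.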

Nefos co-founder Andreas Nilsen told The Verge the company has contacted Ireland’s Data Protection Commission, shut down PuffPal and vulnerable APIs, and plans to notify affected users. He said there was no evidence that anyone other than Azdoufal accessed the data. The regulator confirmed contact with the company.

Remediation took more than one pass. The report says Nefos initially restored access to some images after clubs reported service problems, then later closed additional profile-data vulnerabilities identified by Azdoufal. Nilsen attributed parts of the implementation to outsourcing firm 9Series, which did not comment before publication. He said Nefos expects penalties under EU data protection rules and will seek an independent security review.
