An App Just Exposed a Million Passports. Immigration Platforms Should Be Paying Close Attention.
Here's a sentence that shouldn't be possible in 2026: a security researcher joined a cannabis club in Barcelona, decompiled its companion app, and within days had pulled up more than 900,000 people's passports, national ID cards, and driver's licenses - just by changing a number in a URL.
No hacking. No stolen credentials. No exploit chain. Just a predictable web address and a server that would hand over anyone's full identity file to whoever asked.
The story, first reported in depth by Sean Hollister at The Verge, is worth reading in full. But it's also worth reading as a warning label for anyone building - or choosing - software that touches identity documents. Immigration platforms are exactly that kind of software, and the stakes there are categorically higher than a cannabis club membership list.
What actually happened
The backend in question, CCS Nube, is built by Cannabis Club Systems, a business unit of the Irish company Nefos Solutions. It's used by 377 cannabis clubs across more than 40 countries to manage memberships, identity verification, and payments. Security researcher Sammy Azdoufal - himself a member of a Barcelona club - decompiled PuffPal, an optional companion app for QR-code club entry, and found that the backend assigned members sequential ID numbers and returned complete profiles to anyone who sent a basic web request, no login required.
What he found sitting behind those unauthenticated URLs, according to his own count as reported by The Verge and corroborated by Boing Boing's coverage:
→ 1,082,680 member records
→ 923,543 passport or national-ID numbers
→ 985,841 identity-document photographs, including passports, national ID cards, and driver's licenses
→ Home addresses, phone numbers, dates of birth, and - specific to this platform - members' monthly cannabis consumption figures and strain preferences
He also found a live Stripe secret key hardcoded in plain text inside the app, Firebase credentials exposing push-notification tokens for over 25,000 accounts, and thousands of private member-to-club messages readable across unrelated accounts. Clubs were uploading roughly 5,000 new identity-document photos a day into this system. Azdoufal says the exposure reached members in more than 40 countries, including an estimated 30,000 U.S. citizens and more than 100,000 French citizens - plus, per his reporting, a number of public figures who evidently didn't expect their cannabis use to become a matter of public record.
The response is the part that should really concern you
Azdoufal reported the vulnerability to Nefos on April 22. He got no reply for 26 days - well past the 72-hour window the EU's GDPR requires for breach notification. When Nefos did act, it locked down the identity-document images, then reopened them on June 4 after clubs complained they could no longer see member photos at the front desk. The full PuffPal system wasn't taken offline until June 10, apparently only after it became clear The Verge was about to publish. Co-founder Andreas Nilsen has since said the company is cooperating with Ireland's Data Protection Commission, is parting ways with the outside developer that built the app, and expects a penalty.
In other words: given a straightforward choice between customer convenience and a known, live exposure of nearly a million people's passports, the company chose convenience - twice - before public pressure forced a full shutdown.
Why this matters beyond cannabis clubs
This isn't an isolated case. THSuite exposed roughly 30,000 U.S. cannabis customers' data in an unsecured cloud bucket back in 2020. The Stiiizy breach compromised passports and photos for more than 420,000 customers in 2025. Just weeks before the Nefos story broke, an unofficial UK visa portal left at least 100,000 passports and verification selfies sitting in a misconfigured cloud bucket. Identity-document collection has become routine across retail, hospitality, and government-adjacent services - and the security discipline required to handle it responsibly has not kept pace.
Immigration platforms sit at the sharpest edge of that gap. The documents involved - passports, national IDs, birth certificates, proof of relationship, employment records - aren't just sensitive in the abstract. For someone navigating an asylum claim, a VAWA petition, or an adjustment of status, a leaked identity document isn't a privacy inconvenience. Depending on the person's circumstances, it can mean exposure to an abuser, risk to family members still in a home country, identity theft that derails a pending case, or, in the worst scenarios, becoming a target for extortion or immigration fraud built on real, leaked documents.
That's a fundamentally different risk profile than a cannabis club membership list, and it deserves a fundamentally different security bar - not just "we use a cloud provider," but real, verifiable practices: no sequential or predictable resource IDs, no secrets hardcoded into client-side code, authorization checked at the object level on every request, and a breach-response plan that doesn't wait a month to answer a security researcher's email.
Where we land on this
It's part of why Fillvisa Free's defining constraint is that it never leaves the browser at all - there's no server to breach, no database of passport photos sitting behind a predictable URL, because there's no database. The data a person enters stays on their own device, full stop.
Fillvisa Plus is a different model by necessity - case management for professionals genuinely requires shared, cloud-based storage. But the Nefos case is a useful reminder of what that tradeoff actually costs if it's not taken seriously, and why "we're in the cloud" should never be treated as a finished security story rather than the start of one.
If you're evaluating any platform that will hold your clients' passports, IDs, or immigration case files - ours or anyone else's - it's worth asking directly: what happens if someone changes a number in a URL?
Fillvisa Free (fillvisa.com) is a fully client-side tool for filling out USCIS forms - nothing uploaded, no account required. Fillvisa Plus (plus.fillvisa.com) is our cloud-based case management platform for immigration professionals.
Sources
Sean Hollister, The Verge, "Nearly a million passports and photo IDs were left unprotected on the public internet" - theverge.com
Boing Boing, "A million passports leaked online by marijuana club portal" - boingboing.net
Daring Fireball, summary and commentary on The Verge's reporting - daringfireball.net
Newsweed, "Data leak: one million Cannabis Club members exposed online" - newsweed.fr
High Times, "Cannaleaks: Nearly One Million Cannabis Club Users' Data Was Exposed" - hightimes.com