Cannaleaks: 985,000 Cannabis Club ID Scans Left Open on Public URLs
Security researcher Sammy Azdoufal found nearly 985,000 passports, national IDs and driver's licenses from the PuffPal cannabis club app sitting at predictable public web addresses with no password or access control. The system, built by Irish firm Nefos Solutions, held over 1 million member profiles. High Times reported the leak on June 17, 2026.
VaultTools · June 18, 2026
Table of Contents
- What happened
- What was exposed
- How it happened
- The disclosure timeline
- Why this matters for browser-based file tools
- Sources
What Happened
Nearly 985,000 official identity documents tied to cannabis club members were left sitting on the public internet with no password, no encryption and no access control, according to reporting by High Times published on June 17, 2026.
The documents belonged to users of PuffPal, a membership app built by the Irish company Nefos Solutions through its Cannabis Club Systems (CCS) platform. The system served over 800 cannabis clubs, concentrated in Spain (particularly Barcelona), Italy, France and South Africa, and held more than one million registered member profiles.
The exposure was discovered by Sammy Azdoufal, an independent security researcher, who found that members’ uploaded identity images were stored at predictable, completely open web addresses. Anyone who knew or guessed the URL could open the files.
What Was Exposed
Per High Times and corroborating reporting, the exposed records included images of passports, national ID cards, driver’s licenses, selfies and verification photos. Alongside the document scans sat phone numbers, home addresses, email addresses, passport numbers, members’ cannabis strain preferences, and data on how often they visited or consumed at clubs. Private messages between clubs and users were also reachable.
This is identity-grade data. A passport scan, a matching selfie and a home address are exactly the set a fraudster needs to pass a remote identity check or open an account in someone else’s name.
How It Happened
According to Azdoufal, the Nefos backend (called CCS Nube) used sequential user indexing and applied no protection at all to stored files. There was no authentication token, no session cookie, no API key and no password guarding the documents. Because the addresses followed a predictable structure, walking from one record to the next was trivial.
The researcher also reported finding a Stripe secret key stored in plain text inside the PuffPal app’s code, which would have let anyone with minimal skill reach user payment data directly.
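The two defects described above, sequential identifiers and a file endpoint with no authorization, are the ones a defender would fix first. The following is an added illustration, not code from PuffPal, Nefos or VaultTools, of how a document store is normally guarded: random non-sequential ids, an ownership or club-membership check before any link is handed out, and a short-lived HMAC-signed link bound to the requesting user so that a copied or guessed address is useless. The `Document`, `Requester`, `STORE` and role names are hypothetical, the sample scans are constructed, and the signing key lives only on the server (unlike the Stripe key the researcher reported inside the app bundle).

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Server-side signing secret. Generated per process here for the example; in
# production it comes from a secrets manager and is never shipped in an app.
SIGNING_KEY = secrets.token_bytes(32)


@dataclass(frozen=True)
class Document:
    doc_id: str     # random identifier, not a row counter (hypothetical schema)
    owner_id: str   # member who uploaded the scan
    club_id: str    # club that may verify it
    content: bytes  # stands in for the stored image file


@dataclass(frozen=True)
class Requester:
    user_id: str
    club_id: str
    role: str       # "member" or "staff"


def new_doc_id() -> str:
    """128 bits of randomness: knowing one id reveals nothing about the next."""
    return secrets.token_urlsafe(16)


# Constructed sample store (three scans across two clubs).
STORE = {}
for owner, club, payload in [("m-1001", "club-bcn", b"PASSPORT-SCAN-A"),
                             ("m-1002", "club-bcn", b"PASSPORT-SCAN-B"),
                             ("m-2001", "club-rome", b"ID-CARD-SCAN-C")]:
    doc = Document(new_doc_id(), owner, club, payload)
    STORE[doc.doc_id] = doc


def is_authorized(doc: Document, who: Requester) -> bool:
    """Owner may see their own scan; staff may see scans uploaded to their own club."""
    if who.user_id == doc.owner_id:
        return True
    return who.role == "staff" and who.club_id == doc.club_id


def _mac(doc_id: str, user_id: str, exp: int) -> str:
    msg = f"{doc_id}|{user_id}|{exp}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_link(doc_id: str, who: Requester, ttl_seconds: int = 300,
               now: Optional[float] = None) -> Optional[dict]:
    """Authorize first, then mint a short-lived link bound to this user."""
    doc = STORE.get(doc_id)
    if doc is None or not is_authorized(doc, who):
        return None  # same answer for missing and forbidden: no existence oracle
    exp = int((now if now is not None else time.time()) + ttl_seconds)
    return {"doc_id": doc_id, "uid": who.user_id, "exp": exp,
            "sig": _mac(doc_id, who.user_id, exp)}


def serve(link: dict, now: Optional[float] = None) -> Optional[bytes]:
    """The file endpoint: check expiry and signature before touching storage."""
    try:
        doc_id, uid, exp, sig = link["doc_id"], link["uid"], int(link["exp"]), link["sig"]
    except (KeyError, TypeError, ValueError):
        return None
    current = now if now is not None else time.time()
    if current > exp:
        return None
    if not hmac.compare_digest(sig, _mac(doc_id, uid, exp)):
        return None  # any edit to doc_id, uid or exp invalidates the link
    doc = STORE.get(doc_id)
    return doc.content if doc else None


if __name__ == "__main__":
    owner = Requester("m-1001", "club-bcn", "member")
    some_id = next(k for k, d in STORE.items() if d.owner_id == owner.user_id)
    link = issue_link(some_id, owner)
    print("owner link served:", serve(link) is not None)
    print("other club staff:", issue_link(some_id, Requester("s-9", "club-rome", "staff")))
```

The order of operations is the point: the storage path is never the URL, the authorization decision happens before a link exists, and the link itself expires and is tied to one user, so the three failure modes reported here (guessable addresses, no access check, a credential usable by anyone who holds it) are each closed separately.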
The Disclosure Timeline
The leak did not close cleanly. After access was first restricted, the platform reopened it on June 4, 2026 because some clubs complained they could no longer see their members’ photos. While the data sat open, roughly 5,000 new documents were being added every day. The system was not fully shut down until June 10, 2026, when Nefos cut off the entire PuffPal setup and broke with the provider that built it.
Andreas Nilsen, co-founder of Nefos, told The Verge the company was “required to report the breach under European regulations” and said it “could face penalties.” Nefos said it had notified local authorities and was in contact with the Irish Data Protection Commission. Under the GDPR, qualifying breaches must be reported within 72 hours.
Why This Matters for Browser-Based File Tools
The Cannaleaks pattern is the same one behind hotel check-in leaks, visa portals and fintech KYC spills: a sensitive document gets uploaded to someone else’s server, a copy is stored, and a single configuration mistake turns that copy into a public file. The members did nothing wrong. They scanned a passport because an app asked them to, and the storage behind it was wide open.
A file that never leaves the device cannot sit in an open bucket or behind a guessable URL. When document processing runs locally in the browser, there is no upload, no server-side copy, and no storage configuration to get wrong later. VaultTools runs every PDF and image tool client-side through WebAssembly: the bytes stay on your machine, so the failure mode that exposed nearly a million ID scans simply does not exist.
If you need to convert, compress, redact or strip metadata from an identity document, doing it on-device removes the server copy entirely. There is nothing to leak.