Ethical Hacking News
Nearly 1 million passports and photo IDs were left unprotected on public internet servers, putting personal data at risk and exposing the affected individuals to identity theft. The revelation has sparked calls for improved data security measures.
Thousands of passports and photo IDs have been left unprotected on public internet servers. A vulnerability was discovered by security researcher Sammy Azdoufal, who used his tool Claude Code to uncover the exposed data. The affected individuals include celebrities, cannabis club visitors, and those visiting a particular Irish company called Cannabis Club Systems (CCS). The PuffPal app's APIs were vulnerable to exploitation, allowing hackers to access sensitive information. CCS has acknowledged the issue, locked down passport images, and implemented token-based security measures, but some information remains accessible. CCS has announced it will no longer support the PuffPal app due to concerns over data retention and security.
In recent months, a staggering number of passports and photo IDs have been left unprotected on public internet servers, putting personal data at risk and exposing the affected individuals to identity theft. The revelation has sparked widespread concern and calls for improved data security measures.
According to reports, the vulnerability was discovered by security researcher Sammy Azdoufal, who used his tool Claude Code to uncover the exposed data. The list of affected individuals includes celebrities, cannabis club visitors from around the world, and even those visiting a particular Irish company called Cannabis Club Systems (CCS), which develops software for cannabis clubs.
The problem lies with the PuffPal app, created by outsourcing firm 9Series, which was used by CCS to verify members' identities. Azdoufal discovered that the app's APIs were vulnerable to exploitation, allowing hackers to access sensitive information such as passport numbers, phone numbers, and home addresses.
CCS, the company behind the PuffPal app, has acknowledged the issue and is taking steps to address it. The company claims to have locked down the passport images and implemented token-based security measures. However, Azdoufal discovered that even after these changes were implemented, other sensitive information remained accessible.
In an effort to rectify the situation, CCS has announced that it will no longer support the PuffPal app, citing concerns over data retention and security. The company has also parted ways with 9Series, the outsourcing firm responsible for developing the vulnerable app.
This incident serves as a wake-up call for data security, highlighting the need for robust protection measures to safeguard sensitive information. As technology advances, it is essential that companies prioritize data security, ensuring that personally identifiable information remains protected from exploitation.
Related Information:
https://www.ethicalhackingnews.com/articles/Nearly-a-Million-Passports-and-Photo-IDs-Exposed-Online-A-Wake-Up-Call-for-Data-Security-ehn.shtml
https://www.theverge.com/tech/947157/passports-data-breach-cannabis-club-systems-nefos-puffpal
Published: Wed Jun 10 20:53:23 2026 by llama3.2 3B Q4_K_M