Full Report
A database of almost a million passports from around the world was leaked online. Note what happened. A high-value credential—a passport—was used in an ancillary low-value authentication system: ID verification for cannabis dispensaries. And it’s the low-value system that got hacked, putting the high-value credential at risk.
Analysis Summary
# Incident Report: Global Passport Data Leak via Cannabis ID Verification
## Executive Summary
A database containing approximately 985,000 passport images and government IDs was found exposed on the public internet without authentication. The breach originated from a vulnerability in third-party APIs that the software company Nefos used to verify customer identities for cannabis dispensaries. The incident highlights the high risk of using "high-value" credentials (passports) in "low-value" ancillary systems with a poor security posture.
## Incident Details
- **Discovery Date:** Approximately April 2026 (Reported as 2 months old by June 26, 2026)
- **Incident Date:** Ongoing until discovery in 2026
- **Affected Organization:** Nefos (via third-party developer 9series)
- **Sector:** Technology / Cannabis Retail Services
- **Geography:** Global (data from around the world; the matter falls under Ireland's DPC as the regulator notified)
## Timeline of Events
### Initial Access
- **Date/Time:** Specific start date unknown; discovery publicized June 2026.
- **Vector:** Exploitation of vulnerable APIs and misconfigured public-facing storage.
- **Details:** Security researcher Sammy Azdoufal discovered nearly one million photo IDs stored on an open server with no password protection or encryption.
### Lateral Movement
- **Details:** Not applicable in the traditional sense; the vulnerability was a direct exposure of a data repository rather than a breach of a secured perimeter requiring movement.
### Data Exfiltration/Impact
- **Details:** 985,000 digital copies of passports and driver's licenses were accessible to any party with the URL. The data was collected for age verification at cannabis dispensaries.
### Detection & Response
- **Discovery:** Discovered by independent security researcher Sammy Azdoufal.
- **Response Actions:** Nefos contacted Ireland’s Data Protection Authority (DPC). The company announced plans to terminate its relationship with the developer (9series) responsible for the vulnerable APIs.
## Attack Methodology
- **Initial Access:** Publicly accessible API/Server via the open internet.
- **Persistence:** Not required; data was persistently exposed due to misconfiguration.
- **Privilege Escalation:** None; no authentication existed to escalate from.
- **Defense Evasion:** None; the system lacked basic monitoring or access controls.
- **Credential Access:** Direct theft of primary identity documents (Passports/DLs).
- **Discovery:** Open-source intelligence (OSINT) and web scanning by a researcher.
- **Lateral Movement:** N/A.
- **Collection:** Automated scraping/access of the unprotected repository.
- **Exfiltration:** Direct download of image files from the exposed server.
- **Impact:** Total loss of confidentiality for nearly 1,000,000 high-value identity documents.
## Impact Assessment
- **Financial:** Potentially significant penalties under GDPR and related EU law for failing to notify the breach within the 72-hour window.
- **Data Breach:** ~985,000 passport and ID images.
- **Operational:** Termination of vendor contracts (9series) and ongoing regulatory oversight.
- **Reputational:** Severe damage to trust in cannabis-related ID verification services and Nefos’s brand.
## Indicators of Compromise
- **Network indicators:** hxxps[://]github[.]com/xn0tsa/because-i-got-high (Researcher analysis repository)
- **Behavioral indicators:** Large-scale outbound traffic from ID storage buckets to unauthorized IP addresses; API calls originating from non-authorized sources.
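The behavioral indicators above (bulk reads from the ID storage bucket, calls from non-authorized sources) are the kind a defender can hunt for in storage access logs. The following is an added example, not code from the report or from Nefos; it runs over constructed log lines in a simplified S3-style layout, and the bucket name, account ID and allowlisted role ARN are assumptions made for the illustration.

```python
"""Detection logic for bulk, anonymous or non-allowlisted object reads from an
ID-document bucket. Added example; the log lines are constructed, not real data."""
import re
from collections import defaultdict

# Simplified S3-style access-log layout (constructed for this example):
# bucket [timestamp] remote_ip requester operation key http_status bytes_sent
LINE_RE = re.compile(
    r"^(?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<requester>\S+) "
    r"(?P<op>\S+) (?P<key>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Hypothetical principal permitted to read the bucket (assumption, not from the report).
AUTHORIZED_PRINCIPALS = {"arn:aws:iam::111122223333:role/verify-svc"}


def build_sample_log():
    """Constructed log: three reads by the service role, two by an authenticated
    but non-allowlisted user, and a 60-object sweep by an unauthenticated caller.
    The requester field is '-' for anonymous access."""
    lines = []
    for i in range(3):
        lines.append(f"id-docs-prod [26/Jun/2026:10:00:0{i} +0000] 10.20.0.5 "
                     f"arn:aws:iam::111122223333:role/verify-svc REST.GET.OBJECT ids/{i:04d}.jpg 200 481203")
    for i in range(2):
        lines.append(f"id-docs-prod [26/Jun/2026:10:05:0{i} +0000] 198.51.100.9 "
                     f"arn:aws:iam::111122223333:user/contractor-dev REST.GET.OBJECT ids/{i:04d}.jpg 200 481203")
    for i in range(60):
        lines.append(f"id-docs-prod [26/Jun/2026:11:00:{i:02d} +0000] 203.0.113.77 - "
                     f"REST.GET.OBJECT ids/{i:04d}.jpg 200 455010")
    # A failed read: excluded from the count because only successful reads leak data.
    lines.append("id-docs-prod [26/Jun/2026:11:01:00 +0000] 203.0.113.77 - REST.GET.OBJECT ids/9999.jpg 404 0")
    return lines


def detect_bulk_reads(lines, authorized_principals=AUTHORIZED_PRINCIPALS, read_threshold=25):
    """Aggregate successful GET.OBJECT calls per source IP and flag sources that are
    anonymous, use a principal outside the allowlist, or exceed the read threshold.
    Returns findings sorted by read count, highest first."""
    per_ip = defaultdict(lambda: {"reads": 0, "bytes": 0, "requesters": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a production pipeline would count and alert on these
        rec = m.groupdict()
        if rec["op"] != "REST.GET.OBJECT" or rec["status"] != "200":
            continue
        stats = per_ip[rec["ip"]]
        stats["reads"] += 1
        stats["bytes"] += int(rec["bytes"])
        stats["requesters"].add(rec["requester"])

    findings = []
    for ip, stats in per_ip.items():
        reasons = []
        if "-" in stats["requesters"]:
            reasons.append("anonymous_requester")
        if any(r != "-" and r not in authorized_principals for r in stats["requesters"]):
            reasons.append("unauthorized_principal")
        if stats["reads"] >= read_threshold:
            reasons.append("bulk_reads")
        if reasons:
            findings.append({"ip": ip, "reads": stats["reads"],
                             "bytes": stats["bytes"], "reasons": reasons})
    findings.sort(key=lambda f: f["reads"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in detect_bulk_reads(build_sample_log()):
        print(f"{f['ip']:>15}  reads={f['reads']:3d}  bytes={f['bytes']:>9d}  {','.join(f['reasons'])}")
```

The threshold is deliberately low for the constructed data; in practice it would be tuned to the verifier's normal per-session read rate, and the anonymous-requester rule alone should never fire on a bucket that holds identity documents.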
## Response Actions
- **Containment:** Secured the exposed server/API (implied).
- **Eradication:** Terminating the partnership with the third-party developer (9series) who built the vulnerable infrastructure.
- **Recovery:** Coordinating with the Ireland Data Protection Authority (DPC) to formalize a victim notification process.
## Lessons Learned
- **High-Value Data in Low-Value Systems:** Governments and businesses are increasingly requiring "Know Your Customer" (KYC) data, but the security of the collectors often does not match the value of the data collected.
- **Third-Party Risk:** Nefos relied on a third-party developer (9series) whose poor coding practices (vulnerable APIs) led to the breach.
- **Regulatory Failure:** The failure to report the breach within GDPR's mandatory 72-hour window indicates the absence of a working incident response plan.
## Recommendations
- **Encryption at Rest:** All identity documents must be encrypted at rest using industry-standard algorithms and managed keys.
- **Vendor Risk Management:** Conduct rigorous security audits of third-party developers and APIs before integration.
- **Zero-Knowledge Proofs:** Explore technologies that verify age without requiring the storage of a full passport image.
- **Defense in Depth:** Implement strict IAM (Identity and Access Management) and ensure no production data is stored in publicly accessible buckets or unauthenticated APIs.
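The "Encryption at Rest" and "Defense in Depth" recommendations can be turned into a configuration check that runs before data is ever written to a bucket. The following is an added example, not code from the report or from any of the companies named; it audits a constructed bucket configuration whose schema is loosely modelled on S3 settings (public access block, resource policy, default encryption), and the bucket name, account ID, role ARN and key id are placeholders.

```python
"""Audit a storage bucket configuration for the failure modes behind this incident:
public access not blocked, a resource policy open to any principal, and no
encryption at rest. Added example; the configs below are constructed."""
import json


def _as_list(value):
    """Policy fields such as Principal.AWS, Action and Resource may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True when a statement names everyone: Principal "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def audit_bucket(config):
    """Return a list of finding strings for one bucket config dict with keys
    name, public_access_block (four booleans), policy (JSON string), encryption (dict or None)."""
    findings = []
    name = config["name"]

    pab = config.get("public_access_block") or {}
    for flag in ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"):
        if not pab.get(flag, False):
            findings.append(f"{name}: public access block setting {flag} is off")

    policy = json.loads(config["policy"]) if config.get("policy") else {"Statement": []}
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements with Principal "*" are a hardening pattern, not an exposure
        # A wildcard principal with no Condition is unconditionally public; conditioned
        # statements (e.g. restricted to a VPC endpoint) need manual review instead.
        if _is_public_principal(stmt.get("Principal")) and not stmt.get("Condition"):
            actions = ",".join(_as_list(stmt.get("Action")))
            findings.append(f"{name}: statement {stmt.get('Sid', '<no Sid>')} allows {actions} to any principal")

    enc = config.get("encryption")
    if not enc:
        findings.append(f"{name}: no default encryption at rest configured")
    elif enc.get("algorithm") not in ("AES256", "aws:kms"):
        findings.append(f"{name}: unrecognised encryption algorithm {enc.get('algorithm')!r}")

    return findings


# Constructed "before" configuration: the conditions the report describes.
WEAK_BUCKET = {
    "name": "id-docs-prod-example",
    "public_access_block": {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                            "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::id-docs-prod-example/*"}]}),
    "encryption": None,
}

# Constructed hardened configuration: reads limited to one service role, TLS enforced, KMS at rest.
HARDENED_BUCKET = {
    "name": "id-docs-prod-example",
    "public_access_block": {k: True for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                              "BlockPublicPolicy", "RestrictPublicBuckets")},
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "VerifierRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/verify-svc"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::id-docs-prod-example/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::id-docs-prod-example/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}),
    "encryption": {"algorithm": "aws:kms", "kms_key_id": "PLACEHOLDER-KMS-KEY-ID"},
}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_BUCKET), ("hardened", HARDENED_BUCKET)):
        result = audit_bucket(cfg)
        print(f"[{label}] {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

The check is deliberately strict about unconditioned wildcard principals and silent about conditioned ones, since a Deny with Principal "*" is how transport encryption is enforced; the same structure extends to other cloud providers' public-access and encryption settings.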