> Note what happened. A high-value credential—a passport—was used in an ancillary low-value authentication system: ID verification for cannabis dispensaries. And it’s the low-value system that got hacked, putting the high-value credential at risk.
Why do these systems hold onto user's data post verification?
I have a story about this, although it's a bit convoluted and not entirely related. But it does showcase low-value usecase compromising a high-value auth mechanism.
I was working on a project, client is a Real Estate agency, they use a CRM where they upload houses and it in turn uploads it to various sites like Zillow. We needed a list of their listed houses, so we wanted to use that data source instead of making a CRUD where they have to add houses yet again.
We ask the CRM sales team about APIs, they tell us that there's no accounts for third parties, client accounts have APIs, so we have to ask the client for an API key (or for their account password).
Which makes sense in general I guess, but the data is public in our case, so the CRM sales staff 's idea was that we should ask the client to let us access their account in order to get public data. We proceeded to scrape the houses from a website like Zillow like cavemen.
As it happens, our project was ancilliary low-value. So I don't doubt that the clients of this CRM are vulnerable in a similar way, and the root cause of the issue isn't evident at all, I can see 2:
1- Paradoxically, having an API that always requires an API KEY (as opposed to allowing unauthenticated access for public data) is less secure, as credentials/tokens will be used more often when not necessary.
2- This CRM effectively acted as an aggregator, consuming the APIs to publish to other vendors, but they don't provide an API for other vendors to read data from them. This effectively causes third party vendors to authenticate as the client, which is just incorrect. Credentials should identify a person/group, not a usecase.
This is a really great story. It is super short and understandable, and nails the point that just falling into the default case of authenticating everything can hurt security. If someone was teaching a some sort of software engineering seminar, they should totally steal it.
I'm not sure how it works in the EU, but in the US, most states have a "PMP" (prescription monitoring program) that tracks the sale of marijuana in many states (nevermind that its not an actual prescription, but it is a controlled substance) and viewable by your doctor back up to ~12 months or so. Most people don't know this however and think it works like alcohol sales where it's sold after ID verification and then everyone forgets about it. Some states treat marijuana sales like prescription drug dispensing, it has to be reported to a central database including the intimate details of the persons involved. I have no idea if this is the case in Spain, however.
It's not like this in USA for cannabis. States with medical programs issue medical cards and the dispensary uses that as the only form of ID. For adult-recreational the dispensary can choose their ID verification system. Many use ID scanners connected to their online POS provider. The State run system doesn't track retail sales to an individual.
OMG, I forgot that AZ and VT have very unique programs. Basically everyone else is on BioTrack or Metrc which are dedicated cannabis "track and trace" - ex-pharmacy infrastructure
Why wouldn't they? There are probbaly significant downsides if they fail an audit requirement, and they're probably mandated to retain records for some period, with no consequences to extended retention.
Set up a system so that it costs you nothing to do a bad thing but possibly wrecks you legally and financially to do the good thing, and people will inevitably do the bad thing. They shouldn't be collecting this information in the first place.
The people who design these policies are incapable of actually building things that work. They are not the intelligent, competent leaders exercising a careful craft that they like to pretend they are.
They keep going after age verification, online ID, central bank digital currencies, etc - keep this incident in mind. The people who implement and write these policies are morons. They don't game things out and plan for redundancy or resiliency. They don't take into account bad faith actors. They don't account for deliberate exploitation of the system.
They most likely weren't allowed to keep it past the verification per GDPR art.5. Once the passport has been verified for whatever purpose they needed it ("age verified to be > 18yo on 2026-06-12" or "identity verified to be XXXX YYYY"), there is no legitimate use for the passport photo and details anymore, and they should delete it.
(I'm naive in this area, but..) I wonder if the various "proof of age" laws coming into play will clash with the GDPR in insidious ways. Like requiring identity providers to hold definitive "proof" of why they made an assessment rather than merely proving and discarding. I assume/hope there is some cryptographic way to do this rather than hang on to passport and ID images, however.
There are established ways / protocols to hold and provide cryptographically valid proof of a verification process, without any need to keep the actual id images in any storage. And to my knowledge there is no requirement for compliant KYC (Know your customer) to provide their ID as a proof as long as the verification process itself is compliant and audited in accordance to certain criteria.
You can compare this in a certain way to file hashes. A successful verification with a predefined minimum level of credibility can be encrypted to a special string for later being used, if a service needs to verify the person again. It doesn't matter then, that the original passport images or video ident has been deleted the second after id verification has been completed.
There's a law forbidding storage beyond necessary minimum and law punishing such behaviour unless another law necessitated storage of the original document in the unsecured, unencrypted form. Doubtful.
There's also laws mandating secure systems design.
Separately there's no _need_ to store the original document if the verification system is sound (and audit real, not some phony crap like in some of the scandals posted here on HN).
If you need to prove you sold to real people, storing their credentials is a necessary thing, for as long as your need to prove that. At least with the way things currently are.
How else do you expect it to work? ‘Honest, we checked’ checkboxes?
Much as passports are very important for proving identity etc, people who travel have had their passport scanned, photographed or photocopied by pretty much every hotel they've stayed in. I'm not sure the shoebox in the backroom in Koh Samui with the photocopies in constitutes good storage hygiene protocols.
How that doesn't turn into rampant identity theft I don't know, or maybe it does? Not, happily, for me... yet.
the whole "not being an automatable remote sql injection away from everything" quality of physical objects grants a filing cabinet a tremendous amount of inherent security compared to anything digital.
Not sure if they're still doing this, but as of a few years ago, the IRS was still using literal trucks full of tapes to transport data to backup facilities. Tapes are good for this because they don't degrade as quickly as hard drives, so if you're actually looking to do archival storage that will outlast the cloud provider of the decade, they are surprisingly practical.
I am working on hotel software. And we are doing an automated kiosk check in with identity scanning. I’m seriously stressed about holding on to this kind of toxic waste. I am trying to limit it as much as possible. For example throwing away scans as fast as possible (within regulatory allowances). But I would love to hear any ideas anyone has in terms of further security. Obviously the documents are not just on a public bucket. But I’m considering maybe encrypting each document with a separate key, or something along those lines.
Encrypt the data with an asymmetric key; and keep the decryption key somewhere offline. You can get a hardware token to store the key on (I think a yubikey can do this).
My guess is that the machine readable chip standards and the production quality required to replicate a physical passport are high enough that only the most organized of organized crime can fake the highest value passports effectively, and if a passport is easy to replicate, it is less likely to have visa free access to most countries.
To second the photographed/photocopied requirements, as an expat, I am frequently asked to send a scan of my passport to people or entities that are not necessarily the most secure.
I also have a couple of important documents that are literally PDFs. My Canadian citizenship certificate is a PDF with a barcode in it, that I can print off a copy of if I need to mail it, or show on my phone to a consular office or a border guard if needed. My work visa here in New Zealand is a PDF with my passport number and a visa number, which my workplace and bank checked with an online database. Fundamentally, these and my passport are pointers to a row in various databases.
AFAIK not all NFC-enabled passports support Active Authentication. E.g least before US passports did not support it so cloning them is as easy as reading them via NFC.
So you cant fake non-existing passport because of issuer signature, but cloning is not a rocket science for many countries passports.
Stealing a shoebox of photocopied passports from every hotel in the city sounds like way more work and way riskier than downloading an already aggregated trove of digital data.
Ok, how about the google photos archive from the hotel next door with 1000s of pictures of passports taken on the shared unlocked $100 android phone that sits on the front desk? Not millions I grant you, but again, there doesn't seem to be an issue with active exploitation of these.
There is an issue with active exploitation of passports, of course the scale can change. Due to banking KYC / other KYC laws there's a market for these copied identities and of course so criminals don't even get a speedbump by KYC whereas the boot is used up the ass of the normal person trying to pass KYC when they're missing some stupid document like proof of address.
The lack of security is one thing, but why have they retained the information at all!
iirc, one of the elements of GDPR is "storage limitation", i.e. you must not keep personal data for longer than you need it - and in this case, the data is only needed to verify the age of the user, and shouldn't ever be required again (unless people can now get younger).
Once a document has been used to verify a person's identity and that the person is of legal age, there is no reason to retain a copy of the document any more.
It would be reasonable and fair to retain a photo of the user to verify that the person matches the account, but that's it.
In case you want to retrieve your test scores 10 years after you took it. They need some way to uniquely identify you. Sure, they could have given you a specific test taker ID, but what if you lost that? They could have created a way for you to log in with an e-mail address, but what if you changed e-mail addresses?
You might think "Why would I need my test scores from 10+ years ago?", but my wife just started a job and they demanded her college transcripts to prove she went there...over 20 years ago.
I was appalled when renewing my car this year that I now need a Texas by Texas account (https://www.texas.gov/texas-by-texas/), which wants... a social security number because why?!?!
I've had stuff like this happen too, and always wondered if they really leaked my data or were just notifying everyone whose data they possibly leaked.
I'm not american, but the idea that your SSN, which is effectively a (federal) unique identifier for a person, would be secret, is very foreign.
In most countries, like most databases, our primary keys do not hold an expectation of secrecy.
I would even argue that the expectation of secrecy is what creates it's secret semantics, that is, it's secret because you make it secret. I get that it's a collective action thing, if you just publish your own SSN, a bank in another state might not be aware it's a public thing for YOU, and might open an account for a stranger.
Interestingly enough, for corporations, their identifiers, EIN, are not assumed to be private, in many states these are available through the DoS public records. So it turns out the system works just fine if you make the ID of a person (juristic or legal) public.
100s of millions have definitely been exposed already. The best defence is probably to be a baby so your risk window is minimal. I haven't been able to pull that off personally, so I follow the other recommended piece of advice which is to keep your credit checks permanently frozen with the agencies and only temporarily thaw it for specific usages.
> Once a document has been used to verify a person's identity and that the person is of legal age, there is no reason to retain a copy of the document any more.
Might KYC laws and general CYA policies prefer to keep the proof of age? For instance to protect e.g. against a minor altering the date on their passport. Especially in such a regulated industry.
The EDPB has explicitly ruled on that, when it comes to age verification^1, you should delete: "Trust models are crucial to prevent data breaches in age assurance contexts [...] once the user's age is verified, no record of the personal data used for the age assurance process is kept".
> The documents were hosted by systems used by cannabis clubs and a company called Nefos, which operates PuffPal, a platform that manages membership and age verification for cannabis retailers and clubs across Europe. The infrastructure storing these identity documents—full passport scans, driver’s licenses with photos, names, and identifying numbers—was left completely unprotected on publicly accessible web servers.
I cannot imagine the level of fines under GDPR for leaking that much PII
Is it requirement to retain the documents? Many are waiting for gatekeeper tech companies to organise around attestation rather than submission to third parties. I hope they are making progress.
I had to receive a letter from France (I'm not french, I don't live in France, but we've got family real estate there). To be able to open this letter, online (!), I had to scan my EU ID card, tilt it, and scan my face (pointing at the camera, looking to the left, etc.).
We're talking about a major french institution here, either public or private but colluding with the government to have their monopoly (don't know, don't care: they're all the same worms to me).
Speaking of which... There's been a recent case in France where a very nice lady working for some public institution (basically the IRS) was giving the name/wealth of "targets" to her brother so that her brother and his friends could go and kidnap/torture (fingers of victims have been cut) family members of rich french persons.
It's sickening and the real culprits are those creating the laws mandating this full on surveillance apparatus.
> Zero password protection on document storage systems
>
> No encryption for sensitive identity verification data
>
> Public URL access with no authentication requirements
>
> No access logging or monitoring systems in place
Pretty much the bingo of secure storage, even CTF demos make it less obvious. Storing a document that they have no business keeping in the first place, with no security whatsoever.
So much of our information is being leaked nowadays that news like these don’t surprise me anymore…
I think everyone should understand that if they truly want something private, storing it offline or destroying it completely, are the only safer options.
Any sort of convenience to access said data, is a possible surface of attack.
> It's ok to post stories from sites with paywalls that have workarounds.
> In comments, it's ok to ask how to read an article and to help other users do so. But please don't post complaints about paywalls. Those are off topic. More here.
It was written by the Verge, and this Cambridge summary admits that (the first paragraph "journalist" is the original author at the Verge).. perhaps we can go back to original source? It's been submitted twice.
80 comments:
Is this the CA from FB fame? https://en.wikipedia.org/wiki/Cambridge_Analytica? If so how come they still exist?
No, it looks like the domain was taken over by squatters after CA went defunct in 2018, and they're currently using it for AI-generated "content".
Yeah, I almost closed my tab and burnt my browser realizing that.
> PuffPal, a platform that manages membership and age verification for cannabis retailers and clubs across Europe.
At least we’re keeping the children safe though by verifying ages. It’s worth giving up privacy for that…
> Note what happened. A high-value credential—a passport—was used in an ancillary low-value authentication system: ID verification for cannabis dispensaries. And it’s the low-value system that got hacked, putting the high-value credential at risk.
Why do these systems hold onto user's data post verification?
In a word: complaints.
It’s somewhat understandable but also part of the problem.
I have a story about this, although it's a bit convoluted and not entirely related. But it does showcase low-value usecase compromising a high-value auth mechanism.
I was working on a project, client is a Real Estate agency, they use a CRM where they upload houses and it in turn uploads it to various sites like Zillow. We needed a list of their listed houses, so we wanted to use that data source instead of making a CRUD where they have to add houses yet again.
We ask the CRM sales team about APIs, they tell us that there's no accounts for third parties, client accounts have APIs, so we have to ask the client for an API key (or for their account password).
Which makes sense in general I guess, but the data is public in our case, so the CRM sales staff 's idea was that we should ask the client to let us access their account in order to get public data. We proceeded to scrape the houses from a website like Zillow like cavemen.
As it happens, our project was ancilliary low-value. So I don't doubt that the clients of this CRM are vulnerable in a similar way, and the root cause of the issue isn't evident at all, I can see 2:
1- Paradoxically, having an API that always requires an API KEY (as opposed to allowing unauthenticated access for public data) is less secure, as credentials/tokens will be used more often when not necessary.
2- This CRM effectively acted as an aggregator, consuming the APIs to publish to other vendors, but they don't provide an API for other vendors to read data from them. This effectively causes third party vendors to authenticate as the client, which is just incorrect. Credentials should identify a person/group, not a usecase.
This is a really great story. It is super short and understandable, and nails the point that just falling into the default case of authenticating everything can hurt security. If someone was teaching a some sort of software engineering seminar, they should totally steal it.
I'm not sure how it works in the EU, but in the US, most states have a "PMP" (prescription monitoring program) that tracks the sale of marijuana in many states (nevermind that its not an actual prescription, but it is a controlled substance) and viewable by your doctor back up to ~12 months or so. Most people don't know this however and think it works like alcohol sales where it's sold after ID verification and then everyone forgets about it. Some states treat marijuana sales like prescription drug dispensing, it has to be reported to a central database including the intimate details of the persons involved. I have no idea if this is the case in Spain, however.
It's not like this in USA for cannabis. States with medical programs issue medical cards and the dispensary uses that as the only form of ID. For adult-recreational the dispensary can choose their ID verification system. Many use ID scanners connected to their online POS provider. The State run system doesn't track retail sales to an individual.
Medical marijuana is linked to the PMP in my state.
https://azcir.org/news/2025/04/10/are-az-medical-marijuana-c...
OMG, I forgot that AZ and VT have very unique programs. Basically everyone else is on BioTrack or Metrc which are dedicated cannabis "track and trace" - ex-pharmacy infrastructure
EU is not a country and the laws covering illicit substances vary wildly between member states.
How’s that any different than the US? States determine what they can do.
Why wouldn't they? There are probbaly significant downsides if they fail an audit requirement, and they're probably mandated to retain records for some period, with no consequences to extended retention.
Set up a system so that it costs you nothing to do a bad thing but possibly wrecks you legally and financially to do the good thing, and people will inevitably do the bad thing. They shouldn't be collecting this information in the first place.
The people who design these policies are incapable of actually building things that work. They are not the intelligent, competent leaders exercising a careful craft that they like to pretend they are.
They keep going after age verification, online ID, central bank digital currencies, etc - keep this incident in mind. The people who implement and write these policies are morons. They don't game things out and plan for redundancy or resiliency. They don't take into account bad faith actors. They don't account for deliberate exploitation of the system.
> Why wouldn't they?
They most likely weren't allowed to keep it past the verification per GDPR art.5. Once the passport has been verified for whatever purpose they needed it ("age verified to be > 18yo on 2026-06-12" or "identity verified to be XXXX YYYY"), there is no legitimate use for the passport photo and details anymore, and they should delete it.
(I'm naive in this area, but..) I wonder if the various "proof of age" laws coming into play will clash with the GDPR in insidious ways. Like requiring identity providers to hold definitive "proof" of why they made an assessment rather than merely proving and discarding. I assume/hope there is some cryptographic way to do this rather than hang on to passport and ID images, however.
There are established ways / protocols to hold and provide cryptographically valid proof of a verification process, without any need to keep the actual id images in any storage. And to my knowledge there is no requirement for compliant KYC (Know your customer) to provide their ID as a proof as long as the verification process itself is compliant and audited in accordance to certain criteria.
You can compare this in a certain way to file hashes. A successful verification with a predefined minimum level of credibility can be encrypted to a special string for later being used, if a service needs to verify the person again. It doesn't matter then, that the original passport images or video ident has been deleted the second after id verification has been completed.
>Why wouldn't they? There are probbaly significant downsides if they fail an audit requirement,
Right, and keeping old passports used for verification should cause an audit to fail.
Not if there is no law about it.
If there is a law about verifying buyers, how else are they going to pass that audit?
There's a law forbidding storage beyond necessary minimum and law punishing such behaviour unless another law necessitated storage of the original document in the unsecured, unencrypted form. Doubtful.
There's also laws mandating secure systems design.
Separately there's no _need_ to store the original document if the verification system is sound (and audit real, not some phony crap like in some of the scandals posted here on HN).
If you need to prove you sold to real people, storing their credentials is a necessary thing, for as long as your need to prove that. At least with the way things currently are.
How else do you expect it to work? ‘Honest, we checked’ checkboxes?
Much as passports are very important for proving identity etc, people who travel have had their passport scanned, photographed or photocopied by pretty much every hotel they've stayed in. I'm not sure the shoebox in the backroom in Koh Samui with the photocopies in constitutes good storage hygiene protocols.
How that doesn't turn into rampant identity theft I don't know, or maybe it does? Not, happily, for me... yet.
the whole "not being an automatable remote sql injection away from everything" quality of physical objects grants a filing cabinet a tremendous amount of inherent security compared to anything digital.
Much like that old quip about the bandwidth of a vehicle full of tapes: "Never underestimate the at-rest security of a room full of filing cabinets."
Friction and delay have always been aspects of security.
Not sure if they're still doing this, but as of a few years ago, the IRS was still using literal trucks full of tapes to transport data to backup facilities. Tapes are good for this because they don't degrade as quickly as hard drives, so if you're actually looking to do archival storage that will outlast the cloud provider of the decade, they are surprisingly practical.
Does tape still burn really easily?
Or has that been fixed?
Compared to what what option, clay tablets of cuneiform? :p
In terms of significant danger, perhaps you're thinking of nitrocellulose movie film that was phased out in the '50s.
Nothing says “we’re watching you” like the wifi password at the hotel I stayed at in Shanghai being my passport number.
I am working on hotel software. And we are doing an automated kiosk check in with identity scanning. I’m seriously stressed about holding on to this kind of toxic waste. I am trying to limit it as much as possible. For example throwing away scans as fast as possible (within regulatory allowances). But I would love to hear any ideas anyone has in terms of further security. Obviously the documents are not just on a public bucket. But I’m considering maybe encrypting each document with a separate key, or something along those lines.
Encrypt the data with an asymmetric key; and keep the decryption key somewhere offline. You can get a hardware token to store the key on (I think a yubikey can do this).
My guess is that the machine readable chip standards and the production quality required to replicate a physical passport are high enough that only the most organized of organized crime can fake the highest value passports effectively, and if a passport is easy to replicate, it is less likely to have visa free access to most countries.
To second the photographed/photocopied requirements, as an expat, I am frequently asked to send a scan of my passport to people or entities that are not necessarily the most secure.
I also have a couple of important documents that are literally PDFs. My Canadian citizenship certificate is a PDF with a barcode in it, that I can print off a copy of if I need to mail it, or show on my phone to a consular office or a border guard if needed. My work visa here in New Zealand is a PDF with my passport number and a visa number, which my workplace and bank checked with an online database. Fundamentally, these and my passport are pointers to a row in various databases.
AFAIK not all NFC-enabled passports support Active Authentication. E.g least before US passports did not support it so cloning them is as easy as reading them via NFC.
So you cant fake non-existing passport because of issuer signature, but cloning is not a rocket science for many countries passports.
Stealing a shoebox of photocopied passports from every hotel in the city sounds like way more work and way riskier than downloading an already aggregated trove of digital data.
Ok, how about the google photos archive from the hotel next door with 1000s of pictures of passports taken on the shared unlocked $100 android phone that sits on the front desk? Not millions I grant you, but again, there doesn't seem to be an issue with active exploitation of these.
There is an issue with active exploitation of passports, of course the scale can change. Due to banking KYC / other KYC laws there's a market for these copied identities and of course so criminals don't even get a speedbump by KYC whereas the boot is used up the ass of the normal person trying to pass KYC when they're missing some stupid document like proof of address.
The lack of security is one thing, but why have they retained the information at all!
iirc, one of the elements of GDPR is "storage limitation", i.e. you must not keep personal data for longer than you need it - and in this case, the data is only needed to verify the age of the user, and shouldn't ever be required again (unless people can now get younger).
Once a document has been used to verify a person's identity and that the person is of legal age, there is no reason to retain a copy of the document any more.
It would be reasonable and fair to retain a photo of the user to verify that the person matches the account, but that's it.
10 years after I took the ACT, I received a letter from a university that I never went to, saying my SSN was leaked.
WHY THE F**k ARE THEY HOLDING ON TO THAT 10 YEARS LATER!?!?!?
Of course now I know better than to give out my SSN to anyone who asks for it, but I didn't know that as a teenager.
Until stupid s**t like this becomes illegal, it will just keep continuing.
The real answer?
In case you want to retrieve your test scores 10 years after you took it. They need some way to uniquely identify you. Sure, they could have given you a specific test taker ID, but what if you lost that? They could have created a way for you to log in with an e-mail address, but what if you changed e-mail addresses?
You might think "Why would I need my test scores from 10+ years ago?", but my wife just started a job and they demanded her college transcripts to prove she went there...over 20 years ago.
I think the issue here is that it was the university, not ACT. ACT has a valid reason for holding it. A university he never went to does not.
Identify the student by full name, dob, date of admission, career, etc. It takes 5 minutes instead of one.
The problem here is using a username (the ID) as a password (security check)
Don't be so hard on 17-ish-year-old you. What exactly were you supposed to do? Not take the ACT (and probably not get into your desired college)?
This is a real problem.
I was appalled when renewing my car this year that I now need a Texas by Texas account (https://www.texas.gov/texas-by-texas/), which wants... a social security number because why?!?!
Anyway, yet another data breach incoming.
I'd hope that there's an in-person option for renewal. Maybe people without a data plan don't exist anymore?
Ask if it’s required, instead of assuming it is, is the point.
Modern equivalent “move over here for your picture ‘for the doctor’.”
No thanks, I’d like to opt-out!
I've had stuff like this happen too, and always wondered if they really leaked my data or were just notifying everyone whose data they possibly leaked.
I'm not american, but the idea that your SSN, which is effectively a (federal) unique identifier for a person, would be secret, is very foreign.
In most countries, like most databases, our primary keys do not hold an expectation of secrecy.
I would even argue that the expectation of secrecy is what creates it's secret semantics, that is, it's secret because you make it secret. I get that it's a collective action thing, if you just publish your own SSN, a bank in another state might not be aware it's a public thing for YOU, and might open an account for a stranger.
Interestingly enough, for corporations, their identifiers, EIN, are not assumed to be private, in many states these are available through the DoS public records. So it turns out the system works just fine if you make the ID of a person (juristic or legal) public.
I think every SSN is already leaked and government is doing nothing. I tried to change SSN and they told me it is not possible.
100s of millions have definitely been exposed already. The best defence is probably to be a baby so your risk window is minimal. I haven't been able to pull that off personally, so I follow the other recommended piece of advice which is to keep your credit checks permanently frozen with the agencies and only temporarily thaw it for specific usages.
https://www.upguard.com/breaches/social-insecurity-billions-...
The EDPB has explicitly ruled on that, when it comes to age verification^1, you should delete: "Trust models are crucial to prevent data breaches in age assurance contexts [...] once the user's age is verified, no record of the personal data used for the age assurance process is kept".
^1: https://www.edpb.europa.eu/system/files/documents/2025-04/ed..., number 36.
Thank you.
Oh god that’s pretty bad
> The documents were hosted by systems used by cannabis clubs and a company called Nefos, which operates PuffPal, a platform that manages membership and age verification for cannabis retailers and clubs across Europe. The infrastructure storing these identity documents—full passport scans, driver’s licenses with photos, names, and identifying numbers—was left completely unprotected on publicly accessible web servers.
I cannot imagine the level of fines under GDPR for leaking that much PII
The EU's verification laws will ensure much more of these leaks in the future, and therefore much more fines
Is it requirement to retain the documents? Many are waiting for gatekeeper tech companies to organise around attestation rather than submission to third parties. I hope they are making progress.
How so, are you purely speculating or you found a hole in the zero knowledge proof system some countries are implementing ?
He's stating the obvious
Yep… not sure about more fines, but for sure more leaks
I had to receive a letter from France (I'm not french, I don't live in France, but we've got family real estate there). To be able to open this letter, online (!), I had to scan my EU ID card, tilt it, and scan my face (pointing at the camera, looking to the left, etc.).
We're talking about a major french institution here, either public or private but colluding with the government to have their monopoly (don't know, don't care: they're all the same worms to me).
Speaking of which... There's been a recent case in France where a very nice lady working for some public institution (basically the IRS) was giving the name/wealth of "targets" to her brother so that her brother and his friends could go and kidnap/torture (fingers of victims have been cut) family members of rich french persons.
It's sickening and the real culprits are those creating the laws mandating this full on surveillance apparatus.
The governments want to retain their abilities to target people for kidnapping/finger-lopping.
Show me the consequences. I hear there are supposed to be repercussions, but these asshats never seem to pay for their crimes.
> Zero password protection on document storage systems > > No encryption for sensitive identity verification data > > Public URL access with no authentication requirements > > No access logging or monitoring systems in place
Pretty much the bingo of secure storage, even CTF demos make it less obvious. Storing a document that they have no business keeping in the first place, with no security whatsoever.
Remember that there is no such thing as identity theft. There is just fraud. You weren't involved at all.
> No hacking was required—documents were accessible through direct URLs with zero authentication or encryption.
You would be surprised what some courts already count as hacking
I am sure even my passport would be part of the breach, are the passport holders beign notified of the breach?
So much of our information is being leaked nowadays that news like these don’t surprise me anymore…
I think everyone should understand that if they truly want something private, storing it offline or destroying it completely, are the only safer options.
Any sort of convenience to access said data, is a possible surface of attack.
Do the laws that mandate identity verification set security standards that the websites which collect and verify the data must meet?
This is the best one. Not a shady company website, or a paywalled site:
https://boingboing.net/2026/06/28/a-million-passports-leaked...
Damn, we even got passport leaks before GTA 6.
Could we update the link to the original article? https://cambridgeanalytica.org/data-breaches-scandals/passpo...
CA article is just AI;dr on a two week old Verge article: https://www.theverge.com/tech/947157/passports-data-breach-c...
Ok, then changing the link to the verge article. Thanks for pointing that out
The verge is not a good source as it's pay walled
From the HN FAQ:
> Are paywalls ok?
> It's ok to post stories from sites with paywalls that have workarounds.
> In comments, it's ok to ask how to read an article and to help other users do so. But please don't post complaints about paywalls. Those are off topic. More here.
https://news.ycombinator.com/newsfaq.html
You can pay for the paywall, or there are ways around.
Wow it's insane that Cambridge Analytica is still around after the scandals.
They dissolved and reconstituted as Emerdata. This domain was squatted.
Ok, let's use that and put the other two in the toptext.
It was written by the Verge, and this Cambridge summary admits that (the first paragraph "journalist" is the original author at the Verge).. perhaps we can go back to original source? It's been submitted twice.
Author: Sean Hollister https://www.theverge.com/tech/947157/passports-data-breach-c...
Similar sounding (recent) leak: Hotel check-in system exposed 1M passports and driver's licenses (4 points, May/2026) https://news.ycombinator.com/item?id=48152759
That's good, just grab one of those whenever your need to prove your age online /s
For liveness i suppose you need a good graphics card.
So dystopian