Nearly a million passports and government-issued IDs were sitting completely exposed on the public internet, accessible to anyone with a web browser. The security failure, tied to cannabis dispensary management software, left sensitive identity documents from customers across Europe and beyond vulnerable to theft and fraud. Security researchers discovered the breach after stumbling upon unprotected URLs containing scans of passports, driver's licenses, and other identification documents with zero password protection or access controls.
A catastrophic security failure has left nearly one million passports and government-issued photo IDs completely exposed on the public internet, with no password or authentication required to access them. The breach, discovered by security researchers, reveals how cannabis dispensary software became an unexpected vector for one of the largest identity document exposures in recent memory.
Sean Hollister, a reporter at The Verge, documented the chilling simplicity of the breach. By typing a few letters and numbers into a web browser, he found himself staring at strangers' most sensitive documents - a German woman's passport, a Spanish man's ID photo, the front and back of someone's driver's license. All sitting at public URLs, as easily accessible as any website.
"They were all sitting unprotected at public URLs, with no password or access control of any sort," Hollister wrote. "If I sent you a link, you could have looked at someone's passport."
The security researcher who first identified the vulnerability, Sammy Azdoufal, immediately recognized the severity. "We have to do something about it as fast as possible, because people will find this and resell it. It will do damage," he told The Verge. His concern isn't theoretical - exposed identity documents fetch premium prices on dark web marketplaces, where they're used for everything from financial fraud to creating synthetic identities.
The breach appears connected to cannabis club management systems, software platforms that dispensaries and cannabis social clubs use to verify customer age and identity. These systems require customers to upload government-issued IDs before making purchases, a common practice in regulated cannabis markets across Europe where age verification is legally mandated.
But somewhere in the chain between customer upload and secure storage, the system failed catastrophically. Instead of encrypting and protecting these documents behind authentication layers, the software apparently stored them at publicly accessible URLs. Anyone who discovered or guessed the URL structure could browse through hundreds of thousands of identity documents.
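The control missing from the storage described above, as an added sketch (not the vendor's code): each scan gets a random identifier, and a request is served only with a logged-in session plus a short-lived HMAC-signed link bound to that staff member and document. All function names, the club and staff identifiers, and the in-memory index are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: in a real service this key comes from a secret store.
SIGNING_KEY = secrets.token_bytes(32)
DOCUMENTS = {}  # constructed index: random document id -> owning club

def store_document(club_id):
    """Register an upload under a random, non-guessable identifier."""
    doc_id = secrets.token_urlsafe(24)
    DOCUMENTS[doc_id] = club_id
    return doc_id

def _sign(doc_id, staff_id, exp):
    msg = f"{doc_id}|{staff_id}|{exp}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

def issue_link(doc_id, staff_id, staff_club, ttl=60, now=None):
    """Issue short-lived link parameters, only to staff of the owning club."""
    if DOCUMENTS.get(doc_id) != staff_club:
        raise PermissionError("document does not belong to this club")
    exp = int(time.time() if now is None else now) + ttl
    return {"staff": staff_id, "exp": exp, "sig": _sign(doc_id, staff_id, exp)}

def authorize(doc_id, session_staff_id, staff, exp, sig, now=None):
    """Return True only if this request for an ID scan may be served."""
    now = time.time() if now is None else now
    if session_staff_id is None or session_staff_id != staff:
        return False  # no login, or the link was issued to someone else
    if doc_id not in DOCUMENTS or not isinstance(exp, int) or now > exp:
        return False  # unknown document, malformed or expired link
    expected = _sign(doc_id, staff, exp)
    # Constant-time comparison so the signature cannot be probed byte by byte
    return hmac.compare_digest(str(sig).encode(), expected.encode())
```

A forwarded link fails here on two counts: the recipient has no session for the named staff member, and the signature stops verifying once the expiry passes.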
The scale is staggering. Nearly a million documents means potentially a million individuals whose passports, driver's licenses, and national ID cards are now floating in the digital void. Each document contains a treasure trove of personal information - full legal names, birth dates, passport numbers, addresses, physical descriptions, and high-resolution photos. Everything an identity thief needs.
This isn't just about cannabis anymore. It's about fundamental failures in how third-party software handles sensitive data. Cannabis dispensaries, operating in legally gray areas across much of Europe, often rely on specialized software providers to handle compliance requirements. These providers may not have the security infrastructure of major tech companies, yet they're processing some of the most sensitive personal data imaginable.
The exposure highlights a broader vulnerability in age-verification systems across regulated industries. From cannabis to alcohol delivery to online gambling, businesses increasingly require customers to upload government IDs. Each upload creates another potential breach point, another database that could be misconfigured, another URL that could be left unprotected.
Security experts have long warned about the risks of unnecessary data collection. Every business that stores passport scans becomes a potential target - or in this case, an accidental exposure point. The cannabis industry's rapid growth has outpaced its security maturity, and customers are paying the price.
The timeline of discovery and remediation remains unclear. It's unknown how long the documents sat exposed, who else might have accessed them, or whether the vulnerability has been fully patched. These questions matter enormously - the difference between a few days of exposure and months could mean the difference between contained damage and widespread fraud.
For the affected individuals, the fallout could last years. Passport numbers don't change easily. Once your government ID is compromised, it can be used to open fraudulent accounts, apply for loans, or even create fake documents. The exposed customers now face the uncomfortable reality that their most trusted identity documents are potentially in the hands of strangers.
This breach serves as a stark reminder that convenience and security often stand in tension. As more industries adopt digital ID verification, the infrastructure protecting those documents must be bulletproof. Cannabis dispensaries may have inadvertently become custodians of massive identity databases, but they clearly weren't prepared for that responsibility. The real question now is how many other industries are making the same mistake, storing sensitive documents in similarly vulnerable ways, just waiting to be discovered.