Updated · The Verge · Jun 10

Nefos Shuts PuffPal After 985,000 IDs Were Exposed, Accepts Potential EU Fines

Summary

  • Nefos has taken PuffPal and vulnerable APIs offline after security researcher Sammy Azdoufal found about 985,000 passport and ID images exposed at public URLs; tests on June 10 showed the data had been secured.
  • Public links, predictable user IDs and exposed API endpoints let anyone retrieve member profiles, including passport numbers, phone numbers, home addresses and cannabis club records, with clubs adding roughly 5,000 new IDs a day.
  • June 4 and June 9 checks found Nefos had reopened or incompletely fixed parts of the system after initial warnings, leaving images and then profile data accessible until fresh disclosures forced additional shutdowns.
  • Nefos says it has contacted Ireland's Data Protection Commission, will notify affected users, pay any penalties and replace outsourcing firm 9Series, which it blames for developing the insecure app and APIs.
  • The breach spans cannabis club members from across Europe and about 30,000 U.S. visitors, underscoring growing scrutiny of basic URL-based document exposure after similar passport leaks elsewhere.

Insights

When an outsourcer's code exposes a million IDs, who is ultimately responsible for protecting your personal data?
A firm defied Europe's strict 72-hour data breach rule. Can regulators' massive fines truly enforce digital privacy?
As the legal cannabis industry booms, is its compliance technology actually putting customers at greater risk?

Nefos Solutions Data Breach Exposes 100,000 Cannabis Club Members’ IDs in Spain: SQL Injection at Heart of Major Security Failure

Overview

In June 2026, Nefos Solutions discovered a major data breach in its PuffPal system, exposing sensitive personal data—including names, addresses, phone numbers, and government IDs—of about 100,000 members across 150 cannabis clubs in Spain. The breach was caused by a SQL injection vulnerability, allowing unauthorized access to the database. Nefos quickly shut down the affected system, disrupting QR code entry but enabling clubs to use alternative verification methods like RFID cards and phone numbers. The incident triggered regulatory scrutiny under GDPR, highlighted the need for stronger security and vendor oversight, and served as a wake-up call for the cannabis technology industry to adopt stricter data protection standards.
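The two failure modes this page names, guessable member IDs served without a caller check (summary) and SQL injection (overview), shown as an added Python example that is not Nefos or 9Series code: a constructed in-memory document store with a lookup that trusts a sequential integer, beside a hardened lookup that keys documents by an unguessable token, uses parameterized queries and enforces an owner-or-same-club rule. All names, clubs and image bytes are constructed sample data.

```python
import secrets
import sqlite3
from typing import Optional, Tuple, Dict

# Constructed sample members (not real records): owner, club, document image bytes.
MEMBERS = [
    ("alice", "Club A", b"<passport-image-A>"),
    ("bob", "Club B", b"<passport-image-B>"),
]


def build_db() -> Tuple[sqlite3.Connection, Dict[str, str]]:
    """Store each document under a 128-bit random token rather than a sequential id."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE docs (token TEXT PRIMARY KEY, owner TEXT, club TEXT, image BLOB)")
    tokens = {}
    for owner, club, image in MEMBERS:
        token = secrets.token_urlsafe(16)  # cannot be enumerated like 1, 2, 3, ...
        db.execute("INSERT INTO docs VALUES (?, ?, ?, ?)", (token, owner, club, image))
        tokens[owner] = token
    return db, tokens


def fetch_insecure(db: sqlite3.Connection, member_id) -> Optional[bytes]:
    """The pattern described on the page: a predictable id, no check of who is asking,
    and the id spliced into the SQL text (the injection class named in the overview)."""
    row = db.execute(f"SELECT image FROM docs WHERE rowid = {member_id}").fetchone()
    return row[0] if row else None


def authorized(requester: str, requester_club: Optional[str], owner: str, club: str) -> bool:
    """Owner sees their own document; club staff see documents of their own club only."""
    return requester == owner or requester_club == club


def fetch_document(db: sqlite3.Connection, requester: str,
                   requester_club: Optional[str], token: str) -> Optional[bytes]:
    """Hardened lookup: bound parameter, unguessable key, explicit authorization."""
    row = db.execute(
        "SELECT owner, club, image FROM docs WHERE token = ?", (token,)
    ).fetchone()
    if row is None:
        return None
    owner, club, image = row
    if not authorized(requester, requester_club, owner, club):
        return None  # denial looks identical to "not found", leaking nothing about existence
    return image
```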

...