One million passports leaked online

Why This Matters

The exposure of nearly one million unprotected passports and IDs highlights critical vulnerabilities in data security practices within the tech industry, emphasizing the need for robust safeguards to protect sensitive personal information. This breach underscores the importance of proper access controls and encryption to prevent identity theft and fraud, especially as digital identity verification becomes more prevalent for online services and regulated industries.

Key Takeaways

A journalist typing a few letters and numbers into a web browser pulled up the passport of a young woman from Germany. Then a Spanish man’s passport. Then another man’s driver’s license. All of it sitting on the public internet with no password, no encryption, no access control whatsoever.

Nearly a million passports and photo IDs from multiple countries were exposed across unprotected public URLs, accessible to anyone with a link. The documents remained discoverable this way for months, according to reporting by The Verge, before being taken offline. The exposure represents one of the largest identity document breaches in recent memory—and it happened because of a fundamental failure in data security practices.

Key Findings:

The Scale: Nearly one million passports and photo IDs from multiple European countries were left completely unprotected on public web servers.

The Access Method: No hacking was required—documents were accessible through direct URLs with zero authentication or encryption.

The Timeline: Identity documents remained publicly accessible for months before discovery, creating an unknown window of potential criminal exploitation.

The documents were hosted by systems used by cannabis clubs and a company called Nefos, which operates PuffPal, a platform that manages membership and age verification for cannabis retailers and clubs across Europe. The infrastructure storing these identity documents—full passport scans, driver’s licenses with photos, names, and identifying numbers—was left completely unprotected on publicly accessible web servers.

Sammy Azdoufal, a security researcher who discovered the exposure, told The Verge the urgency was acute: “We have to do something about it as fast as possible, because people will find this and resell it. It will do damage.” The concern was not theoretical. Identity documents at scale on the open internet are immediately valuable to criminals. According to guidance from the Federal Trade Commission, stolen passports and driver’s licenses fuel identity theft, document fraud, and account takeover attacks.

How Did Nearly a Million Identity Documents End Up Unprotected?

What makes this breach structurally significant is not just the volume of documents exposed, but the mechanism of exposure: a company collecting identity verification data—ostensibly for legitimate age-gating purposes—stored that data in a way that treated security as optional. No authentication layer. No rate limiting. No encryption. Just raw identity documents, URL-accessible to the entire internet.

The Security Failures:
