
Cannabis Club Systems Data Leak Exposes Nearly One Million User Records Worldwide
Nearly one million cannabis club users worldwide had their identity documents exposed online due to vulnerabilities in Cannabis Club Systems and PuffPal, prompting urgent scrutiny of data security practices
Key Points
- Nearly 985,000 identity documents from cannabis club users were exposed via public URLs linked to Cannabis Club Systems and PuffPal
- The breach affected users from Spain, Italy, France, South Africa, and included celebrities, U.S. citizens, and staff
- Security researcher Sammy Azdoufal discovered the vulnerability, which spanned multiple layers of the system, including document storage and administration
- Nefos Solutions suspended the affected app and services, notified authorities, and is conducting an independent security review
- The company claims no verified evidence of public data extraction, but investigations remain ongoing
A major data exposure involving Cannabis Club Systems and PuffPal has compromised the sensitive identity documents of nearly 985,000 cannabis club users, according to recent findings. The exposed information, accessible through unsecured public URLs, included images of passports, national ID cards, driver’s licenses, selfies, and personal contact details. This incident has triggered significant concerns about privacy and data security in the cannabis sector, which deals with particularly sensitive user data due to ongoing stigma and complex legal landscapes.
Security researcher Sammy Azdoufal uncovered the vulnerability, revealing that the data was left unprotected due to technical failures in the systems used by over 800 cannabis clubs globally, with a significant concentration in Spain, especially Barcelona. "The flaw appeared to run across several layers of the system: image storage, user profiles, APIs, payments, administration, and messaging," the report noted. This widespread exposure included not just current members but also inactive users, staff, and professional contacts, highlighting the scale and depth of the breach.
The infrastructure behind the exposed data was managed by Cannabis Club Systems, affiliated with Irish company Nefos Solutions, and also tied to the PuffPal app used for identity verification. According to The Verge, files were accessible at predictable web addresses with no passwords or access controls. The breach also exposed other technical weaknesses such as an exposed Stripe secret key, vulnerable API endpoints, and unsecured administrative portals.
In response to the findings, Nefos Solutions temporarily suspended the PuffPal app and related backend services, and reported the incident to the Irish Data Protection Commission, as required under the European Union’s General Data Protection Regulation (GDPR). Andreas Nilsen, co-founder of Nefos, acknowledged the gravity of the situation, stating, "The company was required to report the breach under European regulations and said it could face penalties." Nefos emphasized it would not relaunch the app without an independent security review and maintained that there was no verified evidence that personal data had been publicly distributed, though investigations are ongoing.
The cannabis industry’s reliance on digital systems for member registration and age verification has made robust cybersecurity practices essential, especially as users entrust clubs with highly sensitive personal data. The potential fallout from such leaks extends beyond financial harm, carrying risks related to employment, immigration, and legal exposure. As noted in the investigation, "privacy is not a luxury: it is part of user safety."
OG Lab’s editorial analysis: This incident is a wake-up call for the cannabis sector to prioritize data protection as a fundamental aspect of user trust. With digitalization accelerating across the industry, companies must implement rigorous security standards and transparent protocols to safeguard user information against future breaches.

