PuffPal Exposed Passport Data for One Million Cannabis Club Users

An app meant to simplify entry to Spanish cannabis clubs left users’ passports, addresses, and consumption records open to anyone who looked.

PuffPal, built by Nefos, stored and transmitted passport photos and other personal details with no effective protection. Researcher Sammy Azdoufal found the data after decompiling the app and discovering a Stripe secret key stored in plain text.

The exposed records cover roughly one million members. They include phone numbers, home addresses, preferred cannabis strains, and monthly consumption figures. Thirty thousand of the records belong to U.S. visitors. Azdoufal also noted that the database contains entries for public figures who had used the clubs.

The same flaw let anyone retrieve any member profile once the key was known. No additional authentication or rate limiting blocked the access.

Nefos has not released a statement on the scope of the exposure or on steps taken to secure the data.

Why it matters

Apps that handle government-issued identification must treat that data as high-risk from the first line of code. When a payments key sits in an installable binary, the failure is not subtle; it is immediate and foreseeable. Users who visited clubs in Spain now face the downstream effects of that negligence, regardless of whether they ever expected their records to leave the premises. The episode shows that convenience features for regulated activities still require the same baseline controls as any other consumer service that stores identity documents.
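A release-gate check for the failure described above, a payments secret key shipped inside an installable binary. This is an added example, not code from the article, Nefos, or the researcher; it assumes the package is a zip archive (as APK and IPA files are) and relies on Stripe's key prefixes (`sk_`, `rk_`, `pk_`). The function names and the sample package are constructed for illustration.

```python
import io
import re
import sys
import zipfile

# Stripe key prefixes: sk_ (secret) and rk_ (restricted) belong on servers only;
# pk_ (publishable) is meant to ship in client code and is not flagged.
# No word-boundary anchor: inside classes.dex a string is preceded by a length byte.
SERVER_ONLY_KEY = re.compile(rb"(sk|rk)_(live|test)_[0-9A-Za-z]{16,}")


def scan_package(data: bytes) -> list[tuple[str, str, str]]:
    """Return (entry, key kind, redacted key) for each server-side key in a zip package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            if info.is_dir():
                continue
            blob = pkg.read(info)  # raw decompressed bytes, no decompiler needed
            for m in SERVER_ONLY_KEY.finditer(blob):
                kind = m.group(1).decode() + "_" + m.group(2).decode()
                redacted = m.group(0)[:12].decode() + "..."  # never log the full key
                findings.append((info.filename, kind, redacted))
    return findings


def build_sample_package() -> bytes:
    """Constructed stand-in for an APK; every key below is fake."""
    fake_secret = "sk_" + "live_" + "CONSTRUCTED0EXAMPLE0KEY0"
    fake_restricted = "rk_" + "test_" + "CONSTRUCTED0EXAMPLE0KEY1"
    fake_publishable = "pk_" + "live_" + "CONSTRUCTED0EXAMPLE0KEY2"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("classes.dex", b"dex\n035\x00\x20" + fake_secret.encode() + b"\x00")
        pkg.writestr("assets/config.json", '{"stripe": "%s"}' % fake_publishable)
        pkg.writestr("res/raw/backend.properties", "stripe.key=" + fake_restricted + "\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Release gate: pass a package path, or run with no argument for the sample.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_package()
    hits = scan_package(raw)
    for entry, kind, redacted in hits:
        print(f"{entry}: {kind} key embedded ({redacted})")
    sys.exit(1 if hits else 0)
```

A non-zero exit fails the build; any key the check finds should be rotated and moved behind a server-side endpoint rather than obfuscated in the client.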
