---
title: "Nefos Cannabis ID Verification: Exposed Database Leaks One Million Passports"
date: 2026-06-27
slug: cannabis-id-verification-passport-leak
---
# Nefos Cannabis ID Verification: Exposed Database Leaks One Million Passports
A database holding nearly one million passports from around the world was left exposed on the open internet, leaked through an ID verification system used by cannabis dispensaries. The incident, surfaced by security researcher Bruce Schneier on June 26, 2026, illustrates a textbook failure: a high-value credential was funneled into a low-value authentication system, and the low-value system is the one that fell over. The software company Nefos, named in connection with the system, has reportedly engaged Ireland's Data Protection Commission (DPC) over the exposure.
## What Happened
Cannabis dispensaries are legally required to verify that customers meet age and identity requirements. To satisfy that requirement, dispensaries leaned on a third party ID verification platform that ingested customers' passports as part of the check. Rather than treating those documents as the crown jewels they are, the system accumulated them into a database that ended up accessible online.
The breach is not a story of an advanced adversary defeating layered defenses. It is a story of sensitive identity documents being collected at scale and then stored without the controls that data of this sensitivity demands. By the time it surfaced publicly on June 26, 2026, commenters noted the exposure may have been live for roughly two months, and affected individuals had not been notified.
## What Was Taken
The exposed data set is severe in both volume and sensitivity:
- Nearly one million passports, sourced from individuals worldwide.
- Full passport images and the personally identifiable information they carry: legal name, date of birth, nationality, passport number, issue and expiry dates, and machine-readable zone (MRZ) data.
- Identity records tied to lawful cannabis purchases, creating a sensitive linkage between a government credential and a regulated personal activity.
A passport is among the highest value identity credentials a person holds. Unlike a password, it cannot be rotated. Once the image and its data are in the wild, the exposure is effectively permanent and feeds directly into identity theft, synthetic identity fraud, and account takeover schemes.
## Why It Matters
This incident is the clearest possible example of credential-value mismatch. A document built to assert national sovereignty and cross borders was repurposed as a turnstile token for buying a regulated consumer product. When organizations collect maximally sensitive credentials to satisfy a minimally sensitive function, they create a concentration of risk wildly out of proportion to the transaction it supports.
For defenders, the lesson is about data minimization and blast radius. The dispensaries did not need to retain passport images to confirm a customer's age. The verification vendor became a single point of catastrophic failure for nearly a million people who simply wanted to make a legal purchase. Breaches of this kind also erode trust across the entire identity verification ecosystem, inviting the regulatory scrutiny now underway with Ireland's DPC.
## The Attack Technique
There is no evidence of a sophisticated intrusion. The available reporting points to an exposed, unprotected database rather than an exploited vulnerability or a targeted campaign. In practical terms this is the familiar pattern of a misconfigured, internet-facing data store with insufficient access controls, where the data was reachable by anyone who knew, or stumbled onto, where to look.
Threat actors do not need to breach a vault that has been left standing open. No serious defense in depth was in place to slow or detect the access: weak or absent authentication, no meaningful encryption posture for documents at rest, and no audit trail to flag anomalous reads. The "technique," such as it is, amounted to finding and collecting data that was never properly secured in the first place.
## What Organizations Should Do
1. Practice ruthless data minimization. If a workflow only needs to confirm age or validity, verify against the document and discard it. Do not retain full passport images or numbers beyond the moment of verification.
2. Encrypt sensitive identity documents both at rest and in transit, and tightly scope who and what can decrypt them.
3. Enforce strong access controls and authentication on every data store that touches identity documents. No internet facing database holding PII should be reachable without authentication.
4. Deploy continuous monitoring and audit logging so anomalous bulk reads of identity records are detected and alerted on in real time, not discovered months later by an outsider.
5. Maintain a tested incident response and breach notification plan, including timely regulator engagement and customer notification, so affected individuals learn of exposure quickly rather than from a comment thread.
6. Vet third party verification vendors against the same rigor you would apply internally, with contractual requirements for encryption, retention limits, and breach disclosure timelines.
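The first recommendation, verify against the document and discard it, is the one most often skipped because the passport image is the easiest thing to keep. The following is an added example of what a verify-and-discard check can look like; it is not code from the article, from Nefos, or from any dispensary system. It parses the passport's machine-readable zone (the two-line ICAO 9303 TD3 format), validates every check digit, decides whether the holder meets a minimum age and whether the document is unexpired, and returns only that verdict plus an HMAC fingerprint of the document number so repeat presentations can be rate-limited without the number itself ever being stored. The sample MRZ is the published ICAO Doc 9303 specimen (fictional issuing state UTO), the HMAC key is a placeholder, and the two-digit-year expansion rule is an assumption of this example.

```python
"""Verify-and-discard age check against a passport MRZ (ICAO 9303 TD3 format).

Added example, not code from the article or from any vendor it names. It
implements the data-minimization step the article recommends: validate the
machine-readable zone, decide age and document validity, and hand back only
the verdict plus a keyed fingerprint of the document number. Nothing that
identifies the holder (name, number, dates, image) is kept.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date

MRZ_WEIGHTS = (7, 3, 1)


def mrz_char_value(c: str) -> int:
    """ICAO 9303 character values: digits as-is, A-Z as 10..35, filler '<' as 0."""
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"invalid MRZ character {c!r}")


def mrz_check_digit(field: str) -> int:
    """Weighted 7-3-1 modulus-10 check digit defined by ICAO 9303."""
    return sum(mrz_char_value(c) * MRZ_WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def _check_digit_ok(field: str, cd: str, optional: bool = False) -> bool:
    # An unused optional field may carry '<' or '0' as its check digit.
    if optional and field.strip("<") == "":
        return cd in "<0"
    return cd.isdigit() and mrz_check_digit(field) == int(cd)


def _yymmdd(field: str, today: date, is_birth: bool) -> date:
    """Expand a two-digit MRZ year. Assumption of this example: expiry dates fall
    in the 2000s, and a birth date that would lie in the future belongs to the 1900s."""
    yy, mm, dd = int(field[0:2]), int(field[2:4]), int(field[4:6])
    parsed = date(2000 + yy, mm, dd)
    if is_birth and parsed > today:
        parsed = date(1900 + yy, mm, dd)
    return parsed


@dataclass(frozen=True)
class Verdict:
    mrz_valid: bool        # every check digit matched
    document_valid: bool   # not expired as of the check date
    age_ok: bool           # holder meets the minimum age
    doc_fingerprint: str   # HMAC of the document number; never the number itself

    @property
    def approved(self) -> bool:
        return self.mrz_valid and self.document_valid and self.age_ok


def verify_passport_mrz(line1: str, line2: str, today: date, min_age: int, fp_key: bytes) -> Verdict:
    """Parse a TD3 MRZ, validate it, and return a PII-free verdict."""
    if len(line1) != 44 or len(line2) != 44 or line1[0] != "P":
        raise ValueError("not a TD3 passport MRZ")
    doc_no = line2[0:9]
    # Fingerprint first so a repeat presentation can be rate-limited even when
    # the rest of the zone fails validation.
    fingerprint = hmac.new(fp_key, doc_no.encode("ascii"), hashlib.sha256).hexdigest()
    try:
        mrz_valid = all([
            _check_digit_ok(doc_no, line2[9]),
            _check_digit_ok(line2[13:19], line2[19]),                 # date of birth
            _check_digit_ok(line2[21:27], line2[27]),                 # expiry date
            _check_digit_ok(line2[28:42], line2[42], optional=True),  # personal number
            # Composite digit covers doc number, DOB, expiry, personal number and their digits.
            _check_digit_ok(line2[0:10] + line2[13:20] + line2[21:43], line2[43]),
        ])
        birth = _yymmdd(line2[13:19], today, is_birth=True)
        expiry = _yymmdd(line2[21:27], today, is_birth=False)
    except ValueError:
        # Unparseable characters or impossible dates: fail closed, keep no data.
        return Verdict(False, False, False, fingerprint)
    age = today.year - birth.year - ((today.month, today.day) < (birth.month, birth.day))
    return Verdict(mrz_valid, expiry >= today, age >= min_age, fingerprint)


def audit_record(verdict: Verdict, today: date) -> dict:
    """The only thing worth persisting: outcome, date, and the fingerprint."""
    return {"date": today.isoformat(), "approved": verdict.approved,
            "mrz_valid": verdict.mrz_valid, "doc_fingerprint": verdict.doc_fingerprint}


# ICAO Doc 9303 specimen MRZ (holder "Anna Maria Eriksson", fictional issuing
# state UTO): published sample data, not a real passport.
SPECIMEN_LINE1 = "P<UTOERIKSSON<<ANNA<MARIA".ljust(44, "<")
SPECIMEN_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
# Placeholder key for this example; a real deployment draws it from a secrets store.
EXAMPLE_FP_KEY = b"example-fingerprint-key-not-for-production"

if __name__ == "__main__":
    check_date = date(2011, 6, 1)
    verdict = verify_passport_mrz(SPECIMEN_LINE1, SPECIMEN_LINE2, check_date, 21, EXAMPLE_FP_KEY)
    print(audit_record(verdict, check_date))
```

The point of the design is what is absent from `audit_record`: no name, no number, no dates, no image. A tampered MRZ fails closed on its check digits, an expired document is rejected even when the holder is old enough, and the fingerprint lets a dispensary notice the same document being presented many times without holding anything an attacker could reuse. Swapping the HMAC key on a schedule bounds even that linkage.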
_Sources: [One Million Passports Leaked Online - Schneier on Security](https://www.schneier.com/blog/archives/2026/06/one-million-passports-leaked-online.html)_