Hacker News

One million passports leaked online

73 points by jruohonen, yesterday at 11:22 AM | 45 comments

https://www.theverge.com/tech/947157/passports-data-breach-c...

https://www.schneier.com/blog/archives/2026/06/one-million-p...


Comments

hhthrowaway1230, today at 9:36 PM

Is this the CA from FB fame? https://en.wikipedia.org/wiki/Cambridge_Analytica ? If so, how come they still exist?

tartoran, today at 9:30 PM

> Note what happened. A high-value credential—a passport—was used in an ancillary low-value authentication system: ID verification for cannabis dispensaries. And it’s the low-value system that got hacked, putting the high-value credential at risk.

Why do these systems hold onto users' data post verification?

charles_f, today at 9:47 PM

> Zero password protection on document storage systems
>
> No encryption for sensitive identity verification data
>
> Public URL access with no authentication requirements
>
> No access logging or monitoring systems in place

Pretty much the bingo of secure storage, even CTF demos make it less obvious. Storing a document that they have no business keeping in the first place, with no security whatsoever.

shmoobadge, today at 9:41 PM

Much as passports are very important for proving identity etc., people who travel have had their passport scanned, photographed or photocopied by pretty much every hotel they've stayed in. I'm not sure the shoebox in the backroom in Koh Samui with the photocopies in it constitutes good storage hygiene protocols.

How that doesn't turn into rampant identity theft I don't know, or maybe it does? Not, happily, for me... yet.

gertrunde, yesterday at 9:18 PM

The lack of security is one thing, but why have they retained the information at all!

IIRC, one of the elements of GDPR is "storage limitation", i.e. you must not keep personal data for longer than you need it - and in this case, the data is only needed to verify the age of the user, and shouldn't ever be required again (unless people can now get younger).

Once a document has been used to verify a person's identity and that the person is of legal age, there is no reason to retain a copy of the document any more.

It would be reasonable and fair to retain a photo of the user to verify that the person matches the account, but that's it.

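The verify-then-discard pattern this comment argues for, as an added Python example that is not from the thread or from any product named in it. It assumes the document fields shown, an 18-year threshold, a member id, and a one-year retention window for the one field (the photo) that is kept; the leak check is there so a test can prove nothing else from the scan was persisted.

```python
from dataclasses import asdict, dataclass
from datetime import date, datetime, timedelta

MIN_AGE = 18                            # assumed age threshold for this example
PHOTO_RETENTION = timedelta(days=365)   # assumed: drop the photo once the membership lapses


@dataclass(frozen=True)
class ScannedDocument:
    """Fields read from an ID scan. Lives only in memory while verifying; never persisted."""
    full_name: str
    document_number: str
    date_of_birth: date
    photo: bytes


@dataclass(frozen=True)
class VerificationRecord:
    """The only thing persisted: the outcome plus a photo to match the person to the account."""
    member_id: str
    age_verified: bool
    verified_at: datetime
    photo: bytes


def years_between(born: date, today: date) -> int:
    """Whole years from `born` to `today`, counting a birthday not yet reached this year."""
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))


def verify_and_record(member_id: str, doc: ScannedDocument,
                      today: date, now: datetime) -> VerificationRecord:
    """Answer the age question now and keep only the answer; the scan goes away with `doc`."""
    is_adult = years_between(doc.date_of_birth, today) >= MIN_AGE
    return VerificationRecord(member_id=member_id, age_verified=is_adult,
                              verified_at=now, photo=doc.photo)


def leaked_fields(rec: VerificationRecord, doc: ScannedDocument) -> set[str]:
    """Names of scan fields whose values ended up in the stored record (a test hook)."""
    stored = set(asdict(rec).values())
    return {name for name, value in asdict(doc).items() if value in stored}


def photo_expired(rec: VerificationRecord, now: datetime) -> bool:
    """Storage-limitation check for the single retained field."""
    return now - rec.verified_at > PHOTO_RETENTION
```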
dgellow, yesterday at 7:51 PM

Oh god, that’s pretty bad.

> The documents were hosted by systems used by cannabis clubs and a company called Nefos, which operates PuffPal, a platform that manages membership and age verification for cannabis retailers and clubs across Europe. The infrastructure storing these identity documents—full passport scans, driver’s licenses with photos, names, and identifying numbers—was left completely unprotected on publicly accessible web servers.

I cannot imagine the level of fines under GDPR for leaking that much PII.

adithyaharish, yesterday at 11:26 AM

I am sure even my passport would be part of the breach. Are the passport holders being notified of the breach?

vfclists, today at 9:41 PM

Do the laws that mandate identity verification set security standards that the websites which collect and verify the data must meet?

joe_mamba, today at 9:26 PM

Damn, we even got passport leaks before GTA 6.

emayljames, today at 9:28 PM

This is the best one. Not a shady company website, or a paywalled site:

https://boingboing.net/2026/06/28/a-million-passports-leaked...

dgellow, yesterday at 7:52 PM

Could we update the link to the original article? https://cambridgeanalytica.org/data-breaches-scandals/passpo...

raverbashing, yesterday at 7:56 PM

That's good, just grab one of those whenever you need to prove your age online /s
