1M Passports Leaked Online
garo-pro
43 points
13 comments
June 28, 2026
Related Discussions
Found 5 related stories in 800.8ms across 14,015 title embeddings via pgvector HNSW
- One Million Passports Leaked Online jruohonen · 15 pts · June 28, 2026 · 97% similar
- Nearly a million passports and photo IDs were unprotected on the public internet N_A_T_E · 28 pts · June 16, 2026 · 72% similar
- 1B identity records exposed in ID verification data leak robtherobber · 215 pts · March 12, 2026 · 64% similar
- Data breach exposes up to 14.2M email logins at six ISPs Brajeshwar · 33 pts · June 29, 2026 · 56% similar
- LastPass notifies users of yet another data breach mooreds · 491 pts · June 25, 2026 · 55% similar
Discussion Highlights (4 comments)
dgellow
Oh god that’s pretty bad > The documents were hosted by systems used by cannabis clubs and a company called Nefos, which operates PuffPal, a platform that manages membership and age verification for cannabis retailers and clubs across Europe. The infrastructure storing these identity documents—full passport scans, driver’s licenses with photos, names, and identifying numbers—was left completely unprotected on publicly accessible web servers. I cannot imagine the level of fines under GDPR for leaking that much PII
dgellow
Could we update the link to the original article? https://cambridgeanalytica.org/data-breaches-scandals/passpo...
raverbashing
That's good, just grab one of those whenever your need to prove your age online /s
gertrunde
The lack of security is one thing, but why have they retained the information at all ! iirc, one of the elements of GDPR is "storage limitation", i.e. you must not keep personal data for longer than you need it - and in this case, the data is only needed to verify the age of the user, and shouldn't ever be required again (unless people can now get younger). Once a document has been used to verify a person's identity and that the person is of legal age, there is no reason to retain a copy of the document any more. It would be reasonable and fair to retain a photo of the user to verify that the person matches the account, but that's it.