June 29, 2026

Passport to Panic

Article URL →HN comments →

One million passports leaked online

Nearly 1 million IDs were left wide open — and commenters are absolutely horrified

TLDR: Nearly a million passports and photo IDs were reportedly left openly accessible on the internet for months, putting people at risk of identity theft. Commenters swung between panic, fury, and dark jokes, with the biggest debate being why the company kept all that sensitive data in the first place.

This story has the internet doing the full stare-scream-refresh routine. A reporter was able to pull up passport scans and driver’s licenses from public web links with basically no barriers at all, exposing nearly a million identity documents tied to cannabis clubs and age-check systems in Europe. No secret hacker movie stuff here — the real scandal, as commenters see it, is that this information was apparently left sitting out in the open for months like forgotten luggage in an airport.

The loudest reaction was pure panic. One commenter immediately jumped to the question everyone dreads: “Is my passport in there, and are people even being told?” That fear set the tone. Others were stunned less by the leak itself than by the sheer carelessness behind it. The hottest outrage came from a GDPR angle — Europe’s privacy law that says companies shouldn’t keep personal data longer than necessary. One commenter basically asked the devastatingly simple question: why were they saving all these passport scans at all after checking someone’s age? Brutal, fair, and very hard to un-hear.

And because the internet cannot resist a dark joke, the thread also delivered gallows humor. One user cracked that if IDs are just lying around online, you could simply “grab one” the next time you need to prove your age. Heavy sarcasm, zero chill. Even a boring link-fix comment added to the chaotic vibe, as readers scrambled for the original report. The verdict from the crowd: this wasn’t just a mistake — it was the kind of sloppy data handling that makes people wonder why companies collect so much of our personal information in the first place.

Key Points

  • Nearly one million passports and photo IDs were exposed on publicly accessible URLs without passwords, encryption, or access controls.
  • The exposed files included passport scans and driver’s licenses with photos, names, and identifying numbers from multiple European countries.
  • The documents were hosted on systems used by cannabis clubs and by Nefos, which operates the PuffPal membership and age-verification platform.
  • Security researcher Sammy Azdoufal discovered the exposure and warned that openly available identity documents could be found and resold by criminals.
  • The Verge’s investigation found no evidence of a traditional hack; the incident was attributed to misconfiguration and insecure storage practices.

Hottest takes

"I am sure even my passport would be part of the breach" — adithyaharish
"why have they retained the information at all!" — gertrunde
"just grab one of those whenever your need to prove your age online /s" — raverbashing

Save News

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.