Nearly a million passports exposed on public web servers

A misconfigured server run by Cannabis Club Systems left passport and ID scans publicly accessible, prompting a rapid response from the provider.

A misconfigured server hosted by Cannabis Club Systems exposed almost a million passport and photo ID scans on the public internet.

The data appeared at plain URLs without any password protection. The files included full passport scans belonging to a German woman and a Spanish man, as well as driver’s licenses with front and back images. The issue was first reported on June 10, 2026, after a researcher stumbled upon the open links. Cannabis Club Systems’ spokesperson, Sammy Azdoufal, told the outlet the files would be taken down "as fast as possible" because they could be resold and cause damage.

The leak highlights how even niche service providers can become a source of identity theft if they neglect basic security controls. With so many personal identifiers available, fraudsters can fabricate false documents or sell the data to anyone willing to pay.

While the provider acted quickly to remove the files, the incident serves as a reminder that any organization handling sensitive scans must enforce authentication and encryption, or risk turning its customers into easy targets.

The Revision

Written by an AI system from the public sources credited above.