One million passports leaked online(theverge.com)
393 points by jruohonen 2 days ago | 230 comments
tl;dr: Security researcher Sammy Azdoufal discovered that Cannabis Club Systems (Nefos Solutions), an Irish company providing software to Spanish cannabis clubs, exposed nearly 1 million photo IDs (passports, driver's licenses, addresses, and consumption data) at unauthenticated public URLs, with roughly 5,000 new IDs added daily. The PuffPal companion app shipped with a plaintext Stripe key, and its APIs leaked full user profiles to anyone who incremented the numeric user ID in the request (a classic insecure direct object reference). Nefos took over a month to respond meaningfully, briefly re-exposed the images to appease clubs, has now shut down PuffPal, and blames the outsourcing firm 9Series.
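The two API defects in the summary above, sequential IDs with no ownership check and ID images sitting at public URLs, are common enough to be worth seeing side by side. The following is an added example written for this page, not code from PuffPal, Nefos, 9Series, or the article: an in-memory model of a vulnerable profile endpoint, the scraper loop that drains it by incrementing the ID, a hardened endpoint that enforces object-level authorization and uses unguessable public IDs, and HMAC-signed short-lived image URLs in place of public paths. All records, tokens, paths and the signing key are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a request fails authentication or object-level authorization."""


@dataclass(frozen=True)
class Profile:
    user_id: int          # sequential database ID
    name: str
    club: str
    id_image_path: str    # storage path of the scanned photo ID


# Constructed sample records; not real data.
PROFILES = {
    1: Profile(1, "Member One", "Club A", "ids/0001.jpg"),
    2: Profile(2, "Member Two", "Club A", "ids/0002.jpg"),
    3: Profile(3, "Member Three", "Club B", "ids/0003.jpg"),
}

# Constructed session table: bearer token -> user_id of the caller.
SESSIONS = {"tok-member-one": 1, "tok-member-two": 2}


# ---- Vulnerable pattern: the path parameter is trusted, the caller is ignored ----
def get_profile_vulnerable(token: str, user_id: int) -> Profile | None:
    if token not in SESSIONS:
        raise Forbidden("missing or invalid session")
    # Authenticated, but never checks that the caller owns user_id.
    return PROFILES.get(user_id)


def enumerate_profiles(token: str, start: int = 1, stop: int = 100) -> list[Profile]:
    """What a scraper does against the vulnerable endpoint: increment the ID."""
    found = []
    for uid in range(start, stop):
        profile = get_profile_vulnerable(token, uid)
        if profile is not None:
            found.append(profile)
    return found


# ---- Hardened pattern: object-level authorization plus unguessable public IDs ----
# Public IDs are random, stored alongside the record, and are the only
# identifier that ever appears in a URL; the sequential database ID stays internal.
PUBLIC_IDS = {secrets.token_urlsafe(16): uid for uid in PROFILES}


def public_id_for(user_id: int) -> str:
    """Reverse lookup used when rendering links for the owning user."""
    return next(pid for pid, uid in PUBLIC_IDS.items() if uid == user_id)


def get_profile_hardened(token: str, public_id: str) -> Profile:
    caller = SESSIONS.get(token)
    if caller is None:
        raise Forbidden("missing or invalid session")
    target = PUBLIC_IDS.get(public_id)
    # Same response for "not found" and "not yours": no oracle for valid IDs.
    if target is None or target != caller:
        raise Forbidden("not permitted")
    return PROFILES[target]


# ---- Stored ID images: serve via short-lived signed URLs, not public paths ----
SIGNING_KEY = b"constructed-example-key-rotate-in-production"


def signed_image_url(path: str, ttl_seconds: int = 60, now: int | None = None) -> str:
    """Mint a URL that is only valid for ttl_seconds and cannot be forged for another path."""
    expires = (now if now is not None else int(time.time())) + ttl_seconds
    msg = f"{path}:{expires}".encode()
    sig = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return f"/images/{path}?expires={expires}&sig={sig}"


def verify_image_url(path: str, expires: int, sig: str, now: int | None = None) -> bool:
    """Server-side check before streaming the file: not expired and signature matches."""
    now = now if now is not None else int(time.time())
    if now > expires:
        return False
    msg = f"{path}:{expires}".encode()
    expected = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)
```

The ownership check in `get_profile_hardened` is the actual fix; the random public IDs only stop bulk enumeration and are not a substitute for authorization. Likewise a signed URL limits how long a leaked link is useful, but it does not address the retention question raised in the discussion below: an ID image that was deleted after verification cannot leak at all.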
HN Discussion:
  • Cannabis clubs share blame for poor vendor vetting; the article wrongly absolves them
  • A photo of an ID should not be treated as a credential, since the image lacks the physical security features that make the document verifiable
  • Systems should not retain ID data after verification; keeping it violates GDPR data-minimisation principles
  • Age-verification mandates create these privacy disasters; contact legislators
  • Similar leaks are common across many industries