Nearly one million passports leaked online unprotected
Original: One million passports leaked online
Why This Matters
Demonstrates critical gaps in data protection for identity documents; highlights risks of large-scale personal data exposure and identity theft.
Security researcher discovered approximately 985,000 passport scans and photo IDs exposed on public internet without password protection. Data primarily from Spanish cannabis clubs accessible to anyone via direct URLs, posing identity theft and resale risks.
Security researcher Sammy Azdoufal discovered over 985,000 photo identification documents, including passports and driver's licenses, sitting unprotected on public URLs with no password or access control. The documents were accessible to anyone with a direct link, allowing potential theft and resale of identity information. The majority of the exposed data appears to originate from cannabis clubs in Spain, with documents containing not only photos but also personal information including phone numbers and addresses. Azdoufal, known for discovering security vulnerabilities in DJI Romo robot vacuums and baby monitors, emphasized the urgency of addressing the breach, warning that criminals would likely discover and exploit the exposed data. The documents were completely unprotected, with Azdoufal able to access strangers' identification documents simply by typing URLs into a web browser. The incident highlights systemic data security failures in how organizations handle sensitive identity documents.