Nearly one million passports, driver’s licenses, and other photo IDs were reportedly left exposed on the public internet, raising serious concerns about how sensitive personal data is stored and protected online.
The issue was discovered by security researcher Sammy Azdoufal, who said he found more than 985,000 identity documents accessible through public web links without any password, login, or access control. In simple terms, anyone with the right URL could view private documents belonging to strangers.
The exposed files included passports from different countries, driver’s licenses, and other personal identification documents. According to the report, the documents were publicly available online, meaning they could be accessed, copied, shared, or resold by people with basic technical knowledge.
Azdoufal warned that the problem needed urgent attention because exposed identity documents can quickly become valuable material for cybercriminals. Such data can be used for identity theft, fraud, account takeovers, fake registrations, and other harmful activities.
The researcher said many of the exposed documents appeared to be linked to people who had visited cannabis clubs in Spain. In some cases, the exposed information may have included not only photo IDs but also personal details such as phone numbers, addresses, preferred cannabis strains, and monthly consumption records.
The database reportedly included visitors from many countries, including around 30,000 people from the United States. Azdoufal also claimed that some well-known individuals were present in the database, making the exposure even more sensitive for people who may not want their private habits or personal details made public.
The affected users were not limited to one country. The report said people from Spain, Italy, France, South Africa, Britain, the United States, and other places appeared in the exposed records. Several cannabis clubs, especially in Barcelona, were also named in the data that the researcher’s automated tool was able to see.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
The report noted that the clubs themselves were not necessarily the ones that failed to protect the identity documents. However, the incident shows how dangerous it can be when companies, platforms, or third-party services store sensitive personal information without proper security controls.
