
Data leak: one million Cannabis Club members exposed online

Barcelona's Cannabis Clubs in danger

Nearly a million members of cannabis social clubs and coffee shops had their personal data exposed on the Internet for several weeks.


The breach stems from CCS Nube, the SaaS platform developed by Cannabis Club Systems (CCS), the business unit of the Irish company Nefos Solutions Ltd, used by 377 establishments in over 40 countries to manage memberships, identity verification and transactions.

Sammy Azdoufal, a cybersecurity researcher and himself a member of a Barcelona club, discovered the flaw in April 2026 after downloading his club's optional mobile application, PuffPal, and decompiling its code.

The exposed database reportedly contained information on 1,082,680 registered members, including nearly 986,000 identity documents such as passports, national identity cards and driving licences. More than 104,000 French citizens are among the users affected.

The database covers some of the best-known clubs in the sector, including the Bulldog in Amsterdam with 53,011 profiles, and Barcelona's Strain Hunters, Choko, Firehouse and Selva.

Data leakage statistics

How the vulnerability was discovered

The problem came to light after Azdoufal reviewed PuffPal, the optional mobile app developed by CCS to facilitate club registration and member management.

By analyzing the application's code, he found that the backend it talked to lacked basic authorization checks. Simply changing the numerical identifier in a request for a member record returned another member's personal file: the server authenticated the caller but never verified that the requested record belonged to them, a textbook insecure direct object reference (IDOR).

«I wrote a loop. I let it run all night. The next morning, I had 1,082,680 records,» Azdoufal wrote in his technical report.
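An overnight loop walking sequential member ids is exactly the traffic pattern a backend should notice long before it reaches a million records. The following detector is an added example, not code from CCS or from the researcher's report: it groups constructed access-log lines by session and flags any session that reads many distinct member ids inside a short window or walks ids in strictly increasing order. The log format, the `session=` field and the endpoint path `/api/members/<id>` are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Hypothetical access-log format; the field names are this example's own, not CCS's.
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) session=(?P<session>\S+) "
    r"GET /api/members/(?P<id>\d+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "session": m["session"],
        "id": int(m["id"]),
        "status": int(m["status"]),
    }


def find_enumeration(lines, window_seconds=600, min_distinct=50, min_sequential=20):
    """Flag sessions that read >= min_distinct distinct member ids within
    window_seconds, or fetch >= min_sequential ids in a +1 sequence.
    Returns {session: sorted list of reasons}."""
    by_session = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["status"] == 200:  # only successful reads count as exposure
            by_session[ev["session"]].append(ev)

    alerts = {}
    for session, events in by_session.items():
        events.sort(key=lambda e: e["ts"])
        window = deque()
        reasons = set()
        run, prev_id = 0, None
        for ev in events:
            # Sliding window of recent events for the distinct-id check.
            window.append(ev)
            while (ev["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                window.popleft()
            if len({e["id"] for e in window}) >= min_distinct:
                reasons.add("distinct_ids")
            # Length of the current run of consecutive ids (1000, 1001, 1002, ...).
            run = run + 1 if prev_id is not None and ev["id"] == prev_id + 1 else 1
            prev_id = ev["id"]
            if run >= min_sequential:
                reasons.add("sequential_ids")
        if reasons:
            alerts[session] = sorted(reasons)
    return alerts


def sample_log():
    """Constructed log lines (not real traffic): one member re-reading their own
    profile, one club-staff session reading three members, and one session
    walking ids 1000..1100 at two-second intervals."""
    t0 = datetime(2026, 4, 12, 2, 0, 0, tzinfo=timezone.utc)
    fmt = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = []
    for k in range(3):
        lines.append(f"{fmt(t0 + timedelta(minutes=k))} 198.51.100.10 "
                     f"session=sess-alice GET /api/members/1001 200")
    for k, mid in enumerate((1001, 1005, 1009)):
        lines.append(f"{fmt(t0 + timedelta(minutes=2 * k))} 198.51.100.20 "
                     f"session=sess-staff7 GET /api/members/{mid} 200")
    for k, mid in enumerate(range(1000, 1101)):
        lines.append(f"{fmt(t0 + timedelta(seconds=2 * k))} 203.0.113.5 "
                     f"session=sess-walker GET /api/members/{mid} 200")
    return lines


if __name__ == "__main__":
    for session, reasons in find_enumeration(sample_log()).items():
        print(session, reasons)
```

The two signals are deliberately independent: a scraper that randomizes its order defeats the sequential check but not the distinct-id count, and a slow scraper that stays under the per-window count still trips the sequential check if the ids are contiguous. In production the thresholds would be tuned per role (club staff legitimately read many members of their own club) and the alert would feed a rate limit or session revocation rather than only a log line.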

The vulnerability did not only affect PuffPal users. According to the researcher, the exposed data came from CCS Nube, the central platform used by clubs to manage membership, identity verification, messaging and payments. As a result, people who had never downloaded the mobile application could also have had their data exposed.


Photos of identity documents were stored at predictable public URLs, without any form of access control: anyone who could guess the path could fetch the scan. Around five thousand new scans were being added every day under these conditions.

Other flaws were identified at the same time: a Stripe secret key, giving full access to the payment account, hard-coded in the application's APK (where anyone who downloads the app can extract it); Firebase credentials giving access to push notification tokens for 25,425 accounts; and 9,030 private messages between members and clubs readable without any check that the requester owned them.
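The three data-access problems above (member records readable by id, messages readable without an ownership check, and document scans at guessable public paths) share one missing control: the server never tied the requested object to the authenticated caller. The following is an added example, not CCS code, showing the vulnerable lookup beside a hardened version that decides authorization from the session, applies the same check to messages, and hands out short-lived HMAC-signed URLs for document images instead of predictable public paths. The member and message records, the `club_staff` role, and the signing key are constructed for the example.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed sample data (not real CCS records): two members in two different clubs.
MEMBERS = {
    1001: {"name": "Alice Example", "club_id": 7, "document": "docs/1001.jpg"},
    1002: {"name": "Bob Example", "club_id": 9, "document": "docs/1002.jpg"},
}
MESSAGES = {
    501: {"member_id": 1001, "body": "Your renewal is due next month"},
    502: {"member_id": 1002, "body": "Your card is ready for pickup"},
}
# Hypothetical server-side secret; it never ships inside the client app.
SIGNING_KEY = b"hypothetical-server-side-signing-key"


class Forbidden(Exception):
    """Raised for both 'not yours' and 'does not exist', so ids cannot be probed."""


@dataclass
class Session:
    member_id: int
    club_id: int
    role: str  # "member" or "club_staff"


def get_member_vulnerable(session: Session, member_id: int) -> dict:
    """The pattern the article describes: the caller is authenticated, but the
    id in the request is trusted. Any session can walk 1, 2, 3, ... and read all."""
    return MEMBERS[member_id]


def _may_read(session: Session, record: dict, member_id: int) -> bool:
    # A member may read their own record; club staff may read members of their own club.
    if session.member_id == member_id:
        return True
    return session.role == "club_staff" and session.club_id == record["club_id"]


def get_member(session: Session, member_id: int) -> dict:
    """Hardened lookup: authorization is derived from the session, not the id."""
    record = MEMBERS.get(member_id)
    if record is None or not _may_read(session, record, member_id):
        raise Forbidden(f"member {member_id}")
    return record


def get_message(session: Session, message_id: int) -> dict:
    """Messages are scoped through the member they belong to."""
    msg = MESSAGES.get(message_id)
    if msg is None:
        raise Forbidden(f"message {message_id}")
    owner = MEMBERS[msg["member_id"]]
    if not _may_read(session, owner, msg["member_id"]):
        raise Forbidden(f"message {message_id}")
    return msg


def _sig(path: str, exp: int) -> str:
    return hmac.new(SIGNING_KEY, f"{path}|{exp}".encode(), hashlib.sha256).hexdigest()


def document_url(session: Session, member_id: int, ttl_seconds: int = 300, now=None) -> str:
    """Issue a short-lived signed URL for a member's ID scan, only after the same
    authorization check as the profile itself. The path alone is worthless."""
    record = get_member(session, member_id)  # raises Forbidden if not allowed
    exp = int(now if now is not None else time.time()) + ttl_seconds
    path = record["document"]
    return f"/{path}?exp={exp}&sig={_sig(path, exp)}"


def serve_document(url: str, now=None) -> bool:
    """Storage front-end check: True only for an unexpired, correctly signed URL."""
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    try:
        exp = int(qs["exp"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError):
        return False
    current = now if now is not None else time.time()
    if current > exp:
        return False
    # Constant-time comparison; the signature covers both the path and the expiry.
    return hmac.compare_digest(sig, _sig(parsed.path.lstrip("/"), exp))


if __name__ == "__main__":
    alice = Session(member_id=1001, club_id=7, role="member")
    print("vulnerable:", get_member_vulnerable(alice, 1002)["name"])  # leaks Bob
    try:
        get_member(alice, 1002)
    except Forbidden as err:
        print("hardened: refused", err)
```

Two design points are worth noting. Missing and foreign ids both raise the same `Forbidden`, so a scraper cannot use the difference between 403 and 404 to map the id space. And the signed URL binds path and expiry under a server-side key, so changing `1001.jpg` to `1002.jpg` in a valid link invalidates it; the client only ever sees the output of `document_url`, never the key that produced it.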

Sensitive information about cannabis use

The information disclosed went far beyond simple contact details.

According to Next.ink, the exposed profiles could include names, e-mail addresses, telephone numbers, postal addresses, dates of birth, nationalities, identity document numbers and scanned copies of passports or identity cards.

The database also contained information on members' cannabis consumption habits, including reported monthly consumption levels and preferred varieties.

«The physical bouncer at the entrance checks your membership card. The digital bouncer wasn't there,» Azdoufal summarized.

The breakdown of affected users by nationality highlights the international nature of the clubs' membership. The largest groups of members were Spanish, Italian, French, South African, British, German and American.

The leak also raises concerns for citizens of countries where cannabis remains harshly punished. The researcher noted that the database included members holding passports from countries such as Saudi Arabia, Kuwait and the United Arab Emirates, where cannabis offences can carry serious legal consequences.

Questions about GDPR compliance

The handling of this incident is clearly open to criticism. According to Azdoufal, he first alerted CCS in April 2026 but received no response for several weeks despite multiple attempts to contact the company.

Next.ink and The Verge both reported that substantive engagement took place only after journalists had intervened and publication of the findings seemed imminent. Under the GDPR (Article 33), a data controller must notify the competent supervisory authority within 72 hours of becoming aware of a personal data breach unless the breach is unlikely to result in a risk to individuals; where the breach is likely to result in a high risk to them, Article 34 also requires that the affected individuals be informed without undue delay.

Speaking to The Verge, CCS co-founder Andreas Nilsen acknowledged the seriousness of the situation and said the company was cooperating with the Irish Data Protection Commission.

«We need to communicate with everyone potentially exposed,» Mr. Nilsen told the outlet.

At the time of writing, the club managers we interviewed were not aware of the data leak.

Emergency measures and ongoing investigation

Following the public disclosure of the vulnerabilities, CCS began implementing corrective measures. According to statements provided to several media outlets, the company restricted access to the exposed endpoints, temporarily took the PuffPal application offline and launched an internal investigation.

The company's CTO, Sean Nilsen, told the media that several vulnerabilities had already been patched and that remediation efforts were continuing.

«We take the security and protection of personal data very seriously,» said Nilsen.

Independent tests carried out by Azdoufal on June 10 suggested that some of the most critical exposures, including the publicly accessible identity document images, had finally been secured.

To date, no evidence of malicious data extraction has been established. Affected members can exercise their rights of access (GDPR Article 15) and erasure (Article 17) with their club, and lodge a complaint with their national data protection authority.


Aurélien founded Newsweed in 2015. Particularly interested in international regulations and the various cannabis markets, he also has an extensive knowledge of the plant and its uses.
