Nearly one million passports exposed in online database leak
A database containing passport images and personal data was left unsecured, highlighting systemic risks in identity verification systems.
2 sources · cross-referenced
- A database containing images of nearly one million passports from multiple countries was exposed online without authentication or encryption.
- The leak originated from a third-party identity verification system used by cannabis dispensaries, illustrating how low-value authentication chains can compromise high-value credentials.
- The breach was discovered by a French security researcher and reported to affected authorities, including Ireland’s Data Protection Commission.
A database containing images of nearly one million passports from multiple countries was left exposed on the open internet without authentication or encryption, according to a report by Schneier on Security. The leak was discovered by French security researcher Sammy Azdoufal and linked to a third-party identity verification system used by cannabis dispensaries.
The exposed data included passport images and associated personally identifiable information, which were stored with no access controls, audit trails, or encryption. Security experts characterized the storage practices as negligent, noting that such sensitive credentials require the same level of protection as financial vaults.
The software company Nefos, which provided the identity verification service, confirmed to The Verge that it is communicating with Ireland’s Data Protection Commission (DPC) about the breach. Nefos stated it is notifying individuals potentially affected and is ending its relationship with the vendor 9series, which developed the vulnerable APIs. The company acknowledged potential penalties under EU law for failing to disclose the breach within 72 hours.
The incident highlights the risks of using high-value identity documents, such as passports, in low-value authentication systems. Security analysts argue that organizations handling such sensitive data must implement robust access controls, encryption, monitoring, and incident response plans to prevent misuse and erosion of public trust.