One Million Passports Leaked Online - Schneier on Security
One Million Passports Leaked Online
A database of almost a million passports from around the world was leaked online.
Note what happened. A high-value credential—a passport—was used in an ancillary low-value authentication system: ID verification for cannabis dispensaries. And it’s the low-value system that got hacked, putting the high-value credential at risk.
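The design point above, that an ancillary system should never hold the high-value credential it only needs to glance at, can be shown in code. The following is an added example, not code from this post or from any of the companies named in the comments: a dispensary age gate that verifies a passport once and then keeps only a keyed pseudonym, a yes/no result and the date of the check, discarding the document itself. The field names, the 21-year threshold, the sample passport and the retention record are all assumptions for illustration.

```python
"""Data minimisation for an age gate that checks passports (added example)."""
import hashlib
import hmac
from dataclasses import asdict, dataclass
from datetime import date

# Constructed sample input, in the shape a document scanner might hand over
# after OCR. Every value here is made up for the example.
SAMPLE_PASSPORT = {
    "document_number": "X1234567",
    "date_of_birth": "1990-07-04",
    "date_of_expiry": "2031-01-15",
    "surname": "DOE",
    "given_names": "JANE",
    "nationality": "UTO",
}


@dataclass(frozen=True)
class AgeCheckRecord:
    """The only thing the low-value system persists (assumed schema)."""
    subject_token: str    # HMAC pseudonym; meaningless without the key
    over_threshold: bool  # the one fact the dispensary actually needs
    checked_on: str       # ISO date of the check, for re-verification policy


def age_on(dob: date, today: date) -> int:
    """Completed years of age on `today`, correct when the birthday is later in the year."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def subject_token(document_number: str, dob: date, key: bytes) -> str:
    """Keyed pseudonym so repeat visits can be linked without storing the document."""
    msg = f"{document_number}|{dob.isoformat()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_and_minimise(passport: dict, key: bytes, today: date,
                        threshold: int = 21) -> AgeCheckRecord:
    """Check the document, then return a record that carries none of its fields."""
    dob = date.fromisoformat(passport["date_of_birth"])
    expiry = date.fromisoformat(passport["date_of_expiry"])
    if expiry < today:
        raise ValueError("document expired")
    return AgeCheckRecord(
        subject_token=subject_token(passport["document_number"], dob, key),
        over_threshold=age_on(dob, today) >= threshold,
        checked_on=today.isoformat(),
    )


def leaks_raw_fields(record: AgeCheckRecord, passport: dict) -> bool:
    """True if any passport key or value ended up in what is stored."""
    stored = asdict(record)
    if any(k in stored for k in passport):
        return True
    return any(str(v) in stored.values() for v in passport.values())


if __name__ == "__main__":
    # The HMAC key lives in a secrets manager, never beside the records.
    rec = verify_and_minimise(SAMPLE_PASSPORT, b"example-key", date(2026, 6, 26))
    print(rec, "leaks raw fields:", leaks_raw_fields(rec, SAMPLE_PASSPORT))
```

Two caveats. The pseudonym is still personal data under GDPR, since whoever holds the HMAC key can link a record back to a document number, so the key must be protected separately from the records. And where a regulator requires retaining the document image itself, this design does not apply; the image then needs the vault-grade handling the comments below call for.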
Tags: data collection, leaks, passports
Posted on June 26, 2026 at 7:03 AM • 13 Comments
Comments
Bill Dietrich •
June 26, 2026 7:20 AM
I’m sure my passport is in this breach, but I haven’t been notified. Has anyone affected been notified? This breach is 2 months old, I think.
Bob Dobbs •
June 26, 2026 7:50 AM
I got a giggle out of CA reporting on CA’s data collection without consent in the linked article. Needed that, been a rough week XD
Druggy Coding •
June 26, 2026 9:40 AM
Might want to prevent your coding team from smoking on duty.
I coded for a few weeks while on prescription hydrocodone after some surgery. Don’t worry. It was for an avionics system that only impacted a few human lives who were risk takers already. Just because I wanted to go dancing every day, that shouldn’t matter, right?
Rontea •
June 26, 2026 10:50 AM
Nearly a million passports left sitting on the open internet with no authentication and no encryption is not a sophisticated cyberattack—it’s negligence. Threat actors don’t need to break into a system that’s already wide open.
When organizations collect this level of personally identifiable information, they’re taking on the highest form of risk. And yet, here we have an operation that treated digital passports like they were disposable images on a public server. No access controls. No audit trails. No serious defense-in-depth posture.
The takeaway is simple: if your business depends on processing identity documents, you must treat that data with the same rigor as a bank treats its vault. Implement access controls, encrypt at rest and in transit, monitor for anomalies, and have a defined incident response plan. Misconfigurations at this scale don’t just harm customers—they erode trust in the entire ecosystem.
If you’re in the business of handling sensitive data, this is your cautionary tale. Security is not optional.
Anonymous •
June 26, 2026 11:01 AM
Modern man believes he is free because he can verify his identity to buy trivialities, yet he entrusts the sacred document of his existence to the machinery of commerce. A passport, once a symbol of sovereignty and dignity, is now a token in a game of petty transactions. When the banal world of dispensaries mishandles the keys to the kingdom, we see the triumph of the insignificant over the essential, and humanity applauds its own captivity.
KC •
June 26, 2026 11:45 AM
@Bill Dietrich
The software company Nefos has been in touch with Ireland’s Data Protection Authority (DPC). Its co-founder tells The Verge: “We have to communicate to everyone that was potentially exposed.” Nilsen says he hopes the DPC can show them how to do this properly.
He adds they are parting ways with the company 9series, who he says created vulnerable APIs. And he’s aware they may get a penalty under EU Law as they did not disclose the breach within 72 hours. French security researcher Sammy Azdoufal discovered the 985,000 photo IDs online.
Clive Robinson •
June 26, 2026 12:00 PM
@ Rontea, ALL,
With regards,
"And yet, here we have an operation that treated digital passports like they were disposable images on a public server. No access controls. No audit trails. No serious defense-in-depth posture."
Seriously what do you expect?
US law is pulling in "Know Your Customer"(KYC) requirements into ever larger parts of commerce.
However there is no counterbalancing legislation to protect citizens privacy with the same sorts of punishment for commercial entities as failing KYC requirements.
The reason for this is the "holy House of neo-con capitalism" and,
"Never leave money on the floor."
All of the things you suggest would cost more than a brown envelope in a legislators political fund etc.
If you want even basic protections for citizens, you have to have legislation to make doing anything else way too costly.
They say you can not put a commercial entity in jail, but all such entities are required to have named and ID produced controlling personnel. Just having a "No Defence" sentence giving all of them a week's imprisonment for each set of citizens' details lost, to be served consecutively with no parole and in Super-Max style isolation, might be a wake up call.
Oh and another piece of legislation requiring controlling officers of commercial entities to be like the US President… Over the age of 35, a full citizen, born in US territory, and still resident, along with provably having paid in full all taxes owed.
Yes I know it’s bot...