alt.hn

6/28/2026 at 7:43:02 PM

1M Passports Leaked Online

https://www.schneier.com/blog/archives/2026/06/one-million-passports-leaked-online.html

by garo-pro

6/28/2026 at 9:18:42 PM

The lack of security is one thing, but why have they retained the information at all!

iirc, one of the elements of GDPR is "storage limitation", i.e. you must not keep personal data for longer than you need it - and in this case, the data is only needed to verify the age of the user, and shouldn't ever be required again (unless people can now get younger).

Once a document has been used to verify a person's identity and that the person is of legal age, there is no reason to retain a copy of the document any more.

It would be reasonable and fair to retain a photo of the user to verify that the person matches the account, but that's it.

by gertrunde

6/29/2026 at 1:37:35 AM

10 years after I took the ACT, I received a letter from a university that I never went to, saying my SSN was leaked.

WHY THE F**k ARE THEY HOLDING ON TO THAT 10 YEARS LATER!?!?!?

Of course now I know better than to give out my SSN to anyone who asks for it, but I didn't know that as a teenager.

Until stupid s**t like this becomes illegal, it will just keep continuing.

by rationalist

6/29/2026 at 12:17:43 PM

[dead]

by vrsgjye

6/28/2026 at 7:52:17 PM

Could we update the link to the original article? https://cambridgeanalytica.org/data-breaches-scandals/passpo...

by dgellow

6/28/2026 at 8:57:06 PM

CA article is just AI;dr on a two-week-old Verge article: https://www.theverge.com/tech/947157/passports-data-breach-c...

by ericpauley

6/28/2026 at 9:07:57 PM

OK, then changing the link to the Verge article. Thanks for pointing that out.

by dgellow

6/28/2026 at 11:13:06 PM

The Verge is not a good source as it's paywalled.

by wolvoleo

6/28/2026 at 11:13:44 PM

Wow it's insane that Cambridge Analytica is still around after the scandals.

by wolvoleo

6/28/2026 at 7:51:39 PM

Oh god that’s pretty bad

> The documents were hosted by systems used by cannabis clubs and a company called Nefos, which operates PuffPal, a platform that manages membership and age verification for cannabis retailers and clubs across Europe. The infrastructure storing these identity documents—full passport scans, driver’s licenses with photos, names, and identifying numbers—was left completely unprotected on publicly accessible web servers.

I cannot imagine the level of fines under GDPR for leaking that much PII

by dgellow

6/28/2026 at 8:51:17 PM

The EU's verification laws will ensure many more of these leaks in the future, and therefore many more fines.

by real_chudson

6/28/2026 at 9:40:18 PM

How so? Are you purely speculating, or have you found a hole in the zero-knowledge proof system some countries are implementing?

by Kuinox

6/28/2026 at 10:26:21 PM

Is it a requirement to retain the documents? Many are waiting for gatekeeper tech companies to organise around attestation rather than submission to third parties. I hope they are making progress.

by forestry

6/28/2026 at 9:33:06 PM

Yep… not sure about more fines, but for sure more leaks

by dgellow

6/28/2026 at 7:56:23 PM

That's good, just grab one of those whenever you need to prove your age online /s

by raverbashing