Nilsen argues his company will not simply re-launch unsecured PuffPal if the clubs ask
Compiled by KHAO Editorial, aggregated from one source.
“The Verge will make sure, after this debacle, that this is verified by an independent security researcher and guarantee that this is 100 percent secure.” He says Nefos is parting ways with 9Series, and hopes to have a new app within a few months.
Key facts
- Last month, a website called the UK Visa Portal similarly exposed at least 100,000 passports to anyone who could guess a URL
- In a phone interview, Nefos co-founder Andreas Nilsen tells The Verge that he’s in touch with Ireland’s Data Protection Authority (DPC) about the data breach, a fact that DPC spokesperson Evan
- Nilsen says he’s aware that under EU law, his company legally had to disclose the breach within 72 hours or pay significant fines, something the company didn’t
- All a hacker had to do was type “curl -X POST -d "user_id=[NUMBER]&[CLUB NAME]=test&language=en"” into a command line, and the servers would freely give up a ream of personal information
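The request pattern in the last key fact, a POST that hands back a member's personal data for any user_id with no session check at all, is a missing object-level authorization check. The Python below is an added illustration written for this page; it is not code from PuffPal, Nefos, 9Series or The Verge, and the document store, session table, field names, log format and IP addresses are all constructed. It places the unauthenticated lookup next to a version that requires a valid session and confirms the caller owns the requested record, and adds a small detector that flags a source requesting many distinct user_id values, which is what a guessing loop over `[NUMBER]` looks like in an access log.

```python
"""Added illustration of the access check missing from the endpoint described above.

Everything here is constructed: an in-memory document store, a session table,
a minimal request object and a handful of access-log lines. None of it is
PuffPal's, Nefos's or 9Series's code.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: each record stands in for an identity document a
# club member uploaded. Keyed by the numeric user_id the form parameter carries.
DOCUMENTS = {
    1001: {"owner": "alice", "club": "Club A", "passport_scan": "<constructed bytes for alice>"},
    1002: {"owner": "bob", "club": "Club B", "passport_scan": "<constructed bytes for bob>"},
}

# Constructed session table: opaque session token -> authenticated username.
SESSIONS = {
    "tok-alice-9f3a": "alice",
    "tok-bob-17c2": "bob",
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP POST: form fields plus an optional session token."""
    form: dict
    session_token: Optional[str] = None


def vulnerable_lookup(req: Request) -> dict:
    """The pattern the reporting describes: trust user_id from the form, no auth at all.

    Anyone who can guess a number receives somebody else's document.
    """
    user_id = int(req.form["user_id"])
    return {"status": 200, "body": DOCUMENTS.get(user_id)}


def hardened_lookup(req: Request) -> dict:
    """Same endpoint with the two checks that were missing.

    1. Authentication: the request must carry a session token we issued.
    2. Object-level authorization: the record must belong to that session's user.
    A record that is not the caller's and a record that does not exist both
    return 404, so the endpoint cannot be used to enumerate which ids are valid.
    """
    user = SESSIONS.get(req.session_token or "")
    if user is None:
        return {"status": 401, "body": None}
    try:
        user_id = int(req.form.get("user_id", ""))
    except ValueError:
        return {"status": 400, "body": None}
    doc = DOCUMENTS.get(user_id)
    if doc is None or doc["owner"] != user:
        return {"status": 404, "body": None}
    return {"status": 200, "body": doc}


# Constructed access-log lines in the format "<ip> POST <path> <form-field>=<value>".
SAMPLE_LOG = [
    "198.51.100.7 POST /api/member user_id=1001",
    "203.0.113.5 POST /api/member user_id=1001",
    "203.0.113.5 POST /api/member user_id=1002",
    "203.0.113.5 POST /api/member user_id=1003",
    "203.0.113.5 POST /api/member user_id=1004",
    "198.51.100.7 POST /api/member language=en",
]


def flag_enumeration(log_lines, threshold=3):
    """Crude detector: sources that request more than `threshold` distinct user_id values.

    A legitimate client asks for its own record; a guessing loop walks the id space.
    Returns the set of source IPs that exceeded the threshold.
    """
    seen = {}
    for line in log_lines:
        parts = line.split()
        ip = parts[0]
        uid = next((p.split("=", 1)[1] for p in parts if p.startswith("user_id=")), None)
        if uid is None:
            continue
        seen.setdefault(ip, set()).add(uid)
    return {ip for ip, ids in seen.items() if len(ids) > threshold}


if __name__ == "__main__":
    # Unauthenticated caller asks for bob's record.
    print("vulnerable:", vulnerable_lookup(Request({"user_id": "1002"}))["status"])
    print("hardened, no session:", hardened_lookup(Request({"user_id": "1002"}))["status"])
    print("hardened, alice asks for bob:",
          hardened_lookup(Request({"user_id": "1002"}, "tok-alice-9f3a"))["status"])
    print("enumerating sources:", flag_enumeration(SAMPLE_LOG))
```

The ownership check belongs next to the data access, not in a separate login page: a session proves who the caller is, and the comparison against `doc["owner"]` is what stops one authenticated member from reading another's file. Returning 404 for both "not yours" and "does not exist" keeps the response from doubling as an id oracle.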
Summary
Typing a few letters and numbers into their web browser, the reporter finds themselves gaping at the identity documents of complete strangers. They were all sitting unprotected at public URLs, with no password or access control of any sort. “The team have to do something about it as fast as possible, because people will find this and resell it.” Azdoufal is the security researcher who used Claude Code to help discover that every DJI Romo robot vacuum cleaner and a million baby monitors and security cameras were embarrassingly easy to hack. If you’ve visited a cannabis club in Spain, Azdoufal says, chances are your photo ID was among them. He adds that the cannabis clubs had a trivial level of security on their own accounts, using passwords that could theoretically be cracked in minutes with a modern GPU.