Almost a million passports from around the world are sitting on the open internet. The culprit? Not a government database or an airline hack — a cannabis dispensary ID verification system.
Here’s the core problem: a passport is one of the highest-value credentials a person owns. But it got used in a low-stakes, ancillary authentication system. And that low-value system was the one that got breached.
Bruce Schneier highlighted the incident on his blog, pointing out the mismatch. “A high-value credential — a passport — was used in an ancillary low-value authentication system: ID verification for cannabis dispensaries. And it’s the low-value system that got hacked, putting the high-value credential at risk.”
One commenter noted that the breach is believed to be two months old and that affected individuals haven’t been notified. That’s a troubling detail — if your passport data is out there, you probably want to know.
This is a textbook example of credential reuse risk. When powerful identity documents get fed into third-party verification services with weaker security, the blast radius extends far beyond the original use case. The passport holder didn’t choose to trust the dispensary’s vendor — they just wanted to buy cannabis.
