Discretion Was the Product. It Was Also the Vulnerability.
A cannabis app leaked a million users' IDs, addresses, and consumption habits — and the story isn't the hack, it's the category.

There's a particular kind of breach that hits different. Not the retail giant that lost your credit card number to a Russian group you've never heard of. Not the health insurer whose database turned up on a forum. Those hurt, but they're almost abstract — you were always a row in someone's spreadsheet.
This one is different. A writer at Daring Fireball flagged a Verge report about PuffPal, an app used to access cannabis clubs in Spain. According to the reporting, a researcher named Azdoufal decompiled the app and found essentially no meaningful security protecting the data inside. A secret key for the Stripe payments platform was sitting in the app in plain text. Member profiles were accessible to anyone who knew how to look. What was inside those profiles: passport photos, phone numbers, addresses, favorite strains, monthly consumption amounts. Roughly one million users. Thirty thousand of them from the United States. And, per Azdoufal's account, celebrities — people, as he put it, who don't want everyone to know they smoke weed.
That last line is the whole story compressed into one sentence.
When the App Is the Risk
Cannabis clubs in Spain exist in a specific legal gray zone. The discretion isn't a feature — it's the premise. The app that manages access to that world wasn't just holding data incidentally. It was holding data that people handed over because they believed the system was contained, private, off the record in some meaningful sense. The whole value proposition was built on that assumption.
Azdoufal didn't find a sophisticated adversary. He found a Stripe key in plain text. He found that pulling up any member's profile required no meaningful authentication. This wasn't a nation-state operation. This was negligence so basic it doesn't even qualify as irony — it's just a betrayal.
What Daring Fireball is pointing at, by surfacing this story, is something the tech industry has been slow to reckon with honestly: the apps most likely to carry genuinely sensitive data are often the ones least equipped — structurally, culturally, financially — to protect it. The big platforms get scrutinized. The niche apps, the vertical-specific tools, the category software built for communities that can't exactly go complaining to regulators — those operate in the dark.
The Credibility Problem
Privacy as a selling point has been having a rough decade. But there's a difference between a platform quietly monetizing your behavior and an app explicitly built around discretion that then leaves a million passports effectively in a public hallway. The former is cynical. The latter is something closer to a con.
The people in that database made a calculation: that digitizing their identity and consumption habits was worth the convenience, because the system holding that information could be trusted. That calculation turned out to be wrong. Not because of a clever attacker. Because of a plain-text Stripe key.
The question Daring Fireball is implicitly asking — and it's the right one — is whether discretion can survive digitization at all when the builders of these systems treat security as an afterthought. Not every sensitive category gets to have its breach ignored. Cannabis consumption, passport data, addresses: in the wrong hands, in the wrong jurisdiction, for the wrong person, that's not an inconvenience. That's exposure with real-world weight.
We keep building apps that ask for everything and protect nothing. Eventually, the people handing over the everything figure that out.