A report about Cannabis Club Systems has raised serious privacy concerns for South Africans who may have used cannabis-related platforms linked to the company.

MyBroadband reported that security researcher Sammy Azdoufal claimed personal records linked to Cannabis Club Systems members may have been accessible through a reported vulnerability.

According to the report, the information allegedly included South African ID cards, passports, full names, email addresses, phone numbers, ID numbers, cannabis consumption estimates and strain preferences.

The report said members from more than 40 countries may have been affected, with South Africa allegedly the second-most affected region after Spain.

What the Researcher Claimed

Azdoufal told MyBroadband that he discovered the vulnerability in April 2026 and notified the company.

He alleged that records could be accessed through CCS Nube, the backend system used by Cannabis Club Systems.

According to the report, PuffPal was not described as the source of the vulnerability. Instead, Azdoufal said the app was his entry point into the research and that the backend was the issue.

He claimed the system used sequential user IDs and that information could allegedly be pulled from the API without an authentication token, session cookie or API key.

CCS Disputes Confirmed Leak Claims

Cannabis Club Systems has pushed back against reports suggesting that a public data leak has been confirmed.

In a statement, CCS said it was notified by an independent security researcher about vulnerabilities affecting components of the PuffPal platform.

The company said it launched an investigation, implemented remediation measures, brought in additional technical specialists and reviewed affected systems.

CCS said PuffPal and its associated backend services were temporarily suspended as a precaution.

The company also said the reported vulnerabilities had been remediated and that previously identified endpoints were no longer accessible.

Company Says Investigation is Ongoing

CCS stressed that a vulnerability and a confirmed public data leak are not the same thing.

The company said it has not found verified evidence that personal information was publicly leaked, published or distributed.

However, CCS said investigations into the historical extent of any unauthorised access are still ongoing.

The company said it has notified the Irish Data Protection Commission and is cooperating with relevant authorities as part of its review.

For now, the key distinction is this: a researcher has alleged that sensitive records may have been accessible, while CCS says it has fixed the vulnerabilities and has not verified a public leak.