Nevada's state government website has leaked the personal data on over 11,700 applicants for dispensing medical marijuana in the state.
Each application, eight pages in length, includes the person's full name, home address, citizenship, and even their weight and height, race, and eye and hair color. The applications also include the applicant's citizenship, their driving license number (where applicable), and social security number.
We left a number of voicemails of applicants prior to publication. One dispensary based in Las Vegas, who did not want to be named, confirmed after we posted that their records were accurate.
But it's not immediately clear how many years the applications date back.
Security researcher Justin Shafer found the bug in the state's website portal, allowing anyone with the right web address to access and enumerate the thousands of applications.
Though the medical marijuana portal can be found with a crafted Google search query, we're not publishing the web address out of caution until the bug is fixed.
Martha Framsted, a spokesperson for Nevada's Dept. Health and Human Services, which runs the medical marijuana application program, told ZDNet that the website has been pulled offline to limit the vulnerability.
The leaked data was a "portion" of one of several databases, said Framsted.
The state government will be notifying applicants in the next few days of the leak in line with state law, she added.
Nevada was one of the first states to legalize medical uses of marijuana during the 2000 election, but uses were limited to patients with cancer, HIV and AIDS, as well as chronic conditions, such as glaucoma and severe pain, and had a valid doctor's note.
The state most recently voted to legalize recreational use of the drug.