1.4 million cannabis growers' login data exposed in community website

A total of 3.4 million exposed user records were discovered by cybersecurity researcher Volodymyr Bob Diachenko on October 10, 2020.

November 06, 2020 03:45 pm | Updated 03:45 pm IST

The IP addresses spanned a range of provinces and countries, in some of which marijuana is not legal.



GrowDiaries, a community website for cannabis growers, left the email addresses, passwords, IP address records and posts of 1.4 million cannabis growers exposed without password protection.

A total of 3.4 million exposed user records were discovered by cybersecurity researcher Volodymyr Bob Diachenko on October 10, 2020.

He found a database that included two large indexes of user data. The first had 1.4 million email ID and password records, and the second consisted of 2 million records with user posts and hashed account passwords.

According to Diachenko, the passwords were hashed using MD5, a deprecated algorithm that an attacker could easily crack to recover the passwords in plain text.

The IP addresses spanned a range of provinces and countries, in some of which marijuana is not legal.

“GrowDiaries acknowledged the incident but did not respond to my request for comment as of time of writing,” Diachenko said in a post.

After Diachenko reported the matter, GrowDiaries secured the data on October 15, but he does not know whether any third party accessed the data while it was exposed. He added that no payment data was exposed.

He said that users of GrowDiaries could be at risk of possible attacks and threats, as attackers will use an automated bot to try the same email and password combinations on other sites and apps.

Users in locations where growing and using marijuana is not legal could face legal repercussions or possibly extortion if their growing activities come to light.

The GrowDiaries website claims that starting a diary is “100% anonymous and secure,” and Diachenko said GrowDiaries has not been involved in any previous data incidents.
