Massive Data Breach Hits Millions of Cannabis Growers
GrowDiaries, a community platform for legal cannabis growers that allows them to track their production, became the latest victim of a data breach.
GrowDiaries started as a place that allows its users to do "detailed tracking of cannabis cultivation practices". It offers tracking tools and a digital journal as well. The company's own website states that GrowDiaries is "completely safe to use and store information on".
However, security researcher Volodymyr Diachenko discovered an exposed GrowDiaries database containing 1.4 million user records, including IP addresses and e-mail addresses, as well as 2 million further records covering user posts on the platform and account passwords, which were at least stored in hashed form.
Still, as Diachenko pointed out, the hashes were MD5, which is far from adequate for password storage. MD5 is a fast, general-purpose hash rather than a password hashing function, and hashes are not "decrypted": free online lookup services and offline cracking tools simply hash billions of candidate passwords and match the results against the leaked digests. Recovering the plain-text passwords of users from the exposed records would therefore be child's play for bad actors.
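The following is an added example, not code from the article or from GrowDiaries, showing in working Python why unsalted MD5 falls to a single dictionary lookup and what a salted, memory-hard password hash (scrypt from the standard library) does to the attacker's cost. The record set, e-mail addresses and wordlist are constructed for illustration and are not the leaked data.

```python
import hashlib
import hmac
import os

# Constructed stand-in for an exposed record set: e-mail -> unsalted MD5 hex
# digest. Not real GrowDiaries data; the passwords are illustrative.
CONSTRUCTED_RECORDS = {
    "grower1@example.com": hashlib.md5(b"sunshine").hexdigest(),
    "grower2@example.com": hashlib.md5(b"letmein123").hexdigest(),
    "grower3@example.com": hashlib.md5(b"Tr0ub4dor&3").hexdigest(),
}

# Constructed mini wordlist standing in for rockyou.txt or an online MD5 lookup table.
WORDLIST = ["password", "123456", "sunshine", "letmein", "letmein123", "qwerty"]


def crack_md5(records, wordlist):
    """Unsalted, fast hash: build the lookup table once, then every account whose
    password is in the wordlist falls with a dictionary lookup. This is what the
    free online MD5 'decryptors' do at scale with precomputed tables."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {email: table[digest] for email, digest in records.items() if digest in table}


# scrypt cost parameters: roughly 16 MiB of memory per guess (128 * r * n bytes).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password, salt=None):
    """Proper password storage: a random per-user salt plus a memory-hard KDF.
    argon2id would be the first choice but is not in the standard library, so
    scrypt is used here. Parameters are encoded into the stored string so they
    can be raised later without breaking verification of older entries."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and parameters; compare in constant time."""
    scheme, n, r, p, salt_hex, key_hex = stored.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported scheme")
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(key.hex(), key_hex)


def crack_salted(stored_records, wordlist):
    """Against salted scrypt there is no shared table: every (user, candidate)
    pair costs one full KDF run. Returns what was found plus the number of KDF
    invocations, to make the cost difference to crack_md5 concrete."""
    found, kdf_calls = {}, 0
    for email, stored in stored_records.items():
        for candidate in wordlist:
            kdf_calls += 1
            if verify_password(candidate, stored):
                found[email] = candidate
                break
    return found, kdf_calls


if __name__ == "__main__":
    print("MD5, one table for all users:", crack_md5(CONSTRUCTED_RECORDS, WORDLIST))
    salted = {e: hash_password(pw) for e, pw in
              [("grower1@example.com", "sunshine"), ("grower3@example.com", "Tr0ub4dor&3")]}
    print("scrypt, per-user work:", crack_salted(salted, WORDLIST))
```

The point of `crack_salted` is the call counter: with MD5 the attacker hashes each wordlist entry once for the entire 1.4 million user table, whereas with a per-user salt the work multiplies by the number of users and each guess costs a memory-hard KDF run rather than a few nanoseconds.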
The IP addresses in the database also included many originating from US states and other countries where growing cannabis is not legal.
The databases were accessible because GrowDiaries left two Kibana instances unsecured and reachable from the internet. After discovering the exposed Kibana instances, Diachenko immediately alerted GrowDiaries, which secured the leaking data five days later.
With no further comment on the incident from GrowDiaries, Diachenko has no hard evidence that other third parties accessed the data, but considers it likely. If the data was indeed accessed and portions of it copied, this could spell a lot of trouble for GrowDiaries users, depending on who got hold of it and what they chose to do with it.
Apart from the obvious credential-stuffing avenue that bad actors might take with the cracked passwords, there is the much worse possibility of extortion. With so many GrowDiaries users in countries where growing marijuana is illegal, they could face very serious extortion threats with real legal consequences if bad actors follow through on them.
Sadly, this is another instance where no matter how strong and complex your password is, a service storing it with a weak hash cancels out much of your effort to stay safe.