Massive Data Breach Hits Millions of Cannabis Growers

GrowDiaries, a community platform for legal cannabis growers that allows them to track their production, became the latest victim of a data breach.

GrowDiaries started as a place that allows its users to do "detailed tracking of cannabis cultivation practices". It offers tracking tools and a digital journal as well. The company's own website states that GrowDiaries is "completely safe to use and store information on".

However, security researcher Volodymyr Diachenko discovered a GrowDiaries database containing 1.4 million user records, including IP addresses and e-mails, as well as 2 million further records related to user posts on the platform and account passwords that were at least stored in hashed form.

Still, as Diachenko pointed out, the hashing method used was MD5, which is far from secure - there actually are free tools online that offer decryption of strings that were hashed using MD5, so obtaining the plain text passwords of users using the exposed records would be child's play for bad actors.

The IP addresses in the database also included many that originate from US states and other countries, where growing cannabis is not legal.

The reason why the databases were accessible is that GrowDiaries left two unsecured Kibana platform instances. After his discovery of the faulty Kibana instances, Diachenko immediately alerted GrowDiaries, who secured the leaky data five days later.

With no further comments on the incident from GrowDiaries, Diachenko has no hard evidence that other third parties illegally accessed the data but thinks this is likely. In case the data was indeed accessed and portions of it stolen, this could spell a lot of trouble for GrowDiaries users, depending on who got hold of it and what they chose to do with it.

Apart from the very obvious password stuffing venue that bad actors might take with the decrypted passwords, there is the much worse possibility of extortion. With so many GrowDiaries users in countries where growing marijuana is illegal, they could be facing with very serious extortion threats that might have real legal consequences if bad actors follow through on any possible threats.

Sadly, this is another instance where no matter how secure and complex your password is, the fact that the service is storing it in a poorly encrypted format cancels out all your efforts to stay safe.

By Zaib
November 6, 2020
Computer Security
English
November 6, 2020
Computer Security

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Microsoft Warns State-Backed Threat Actors Are Using AI in...

4 days ago

Trojan Al11 Malware Detection & Removal - An Essential...

11 months ago

Pinaview is a Fully-Featured Adware App

10 months ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

7 months ago

What is Lucky Ransomware?

7 months ago

Related Posts

Computer Security

Millions of People in India Might Have Suffered a Breach of Their Medical Data

According to a news report published by TechCrunch, Dr. Lal PathLabs, a Delhi-based healthcare provider and medical testing laboratory, left a gaping hole in its database for months. A publicly accessible database was... Read more

October 21, 2020
News

A Data Breach at Adidas' Online Shop Hits Millions

Large sporting events like the FIFA World Cup are very important for sports apparel manufacturers. With millions of eyeballs focused on people wearing their products, the attention paid to the brand is enormous. Last... Read more

July 5, 2018
Computer Security

Personal Data of 186,000 Australians Leaked In Service NSW Data Breach

A close-up review of a security breach that took place back in May 2020 revealed that hackers got access to the data of 186,000 Australian citizens. The attack targeted the email accounts of nearly 50 staff members of... Read more

September 23, 2020
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.