An online community of marijuana growers has suffered a major data breach after two related apps were made accessible online without administrative passwords.
GrowDiaries was founded to provide support and practical advice for cannabis growers, and members can remain anonymous, with only usernames visible on the site.
However, security researcher Bob Diachenko has revealed that sensitive information relating to 1.4 million users of the GrowDiaries site, including passwords, email addresses and IP addresses, has been exposed. The breach occurred after two Kibana apps – open source applications that are usually reserved for a company’s development teams and IT staff – had been left unsecured since September 22.
Although the exposed passwords were not stored in plain text, they were hashed using MD5. This method has been cracked previously, meaning attackers could still potentially reveal the passwords in plain-text form.
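For operators still holding MD5 password hashes, this added example (not from the article or from GrowDiaries) shows a way to protect existing records at once by wrapping each MD5 digest in salted scrypt, then upgrading to plain scrypt at the next successful login. The article does not say whether the hashes were salted; unsalted MD5, the `scheme$salt$hash` record format, the function names and the scrypt parameters are all assumptions.

```python
import hashlib, hmac, os

# scrypt cost parameters (assumed for this example; tune for your hardware)
N, R, P = 2**14, 8, 1

def legacy_md5(password: str) -> str:
    """The weak scheme assumed here: unsalted MD5, hex-encoded."""
    return hashlib.md5(password.encode()).hexdigest()

def _scrypt(secret: str, salt: bytes) -> bytes:
    return hashlib.scrypt(secret.encode(), salt=salt, n=N, r=R, p=P, dklen=32)

def wrap_legacy(md5_hex: str) -> str:
    """Harden a stored MD5 digest without knowing the password."""
    salt = os.urandom(16)
    return f"scrypt-md5${salt.hex()}${_scrypt(md5_hex, salt).hex()}"

def hash_new(password: str) -> str:
    """Target scheme: salted scrypt over the password itself."""
    salt = os.urandom(16)
    return f"scrypt${salt.hex()}${_scrypt(password, salt).hex()}"

def verify(password: str, stored: str) -> bool:
    scheme, salt_hex, dk_hex = stored.split("$")
    # Wrapped records were derived from the MD5 digest, not the password
    secret = legacy_md5(password) if scheme == "scrypt-md5" else password
    candidate = _scrypt(secret, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))

def login(users: dict, name: str, password: str) -> bool:
    """Verify, then drop the MD5 layer once the real password is seen."""
    if name not in users or not verify(password, users[name]):
        return False
    if users[name].startswith("scrypt-md5$"):
        users[name] = hash_new(password)
    return True

def migrate(table: dict) -> dict:
    """One-off pass over the whole credential table."""
    return {user: wrap_legacy(h) for user, h in table.items()}

# Constructed sample table: two users who chose the same password
LEGACY = {"alice": legacy_md5("correct horse"),
          "bob": legacy_md5("correct horse")}
```

After `migrate`, the original MD5 column should be deleted so that no fast, unsalted digest remains in the database or its backups.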
Budding criminal activity
Diachenko informed GrowDiaries of the breach and the online platform moved to secure its databases five days later. However, further communication has not been possible. It remains unclear if threat actors were able to obtain user information while it was exposed.
For members of the GrowDiaries community, it is important that passwords are changed as soon as possible. If not, cyberattackers could potentially use any ill-gotten credentials to attempt fraudulent activity.
They should also be extra vigilant against phishing activity, as threat actors could be preparing false emails in order to extract further information or install malware. One other concern stems from the fact that many GrowDiaries users appear to be based in countries where it is illegal to grow marijuana. Threat actors who have accessed data from the exposed GrowDiaries database could attempt to blackmail individuals by threatening to expose their activity.