from the busted dept.
GrowDiaries Exposes Emails, Passwords of 1.4M Cannabis Growers:
A database linked to GrowDiaries, an online community of cannabis growers, has exposed more than a million users' email addresses, passwords, IP address records and posts.
GrowDiaries is a robust online community of cannabis growing enthusiasts from around the world, where they can share tips, tricks and pictures of their progress. On Oct. 10, researcher Volodymyr "Bob" Diachenko found a database linked to GrowDiaries with 1.4 million email and IP address records, along with an additional 2 million user posts, left accessible online.
These 2 million posts were protected by passwords, but Diachenko found GrowDiaries was using MD5 to hash out passwords, which is easily compromised and leaves members vulnerable to malicious actors, according to Diachenko.
Millions of marijuana growers hit in major data breach:
An online community of marijuana growers has suffered a major data breach after two related apps were made accessible online without administrative passwords.
GrowDiaries was founded to provide support and practical advice for cannabis growers, but identities can remain anonymous, with only usernames visible on the site.
However, security researcher Bob Diachenko has revealed that sensitive information relating to 1.4 million users of the GrowDiaries site, including passwords, email addresses and IP addresses, has been exposed. The breach occurred after two Kibana apps – open source applications that are usually reserved for a company's development teams and IT staff – were left unsecured since September 22.
Although the exposed passwords were encrypted, this was done using the MD5 hash generator. This method has been cracked previously, meaning attackers could still potentially reveal the passwords in plain-text form.
Cannabis growing community site exposes 3.4 million user records and passwords:
GrowDiaries, a community website where cannabis growers can journal and share updates about their plants, has exposed more than 3.4 million user records on the web without a password.
I discovered the unprotected database on October 10, 2020. It consisted of about 1.4 million records with email addresses and IP addresses, plus 2 million records containing user posts and hashed account passwords. The passwords were hashed using MD5, a deprecated algorithm that an attacker could easily crack to access passwords in plain-text.
The IP addresses span a range of provinces and countries, in some of which marijuana is not legal.
GrowDiaries acknowledged the incident but did not respond to my request for comment as of time of writing.