Researcher Volodymyr “Bob” Diachenko reported a data breach linked to GrowDiaries with at least 1.4 million email and IP address records, along with 2 million user posts that are unsecured and accessible.
In his November 3 report, he claimed that private data including passwords, posts, email addresses, and IP addresses were exposed between September 22 and October 15.
The breach allegedly occurred after two open-source application Kibana apps, which are usually reserved for developers were left open.
GrowDiaries cannabis community outed
GrowDiaries is an online community and journaling platform designed to support and advise marijuana growers. The platform has a large and strong membership mainly cannabis growers and enthusiasts around the world. The chat and journaling features allow them to share photos, tips, and advice to their diverse user group.
It’s important to note that many members on the site are from countries where pot is illegal. Identities are supposed to be anonymous, with only usernames visible on the site.
The open database exposed encrypted passwords but the encryption tool used was the MD5 hash generator. This encryption method provides very little security and has been cracked on many sites previously. Attackers could still reveal the GrowDiaries’ passwords in plain-text.
“I do not know if any other third parties accessed the data while it was exposed, but it seems likely,” Diachenko wrote.
After reporting the vulnerability, GrowDiaries asked for additional details and by Oct. 15, the data has been secured, he added.
For the GrowDiaries community, passwords must be changed as soon as possible. If not, attackers could potentially use any stolen credentials to attempt fraudulent activity or blackmail.
For example, in Malaysia, selling drugs is punishable by death and a simple possession conviction could mean a lengthy prison sentence. In countries including Dubai, Thailand, Singapore, and the Philippines growers and users could be in prison for many years.
GrowDiaries says site data is secure
A representative from GrowDiaries disputed Diachenko’s report in an email, asserting that the company “never acknowledged the incident” and that the data that was allegedly compromised was only test data.
GrowDiaries also said it is based outside of the United States, and only has about 30,000 accounts. It reassured users that their data will be protected on the platform.
“GrowDiaries is completely safe to use and store information on,” according to the FAQ section on site. “We do not store or share any personal information. All metadata is erased.”
The Magecart hacker group, which commits payment skimming scams, allegedly attacked precious-metals dealer JM Bullion. And the company is still answering questions about why it took months to notify customers.
Have a story you want USA Herald to cover? Submit a tip here and if we think it’s newsworthy, we’ll follow up on it.
Want to contribute a story? We also accept article submissions – check out our writer’s guidelines here.