Did this cannabis site expose the records of more than a million users?


The passwords and private information of 1.4 million users in an online cannabis growing and journaling platform may have been exposed.

So alleges Volodymyr “Bob” Diachenko, an independent cybersecurity consultant, who posted a blog about his findings on LinkedIn.


Diachenko says that GrowDiaries, an online community of cannabis growers, exposed more than 3.4 million user records on the web without a password.

Diachenko alleges that he discovered the unprotected database last month and that it was secured five days after he alerted the company.

“It consisted of about 1.4 million records with email addresses and IP addresses, plus 2 million records containing user posts and hashed account passwords. The passwords were hashed using MD5, a deprecated algorithm that an attacker could easily crack to access passwords in plain-text,” he writes, adding that many of the users are based in countries where cannabis cultivation remains illegal.
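The point about MD5 deserves a concrete illustration. The script below is an added example, not code from Diachenko's post or from GrowDiaries: it builds a handful of constructed user records (the email addresses and passwords are made up for the demo) hashed with unsalted MD5, runs a small dictionary attack against them, and then repeats the attack against the same passwords stored with a per-user salt and an iterated hash (PBKDF2-HMAC-SHA256 from the Python standard library). It shows the two things that make an unsalted MD5 dump so cheap to attack: one lookup table serves every user, and users who share a password are visible as identical hashes before any cracking happens.

```python
"""Why unsalted MD5 password hashes crack easily, and what a sane scheme looks like.

Added example; the user records, passwords and wordlist below are constructed
for the demo and are not taken from the GrowDiaries data set.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed attacker wordlist (a real one would have many millions of entries).
WORDLIST = ["123456", "password", "qwerty", "letmein", "cannabis",
            "growdiaries", "sunshine", "dragon"]

# Work factor for the salted scheme; kept small so the demo runs in about a
# second. Production deployments should use a far higher count, or a
# memory-hard function such as Argon2id or scrypt.
PBKDF2_ITERATIONS = 100_000


def md5_hex(password: str) -> str:
    """Unsalted MD5, the scheme the leaked records reportedly used."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed "leaked" records in the exposed format: email -> unsalted MD5.
LEAKED_MD5 = {
    "alice@example.com": md5_hex("password"),
    "bob@example.com": md5_hex("cannabis"),
    "carol@example.com": md5_hex("password"),     # same password as alice
    "dave@example.com": md5_hex("Tr0ub4dor&3"),   # not in the wordlist
}


def crack_unsalted_md5(leaked: dict, wordlist: list) -> tuple:
    """Dictionary attack on unsalted hashes.

    One MD5 per wordlist entry builds a lookup table that is reused against
    every record, so the cost is len(wordlist) hashes for the whole dump.
    Returns (email -> recovered password or None, number of hashes computed).
    """
    table = {md5_hex(word): word for word in wordlist}
    hashes_computed = len(table)
    found = {email: table.get(h) for email, h in leaked.items()}
    return found, hashes_computed


def pbkdf2_record(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash stored as '<salt hex>$<derived key hex>'."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute the derived key under the stored salt and compare in constant time."""
    salt_hex, dk_hex = record.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_salted(leaked: dict, wordlist: list) -> tuple:
    """Same dictionary attack against salted PBKDF2 records.

    Each user's salt defeats the shared table: every candidate must be
    recomputed per user, and each computation costs PBKDF2_ITERATIONS HMACs
    instead of a single MD5. Weak passwords still fall; they just cost more.
    """
    found = {}
    hashes_computed = 0
    for email, record in leaked.items():
        found[email] = None
        for word in wordlist:
            hashes_computed += 1
            if verify_pbkdf2(word, record):
                found[email] = word
                break
    return found, hashes_computed


def demo() -> dict:
    """Run both attacks over the constructed records and summarise the outcome."""
    plaintexts = [("alice@example.com", "password"), ("bob@example.com", "cannabis"),
                  ("carol@example.com", "password"), ("dave@example.com", "Tr0ub4dor&3")]
    md5_found, md5_cost = crack_unsalted_md5(LEAKED_MD5, WORDLIST)
    salted = {email: pbkdf2_record(pw) for email, pw in plaintexts}
    salted_found, salted_cost = crack_salted(salted, WORDLIST)
    return {
        "md5_found": md5_found, "md5_cost": md5_cost,
        "salted_found": salted_found, "salted_cost": salted_cost,
        # Identical hashes reveal shared passwords without any cracking at all.
        "md5_duplicates_visible": LEAKED_MD5["alice@example.com"] == LEAKED_MD5["carol@example.com"],
        "salted_duplicates_visible": salted["alice@example.com"] == salted["carol@example.com"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it, the MD5 dump gives up three of the four passwords after eight hash computations total, and alice and carol are exposed as sharing a password before the attack even starts. The salted records still yield the weak passwords, but only after per-user recomputation at the configured work factor, and the two identical passwords produce unrelated records. That is the practical reason salting and a slow, iterated hash are the minimum expected of a site storing credentials; they do not rescue "password", but they stop one precomputed table from unlocking an entire user base.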

In its reply to Diachenko, GrowDiaries clarified that it is not based in the U.S. and that the site has about 30,000 registered users; the company did not acknowledge the incident itself, only that it had received the alert.

In his blog post, Diachenko writes that he works with a team that scans the web for accessible databases that contain personal information.

“Once we discover who the information belongs to, we immediately notify them of the leak so that the data can be secured,” he writes. “We report the data exposure in an article like this one to help inform readers about this particular exposure and raise awareness regarding data leaks in general. Our ultimate goal is to minimize the potential damage caused as a result of the exposure.”

He recommends that users update their passwords and stay vigilant about targeted phishing attacks.

“Watch out for emails and messages from scammers posing as GrowDiaries or a related company,” he writes. “Never click on links or attachments in unsolicited emails and always verify the sender’s identity before responding.”

A report published earlier this year by Experian, a consumer credit reporting company, identified cannabis websites as a prime target for cyberattacks.

“Many burgeoning companies, like cannabis retailers, may not fully invest in protective, cybersecurity measures as core parts of their business models due to competing priorities,” reads the report, titled Data Breach Industry Forecast. “While any retailer is always a target for cybercriminals, cannabis retailers present a bigger target due to the nature of their business.”

In 2018, an individual accessed the shipping information of approximately 4,500 orders from the Ontario Cannabis Store through a Canada Post delivery tracking tool.
