Weak Hash Exposes Millions of Passwords on Cannabis Site

A community website for cannabis growers has unwittingly exposed over 3.4 million user records, including information on individuals from countries where the plant is illegal, according to researchers.

Bob Diachenko discovered the unprotected database on October 10, although it was indexed by the BinaryEdge search engine on September 22. It belonged to GrowDiaries, a site which allows users to share updates on their cannabis plants.

The database contained two large indexes of user data related to Kibana, a data visualization tool commonly used alongside Elasticsearch.

The first trove, titled “users,” contained around 1.4 million records including email, IP address and username, whilst the second, named “reports,” featured around two million records including emails, usernames, user posts, image URLs and MD5-hashed account passwords.

Crucially, MD5 could have been easily cracked by attackers to view those credentials in plain text, Diachenko argued.

This would put the 1.4 million unique users at risk of credential stuffing attacks if they share these passwords across multiple other sites, assuming an attacker had accessed this data.

“Many users appear to be from locations where growing and using marijuana is not legal. They could face legal repercussions or possibly extortion if their growing activities come to light,” Diachenko continued.

“Lastly, GrowDiaries users should be on the lookout for targeted phishing attacks. Watch out for emails and messages from scammers posing as GrowDiaries or a related company. Never click on links or attachments in unsolicited emails and always verify the sender’s identity before responding.”

After providing additional details to the firm on October 12, GrowDiaries finally took action to secure the data three days later. Diachenko claimed that, although it wasn’t clear whether any other third parties had accessed the data during that time, “it seems likely.”

The firm’s assertion on its website that starting a diary is “100% anonymous and secure,” would also seem to run counter to the reality of this incident.

What’s Hot on Infosecurity Magazine?