Cannabis growing community site exposes 3.4 million user rec

Blackie
some karma
Custom Title: my custom title
Posts: 7
Joined: Mon Dec 07, 2015 1:30 pm

Cannabis growing community site exposes 3.4 million user rec

Post by Blackie »

Cannabis growing community site exposes 3.4 million user records and passwords
Published on November 3, 2020
Volodymyr "Bob" Diachenko
Independent Cyber Security Consultant, Incident Response and Communications, Owner at SecurityDiscovery.com

Passwords, posts, and other data about 1.4 million users exposed without any protection.

GrowDiaries, a community website where cannabis growers can journal and share updates about their plants, has exposed more than 3.4 million user records on the web without a password.

I discovered the unprotected database on October 10, 2020. It consisted of about 1.4 million records with email addresses and IP addresses, plus 2 million records containing user posts and hashed account passwords. The passwords were hashed using MD5, a deprecated algorithm that an attacker could easily crack to access passwords in plain-text.

The IP addresses span a range of provinces and countries, in some of which marijuana is not legal.

GrowDiaries acknowledged the incident but did not respond to my request for comment as of time of writing.

Timeline of the exposure


GrowDiaries exposed two identical unsecured Kibana instances. Here’s what I know happened:

September 22, 2020: The database was indexed by search engine BinaryEdge
October 10, 2020: I discovered the database and immediately alerted GrowDiaries.
October 12, 2020: GrowDiaries responded to me asking for additional details.
October 15, 2020: The data was secured.

I do not know if any other third parties accessed the data while it was exposed, but it seems likely.

What data was exposed?

The database included two large indexes of user data.


The first, called “users”, consisted of 1,427,347 records containing:

Email address
IP address
Username

The second, called “reports”, included about two million records:

User posts including grow updates and questions and answers
MD5-hashed account password
Image URLs
Post timestamps
Email address
Username

The passwords are of particular concern. They were hashed (encrypted) with MD5, a deprecated algorithm with a number of known security flaws. If an attacker managed to access the data, they could easily crack the passwords.

No payment data was exposed.

Dangers of exposed data

Users of GrowDiaries could be at risk of a number of possible attacks and threats from this exposure.

The passwords, once cracked, could be used in credential stuffing attacks on users’ other accounts. Attackers will use an automated bot to try the same email and password combinations on other sites and apps. To avoid credential stuffing attacks, always use a unique password for every account.

Many users appear to be from locations where growing and using marijuana is not legal. They could face legal repercussions or possibly extortion if their growing activities come to light.

Lastly, GrowDiaries users should be on the lookout for targeted phishing attacks. Watch out for emails and messages from scammers posing as GrowDiaries or a related company. Never click on links or attachments in unsolicited emails and always verify the sender’s identity before responding.

About GrowDiaries.com


US-based GrowDiaries lets users track their cannabis growing progress and share updates with fellow users. Users can compare their grow to other users and previous cycles, get advice from fellow cultivators, and win prizes. A diary can include photos, text, and a variety of factors that go into cannabis cultivation. Typically, users post updates about their plants about once per week.

Although we aren’t certain how many users GrowDiaries has, it seems likely that all users were affected by this data incident. The GrowDiaries website claims that starting a diary is “100% anonymous and secure,” but this incident certainly suggests otherwise.

As far as I know, GrowDiaries has not been involved in any previous data incidents.

Why we reported this data incident

Our team works to scan the web for accessible databases that contain personal information. When we come across exposed data, we investigate the nature of the information as well as who is responsible for it. We also determine who might be affected as a result of the exposure and the potential impact.

Once we discover who the information belongs to, we immediately notify them of the leak so that the data can be secured. Finally, we report the data exposure in an article like this one to help inform readers about this particular exposure and raise awareness regarding data leaks in general. Our ultimate goal is to minimize the potential damage caused as a result of the exposure.

Let's educate ourselves!

As we see a never-ending loop of these incidents, I have decided to offer a live educational session (webinar or offline workshop) for raising cyber security awareness within your organization, to prevent potential issues in the future. I use real world examples and promote that data security is important to every employee and at every level inside the organization.

It can be an online webinar session (estimated 1h long), with Q&A session or an offline meeting in your offices, live interaction with your team (workshop included).

Proposed content includes:

Description of tools and techniques we use to identify vulnerabilities, PII and sensitive data online: no hacking, just google-it.
How to ensure your data / your company’s data is not exposed to the public internet, security tips from professionals
Recommendations and best practice on main noSQL databases configurations and maintenance (MongoDB, CouchDB, Elasticsearch)
Case studies: analyzing related data appearance online
Live search for data and master class

Let’s educate your team!

Additional services include classic security audits (with OSINT monitoring), such as black/graybox penetration tests and vulnerability scans. Our team (based in Hamburg and Kyiv) will assess the overall network and cloud security including the network perimeter, devices residing on network segments and the Internet for potential vulnerabilities that could expose critical organizational systems and applications; customer information; organization information, and financial assets.

Please feel free to send your requests to bob(at)securitydiscovery.com.
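The write-up above says the stored passwords were unsalted MD5 hashes that an attacker "could easily crack". The following Python example is added here to show the defender's side of that point; it is not part of Blackie's repost, Diachenko's article, or any GrowDiaries code. It shows why unsalted MD5 is a problem (two users with the same password get the same hash, so one lookup breaks both), a salted PBKDF2-HMAC-SHA256 replacement, and the usual migrate-on-login pattern that retires legacy MD5 rows the next time each user signs in. The storage format, iteration count and the sample users table are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

# Legacy scheme, as the write-up describes GrowDiaries' stored passwords: unsalted MD5 hex digest.
def legacy_md5(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Hardened scheme (assumed for this example): salted PBKDF2-HMAC-SHA256.
# Stored as "pbkdf2$<iterations>$<salt hex>$<digest hex>" so the parameters travel with the hash.
DEFAULT_ITERATIONS = 600_000

def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    salt = secrets.token_bytes(16)               # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"

def is_unsalted_md5(stored: str) -> bool:
    """Audit helper: a bare 32-hex-character value is what an unsalted MD5 row looks like."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower())

def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison against whichever scheme the stored value uses."""
    if stored.startswith("pbkdf2$"):
        _, iterations, salt_hex, digest_hex = stored.split("$")
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest.hex(), digest_hex)
    if is_unsalted_md5(stored):
        return hmac.compare_digest(legacy_md5(password), stored)
    return False                                 # unknown format: never accept

def login_and_upgrade(password: str, stored: str,
                      iterations: int = DEFAULT_ITERATIONS) -> tuple[bool, str]:
    """Check the login; on success against a legacy MD5 row, return a replacement PBKDF2
    entry for the caller to write back. The plaintext is only available at login time,
    so that is the only moment an unsalted hash can be migrated."""
    if not verify_password(password, stored):
        return False, stored
    if is_unsalted_md5(stored):
        return True, hash_password(password, iterations)
    return True, stored

def audit_legacy_hashes(table: dict[str, str]) -> list[str]:
    """Return the usernames whose stored credential is still an unsalted MD5 hash."""
    return sorted(user for user, stored in table.items() if is_unsalted_md5(stored))

# Constructed sample "users" table (not real data): two legacy rows sharing a password, one migrated row.
SAMPLE_USERS = {
    "alice": legacy_md5("password"),
    "bob": legacy_md5("password"),
    "carol": hash_password("correct horse battery staple", 100_000),
}

if __name__ == "__main__":
    print("alice and bob share an MD5 hash:", SAMPLE_USERS["alice"] == SAMPLE_USERS["bob"])
    ok, new_entry = login_and_upgrade("password", SAMPLE_USERS["alice"], 100_000)
    print("alice login ok:", ok, "migrated entry starts with:", new_entry[:13])
    print("still on MD5:", audit_legacy_hashes(SAMPLE_USERS))
```

The audit helper is the kind of check a site operator can run over a users table before an exposure happens; any row it lists is one a leaked dump would give up almost for free. Because `hash_password` salts every row, the two sample users with the same password end up with different stored values once migrated.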

Intrinsic
Advanced Grower
Karma Hippie
Has bestowed Karma : 1797 times
Received Karma : 1578 times
Posts: 7705
Joined: Thu May 21, 2009 10:51 am

Cannabis growing community site exposes 3.4 million user

Post by Intrinsic »

Howdy Blackie, thanks man. Although I'm going to critique.
Passwords, posts, and other data about 1.4 million users exposed without any protection

GrowDiaries, a community website where cannabis growers can journal and share updates about their plants, has exposed more than 3.4 million user records on the web without a password.
3.4 million is questionably high.

If someone got my password all they would get is PMs. Shouldn't be a noteworthy breach.

The problem isn't the hack. The problem is GrowDiaries holds an amazing amount of personal information, especially for an anonymous cannabis site. Here is what their site says they collect and share from their "privacy policy":
... we collect the following types of information from you:

Personal data: full name; phone number; shipping information; email address; any other information that you provide us, such as diaries, reviews, content, and bio.

We automatically collect information about how you use our services, for example, pages you have viewed. We also collect certain technical information about your device including your Internet protocol address, geo-location information, your browser type, language and identifying information, your operating system and application version, device types, device model and manufacturer, device identifiers, and your device operating system type and version.

Cookies and Tracking Technologies: We also use cookies, Web beacons, and URL information to gather information regarding the date and time of your visit and the information for which you searched and which you viewed. Cookies are small pieces of information that a website sends to your computer's hard drive while you are viewing a website. We may use both session cookies (which expire once you close your web browser) and persistent cookies (which usually stay on your computer until you delete them) to. We also use cookies for data analytics purposes, including from Google Analytics. We use Web beacons to manage cookies, count visits, and to learn what marketing works and what does not. We also use Web beacons to tell if you open or act on our emails

Jesús Malverde
Site Moderator
Karma Bhudda
Custom Title: Munchy Sock since OG lol
Has bestowed Karma : 71 times
Received Karma : 131 times
Posts: 2469
Joined: Fri May 27, 2011 6:59 pm

Cannabis growing community site exposes 3.4 million user

Post by Jesús Malverde »

Wow. Just wow. That "privacy policy" describes a LE honeypot operation more than it does a legit cannaboard.
One for the rook

One for the crow

One to rot

and one to grow

rSin
Karma Hippie
Custom Title: world where everone gets
Location: neck deep
Has bestowed Karma : 1668 times
Received Karma : 1063 times
Posts: 7295
Joined: Fri Mar 26, 2010 8:12 pm

Cannabis growing community site exposes 3.4 million user

Post by rSin »

Certain hackers would be laughing their heads off... Good thing I'm antisocial...
the intolerance of the old order is emerging from the rosy mist in which it has hitherto been obscured.

Jesús Malverde
Site Moderator
Karma Bhudda
Custom Title: Munchy Sock since OG lol
Has bestowed Karma : 71 times
Received Karma : 131 times
Posts: 2469
Joined: Fri May 27, 2011 6:59 pm

Cannabis growing community site exposes 3.4 million user

Post by Jesús Malverde »

Back when PG was still around late in the game Gad was always pushing social media tie-ins desperate for clicks/revenue, which struck me as a spectacularly bad idea from a user privacy perspective. I tried to convince him to set up the user gallery so that EXIF data would automatically be stripped from images (pretty standard shit really). He didn't like that idea either. Webmasters, owners and top-level admin in general don't GAF about user privacy at all, they want tie-ins, clicks, ad revenue, that shit's all they care about. We're lucky to have Smokes. If the site owner is doing it for money, the users' interests are the last thing they will be worrying about. Capitalists have no morals.
One for the rook

One for the crow

One to rot

and one to grow
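Jesús Malverde's post above mentions configuring a user gallery so that EXIF data is stripped from uploaded images automatically. The Python example below is added here to show what that means at the file level; it is not code from the forum, from any site discussed in the thread, or from a gallery product. It walks the marker segments of a JPEG, drops the APP1 (Exif/XMP, where GPS coordinates and camera serial numbers live) and APP13 (Photoshop/IPTC) segments, and copies everything else, including the compressed scan data, unchanged. The sample input is a constructed byte string with the JPEG segment layout but no decodable picture; a production upload pipeline would run an image library over real files, but the segment logic is the same.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
APP0, APP1, APP2, APP13 = 0xE0, 0xE1, 0xE2, 0xED
# Markers that carry no length field: TEM, SOI, EOI, RST0..RST7.
STANDALONE = {0x01, SOI, EOI, *range(0xD0, 0xD8)}
# Segments a gallery should not republish: APP1 (Exif incl. GPS and serial numbers; also XMP)
# and APP13 (Photoshop/IPTC). APP0 (JFIF) and APP2 (ICC profile) are needed to render
# the image faithfully and are kept.
DROP = {APP1, APP13}

def iter_segments(data: bytes):
    """Yield (marker, start, end) for each segment after SOI up to and including SOS.
    Parsing stops at SOS because the entropy-coded scan data that follows has no length."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    i = 2
    while i + 2 <= len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i}")
        marker = data[i + 1]
        if marker == 0xFF:                       # fill byte before a marker
            i += 1
            continue
        if marker in STANDALONE:
            yield marker, i, i + 2
            i += 2
            continue
        if i + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[i + 2:i + 4])   # length includes its own 2 bytes
        end = i + 2 + length
        if end > len(data):
            raise ValueError("segment runs past end of file")
        yield marker, i, end
        i = end
        if marker == SOS:
            return
    raise ValueError("no SOS segment found")

def has_exif(data: bytes) -> bool:
    """True if an APP1 segment carrying the Exif identifier is present."""
    return any(marker == APP1 and data[start + 4:start + 10] == b"Exif\x00\x00"
               for marker, start, _ in iter_segments(data))

def strip_jpeg_metadata(data: bytes) -> bytes:
    """Rebuild the file without APP1/APP13 segments; scan data and EOI are copied verbatim."""
    out = bytearray(b"\xff\xd8")
    scan_start = 2
    for marker, start, seg_end in iter_segments(data):
        if marker not in DROP:
            out += data[start:seg_end]
        scan_start = seg_end
    out += data[scan_start:]                     # everything after SOS: compressed scan + EOI
    return bytes(out)

def make_segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment; used only to construct the sample input below."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample (not a decodable image): JFIF header, a fake Exif block with a
# location-like string standing in for GPS tags, an IPTC block, a quantisation table,
# a start-of-scan header, a few bytes of "scan data", and EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + make_segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + make_segment(APP1, b"Exif\x00\x00II*\x00\x08\x00\x00\x00" + b"GPSLAT=51.5N;GPSLON=0.1W")
    + make_segment(APP13, b"Photoshop 3.0\x00")
    + make_segment(0xDB, b"\x00" + bytes(64))
    + make_segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56\x78"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print("exif before:", has_exif(SAMPLE_JPEG), "after:", has_exif(cleaned))
    print("bytes removed:", len(SAMPLE_JPEG) - len(cleaned))
```

Running `has_exif` over a gallery's existing files is also a cheap way to find out whether uploads made before the stripping was switched on are still carrying location data.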
