A community site for cannabis growers has unwittingly exposed more than 3.4 million user records, including information on individuals from countries where the plant is illegal, according to researchers.
Bob Diachenko found the unprotected database on October 10, although it had already been indexed by the BinaryEdge search engine on September 22. It belonged to GrowDiaries, a website which allows users to share updates on their cannabis plants.
The database contained two large indexes of user data linked to Kibana, a data visualization tool commonly used alongside Elasticsearch.
The first index, titled “users,” contained around 1.4 million records including email addresses, IP addresses and usernames, while the second, named “reports,” held around two million records including email addresses, usernames, user posts, image URLs and MD5-hashed account passwords.
Crucially, MD5 is a fast, long-deprecated hash function that attackers could have cracked with little effort to recover those passwords in plain text, Diachenko argued.
That would put the 1.4 million unique users at risk of credential stuffing attacks if they reuse the same passwords on other websites, assuming an attacker had accessed the data.
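To illustrate why an MD5 password hash offers little protection once a database leaks, here is an added example in Python. It is not code from the original report or from GrowDiaries: the usernames, passwords and the miniature wordlist are constructed for the demonstration, and the PBKDF2 parameters are this example's own choice of a hardened alternative, not a description of how GrowDiaries stores passwords.

```python
"""Added example: dictionary attack on unsalted MD5 password hashes, beside a
salted, deliberately slow alternative built from the Python standard library."""
import hashlib
import hmac
import os

# Constructed sample: hashes as a leaked "reports"-style index might hold them,
# i.e. the hex MD5 digest of the plaintext password with no per-user salt.
# The usernames and passwords are made up for this example.
LEAKED_MD5 = {
    "alice": hashlib.md5(b"password1").hexdigest(),
    "bob": hashlib.md5(b"sunshine").hexdigest(),
    "carol": hashlib.md5(b"T7#kq9!Zr2@m").hexdigest(),  # strong; not in the wordlist
}

# Constructed miniature wordlist standing in for a real breach-derived list.
WORDLIST = ["123456", "password", "password1", "qwerty", "sunshine", "letmein"]


def crack_md5(hashes, wordlist):
    """Recover plaintexts for any leaked hash whose password is in the wordlist.

    MD5 is designed to be fast, and with no salt every candidate word needs to
    be hashed only once and compared against every leaked hash at the same
    time. That is what makes a real attack, which runs billions of candidates
    per second on a GPU, cheap. Returns {username: plaintext} for each hit.
    """
    lookup = {hashlib.md5(word.encode()).hexdigest(): word for word in wordlist}
    return {user: lookup[h] for user, h in hashes.items() if h in lookup}


# Hardened alternative: random per-user salt plus a slow key derivation
# function. 600,000 iterations of PBKDF2-HMAC-SHA256 is the OWASP-recommended
# minimum at the time of writing; a dedicated library (argon2, bcrypt) is
# preferable where available.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh 16-byte salt is drawn unless supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the digest for the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # The two weak passwords fall to a six-word list; the strong one survives.
    print("cracked:", crack_md5(LEAKED_MD5, WORDLIST))
    # The same password hashed twice yields different digests because of the salt,
    # so a wordlist has to be re-hashed per user, and each hash is slow.
    s1, d1 = hash_password("password1")
    s2, d2 = hash_password("password1")
    print("same digest twice?", d1 == d2)
    print("verifies:", verify_password("password1", s1, d1))
```

The point of the pairing is the asymmetry: the unsalted MD5 lookup recovers every weak password in one pass over the wordlist, whereas the salted PBKDF2 store forces the attacker to repeat a deliberately expensive computation for every user and every candidate.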
“Many users appear to be from places where growing and using marijuana is not legal. They could face legal repercussions or possibly extortion if their growing activities come to light,” Diachenko continued.
“Lastly, GrowDiaries users should be on the lookout for targeted phishing attacks. Watch out for emails and messages from scammers posing as GrowDiaries or a related company. Never click on links or attachments in unsolicited emails and always verify the sender’s identity before responding.”
After Diachenko provided additional details to the company on October 12, GrowDiaries finally took action to secure the data three days later. He said that, although it was not clear whether any other third parties had accessed the data during that time, “it seems likely.”
The firm’s statement on its website that starting a diary is “100% anonymous and secure” would also appear to run counter to the reality of this incident.