A security researcher has discovered an unprotected database owned by GrowDiaries, a website where cannabis growers talk about their plants. The number of exposed records exceeds 3.4 million.
Databases left open online are far more common than they should be. Some are found by security researchers, who report them to the owner; many other misconfigured databases are likely sitting exposed right now, with no one the wiser.
“I discovered the unprotected database on October 10, 2020,” said independent security researcher Volodymyr “Bob” Diachenko. “It consisted of about 1.4 million records with email addresses and IP addresses, plus 2 million records containing user posts and hashed account passwords. The passwords were hashed using MD5, a deprecated algorithm that an attacker could easily crack to access passwords in plain-text.”
As expected, the database holds information that is valuable on the dark web. Among it are IP addresses, and many of the users behind them appear to be in countries where cannabis is not legal.
More precisely, GrowDiaries exposed two Kibana instances with no authentication. Kibana is the web front end for Elasticsearch, so an open instance gives a visitor the same view of the underlying indices that an administrator would have. It is difficult to tell whether third parties accessed the data, but the researcher considers it likely. The only good news is that the instances were quickly taken offline.
Leaked data includes email addresses, IP addresses, usernames, user posts, MD5-hashed passwords, image URLs and post timestamps. The passwords are not in plain text, but MD5 is not encryption and not a password-hashing function: it is a fast general-purpose hash that a single GPU can run through a wordlist at billions of guesses per second, so hashing with it offers little protection once the hashes are exposed.
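To make the difference concrete, the following added example (written for this page, not code from the article or from GrowDiaries) runs the same dictionary attack against two ways of storing the same passwords. The user records and wordlist are constructed, not taken from the leak; the article does not say whether the MD5 hashes were salted, so the example assumes bare MD5, and it uses PBKDF2-HMAC-SHA256 with a deliberately lowered iteration count as a stand-in for a proper password hash.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for this example (not records from the leak):
# a few made-up users with weak passwords, plus one strong one.
SAMPLE_PASSWORDS = {
    "alice@example.test": "sunshine1",
    "bob@example.test": "password123",
    "carol@example.test": "sunshine1",  # reuses alice's password
    "dave@example.test": "Tr0ub4dor&3#long-unguessable",
}

# Tiny constructed wordlist standing in for the gigabyte-scale lists attackers use.
WORDLIST = ["123456", "password", "password123", "qwerty", "sunshine1", "letmein"]

# Assumed demo parameter for the salted hash. Real deployments use a far higher
# iteration count (or argon2/bcrypt/scrypt); it is lowered so the example runs
# in about a second.
PBKDF2_ITERATIONS = 100_000


def md5_store(passwords):
    """Store passwords the way the article describes: MD5 of the password.
    The article does not say whether salts were used; this assumes none."""
    return {email: hashlib.md5(pw.encode()).hexdigest() for email, pw in passwords.items()}


def shared_password_groups(store):
    """Unsalted hashes leak password reuse: equal passwords give equal digests.
    Returns sorted groups of users that share a digest."""
    by_digest = {}
    for email, digest in store.items():
        by_digest.setdefault(digest, []).append(email)
    return [sorted(emails) for emails in by_digest.values() if len(emails) > 1]


def crack_md5(store, wordlist):
    """Dictionary attack on unsalted MD5. Each candidate is hashed once and
    looked up against every user, so the cost is len(wordlist) cheap hashes no
    matter how many accounts leaked. Returns (cracked, hash_operations)."""
    by_digest = {}
    for email, digest in store.items():
        by_digest.setdefault(digest, []).append(email)
    cracked, ops = {}, 0
    for candidate in wordlist:
        ops += 1
        digest = hashlib.md5(candidate.encode()).hexdigest()
        for email in by_digest.get(digest, []):
            cracked[email] = candidate
    return cracked, ops


def slow_hash(password, salt):
    """Salted, deliberately slow password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def pbkdf2_store(passwords):
    """Each user gets a random 16-byte salt, so equal passwords no longer collide."""
    store = {}
    for email, pw in passwords.items():
        salt = secrets.token_bytes(16)
        store[email] = (salt, slow_hash(pw, salt))
    return store


def verify_pbkdf2(store, email, attempt):
    """Login check against the salted store, with a constant-time compare."""
    salt, digest = store[email]
    return hmac.compare_digest(slow_hash(attempt, salt), digest)


def crack_pbkdf2(store, wordlist):
    """Same dictionary attack against salted slow hashes. The salt forces one
    hash per (user, candidate) pair instead of one per candidate, and each hash
    costs PBKDF2_ITERATIONS times an MD5. Weak passwords still fall, but the
    attacker pays for every account separately and cannot precompute."""
    cracked, ops = {}, 0
    for email, (salt, digest) in store.items():
        for candidate in wordlist:
            ops += 1
            if hmac.compare_digest(slow_hash(candidate, salt), digest):
                cracked[email] = candidate
                break
    return cracked, ops


if __name__ == "__main__":
    md5 = md5_store(SAMPLE_PASSWORDS)
    cracked, ops = crack_md5(md5, WORDLIST)
    print("MD5:    cracked", len(cracked), "of", len(md5), "in", ops, "hash ops")
    print("MD5:    users sharing a password:", shared_password_groups(md5))
    salted = pbkdf2_store(SAMPLE_PASSWORDS)
    cracked, ops = crack_pbkdf2(salted, WORDLIST)
    print("PBKDF2: cracked", len(cracked), "of", len(salted), "in", ops,
          "hash ops, each", PBKDF2_ITERATIONS, "x the cost of an MD5")
```

The three weak passwords fall in both cases, which is the point of the credential-stuffing warning that follows: hashing does not rescue a guessable password. What the salted, slow hash changes is the economics. Against MD5 the attacker spends six cheap hashes to test the whole user table and can see at a glance which users share a password; against the salted store every account costs the full wordlist at roughly a hundred thousand times the work per guess, and the strong password is never exposed by anyone else's weak one.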
“The passwords, once cracked, could be used in credential stuffing attacks on users’ other accounts,” the researcher said. “Attackers will use an automated bot to try the same email and password combinations on other sites and apps. Many users appear to be from locations where growing and using marijuana is not legal. They could face legal repercussions or possibly extortion if their growing activities come to light.”
GrowDiaries users should change their password immediately and, wherever they reused the same email and password on another service, change it there too.