GrowDiaries, a community of Marijuana growers suffered a data breach due to the use of a weak MD5 Hashing Function.
An Online community named GrowDiaries, where marijuana growers can discuss about their plants and engage with other farmers, suffered a data breach last month where 2 million passwords were leaked online.
The breach happened because of the company’s oversight. They accidentally left 2 Kibana apps unsecured on the internet without admin passwords.
Kibana apps are used for administrative purposes by the company’ IT and development teams. It allows users to manage databases through a single visual interface. Thus, it’s necessary to secure these apps to ensure the whole platform’s security
But in this report that was published on LinkedIn today, A security researcher named Bob Diachenko stated that, GrowDiaries overlooked it’s security and left two Kibana apps unsecured. These apps were left without a password since September 22, 2020.
He further said that these two apps allowed the hackers to access two sets of Elasticsearch databases, one had over 1.4 million user records and the second included more than two million user data points.
The first dataset consisted usernames, email addresses, and IP addresses, while the second set of database also exposed user blogs posted on the GrowDiaries site and users’ account passwords.
The passwords were hashed, but they were hashed using md5, which is a weak and crack-able hashing format.
Diachenko reported the unsecure Kibana apps to GrowDiaries on October 10, and the company secured the apps after 5 days
This was bound to happen as hackers are on the lookout for vulnerabilities every second. There is no official word from any GrowDiaries personnel as of yet.
Users with GrowDiaries accounts are recommended to change their passwords to make sure their accounts are safe in-case their data was leaked in the breach.