Passwords of Two Million Marijuana Growers Exposed Online

GrowDiaries, a community of marijuana growers, suffered a data breach due to the use of a weak MD5 hashing function.


An online community named GrowDiaries, where marijuana growers can discuss their plants and engage with other farmers, suffered a data breach last month in which 2 million passwords were leaked online.


The breach happened because of the company’s oversight. It accidentally left two Kibana apps exposed on the internet without admin passwords.

Kibana apps are used for administrative purposes by the company’s IT and development teams. They allow users to manage databases through a single visual interface. Thus, it’s necessary to secure these apps to ensure the whole platform’s security.

In a report published on LinkedIn today, a security researcher named Bob Diachenko stated that GrowDiaries overlooked its security and left two Kibana apps unsecured. These apps had been left without a password since September 22, 2020.

He further said that these two apps allowed the hackers to access two sets of Elasticsearch databases: one had over 1.4 million user records, and the second included more than two million user data points.

The first dataset consisted of usernames, email addresses, and IP addresses, while the second dataset also exposed user blogs posted on the GrowDiaries site and users’ account passwords.

The passwords were hashed, but they were hashed using MD5, which is a weak and crackable hashing format.
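An added example, not GrowDiaries' code: it assumes the stored records were unsalted MD5 hex digests (the article does not say whether a salt was used) and shows that scheme beside a salted PBKDF2 record, with legacy records upgraded at the next successful login. The function names, record format and iteration count are hypothetical choices for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Assumed work factor for this example; raise it as hardware allows.
ITERATIONS = 600_000


def legacy_md5(password: str) -> str:
    """The weak scheme: a single fast MD5 pass with no salt, stored as hex."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes | None = None,
              iterations: int = ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256 record: 'pbkdf2$<iter>$<salt>$<digest>'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify_and_upgrade(password: str, stored: str) -> tuple[bool, str]:
    """Check a login attempt; return (ok, record to store from now on)."""
    if stored.startswith("pbkdf2$"):
        _, iterations, salt_hex, _ = stored.split("$")
        candidate = slow_hash(password, bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, stored), stored
    # Legacy record: upgrade on the first successful login, the only
    # moment the server sees the plaintext again.
    if hmac.compare_digest(legacy_md5(password), stored):
        return True, slow_hash(password)
    return False, stored


if __name__ == "__main__":
    pw = "constructed-sample-password"  # constructed sample input
    print(legacy_md5(pw) == legacy_md5(pw))  # identical record for every user
    print(slow_hash(pw) == slow_hash(pw))    # differs: random per-user salt
    ok, record = verify_and_upgrade(pw, legacy_md5(pw))
    print(ok, record.split("$")[:2])
```

Because the MD5 record depends only on the password, every account sharing a password shares a hash; the per-record salt and iteration count remove that property and make each guess far more expensive.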


Diachenko reported the unsecured Kibana apps to GrowDiaries on October 10, and the company secured the apps after 5 days.

This was bound to happen as hackers are on the lookout for vulnerabilities every second. There is no official word from any GrowDiaries personnel as of yet.

Users with GrowDiaries accounts are advised to change their passwords to make sure their accounts are safe in case their data was leaked in the breach.

Written by

Student at Harding University | Cyber Security Editor
