Diachenko says that GrowDiaries, an online community of cannabis growers, exposed more than 3.4 million user records on the web without a password.
Diachenko alleges that he discovered the unprotected database last month and it was secured five days after he alerted the company.
“It consisted of about 1.4 million records with email addresses and IP addresses, plus 2 million records containing user posts and hashed account passwords. The passwords were hashed using MD5, a deprecated algorithm that an attacker could easily crack to access passwords in plain-text,” he writes, adding that many of the users are based in countries where cannabis cultivation remains illegal.