Article by Sam Riches, London Free Press
The passwords and private information of 1.4 million users of an online cannabis growing and journaling platform may have been exposed.
So alleges Volodymyr “Bob” Diachenko, an independent cybersecurity consultant, who posted a blog post about his findings on LinkedIn.
Diachenko says that GrowDiaries, an online community of cannabis growers, exposed more than 3.4 million user records on the web without a password.
Diachenko alleges that he discovered the unprotected database last month and it was secured five days after he alerted the company.
“It consisted of about 1.4 million records with email addresses and IP addresses, plus 2 million records containing user posts and hashed account passwords. The passwords were hashed using MD5, a deprecated algorithm that an attacker could easily crack to access passwords in plain-text,” he writes, adding that many of the users are based in countries where cannabis cultivation remains illegal.
In response to Diachenko, GrowDiaries clarified they are not based in the U.S., that the site has about 30,000 registered users, and that GrowDiaries never acknowledged the incident, but only replied to the alert.
In his blog post, Diachenko writes that he works with a team that scans the web for accessible databases that contain personal information.
“Once we discover who the information belongs to, we immediately notify them of the leak so that the data can be secured,” he writes. “We report the data exposure in an article like this one to help inform readers about this particular exposure and raise awareness regarding data leaks in general. Our ultimate goal is to minimize the potential damage caused as a result of the exposure.”
He recommends that users update their passwords and stay vigilant about targeted phishing attacks.