GrowDiaries, an online community of marijuana growers, has suffered a major data breach.
Security researcher Bob Diachenko reported that GrowDiaries had left two of its Kibana apps exposed online without administrative passwords since September 22, 2020. Kibana is an open-source analytics and visualization platform normally used by a company’s development and IT staff.
One of the unsecured Kibana apps led to the exposure of sensitive information belonging to 1.4 million users of the site. Information exposed included passwords, email addresses, and IP addresses. The other database exposed user articles posted on the GrowDiaries site, as well as users’ account passwords.
Diachenko said he discovered the unprotected database on October 10.
“It consisted of about 1.4 million records with email addresses and IP addresses, plus 2 million records containing user posts and hashed account passwords,” he wrote. “The passwords were hashed using MD5, a deprecated algorithm that an attacker could easily crack to access passwords in plain-text.”
GrowDiaries secured its server less than a week after Diachenko notified site administrators of the issue. Although the site has been secured, GrowDiaries users are still urged to change their passwords in case their old passwords were exposed.
Diachenko said he couldn’t say for sure whether any other third parties accessed the data while it was unsecured, but it “seems likely.”