Weak Hash Exposes Millions of Passwords on Cannabis Site

  • A community website for cannabis growers has unwittingly exposed about 3.4 million user records, including information on individuals from countries where the plant is illegal, according to researchers.

    Bob Diachenko discovered the unprotected database on October 10, although it had already been indexed by the BinaryEdge search engine on September 22. It belonged to GrowDiaries, a site that lets users share updates on their cannabis crops.

    The database contained two large indexes of user details connected to Kibana, a data visualization tool typically used alongside Elasticsearch.

    The first trove, titled “users,” contained about 1.4 million records with email addresses, IP addresses and usernames, while the second, named “reports,” held around two million records including emails, usernames, user posts, image URLs and MD5-hashed account passwords.

    Crucially, MD5 could have been cracked quickly by attackers to recover those credentials in plain text, Diachenko argued.

    Assuming an attacker had accessed this data, it would put the 1.4 million unique users at risk of credential stuffing attacks if they reuse those passwords across other websites.
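The remediation a site in this position needs is to stop storing bare MD5 and migrate existing accounts without forcing a reset. The following is an added example, not GrowDiaries code: a login routine that still verifies a legacy unsalted MD5 record (as found in the leak) but, on a successful login, transparently re-hashes the password with salted PBKDF2-HMAC-SHA256 from the Python standard library. The user record and the password "growlog2020" are constructed for the example, and the iteration count is an assumption to be tuned per deployment.

```python
import hashlib
import hmac
import secrets

# Constructed legacy record: a bare, unsalted MD5 digest, the format the leaked
# "reports" index stored. The account and password are hypothetical.
LEGACY_USERS = {"alice": hashlib.md5(b"growlog2020").hexdigest()}

PBKDF2_ITERATIONS = 600_000  # assumption: tune so one hash costs ~100 ms on your hardware
MODERN_PREFIX = "pbkdf2_sha256$"


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored string records algorithm, cost, salt and digest."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{MODERN_PREFIX}{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Accept both record formats; compare in constant time in either case."""
    if stored.startswith(MODERN_PREFIX):
        _, iters, salt_hex, digest_hex = stored.split("$")
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(digest.hex(), digest_hex)
    if len(stored) == 32:  # legacy: 32 hex chars of unsalted MD5
        return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)
    return False


def is_legacy(users: dict, username: str) -> bool:
    """True while the account still carries an MD5-only record."""
    return not users[username].startswith(MODERN_PREFIX)


def login(users: dict, username: str, password: str) -> bool:
    """Check credentials; on success, upgrade a legacy MD5 record in place."""
    stored = users.get(username)
    if stored is None or not verify_password(stored, password):
        return False
    if not stored.startswith(MODERN_PREFIX):
        users[username] = hash_password(password)  # the plaintext is only available now
    return True
```

Accounts that never log in keep their MD5 record, so the migration should be paired with a deadline after which unconverted accounts are forced through a password reset.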

    “Many users appear to be from places where growing and using marijuana is not legal. They could face legal repercussions or even extortion if their growing activities come to light,” Diachenko continued.

    “Lastly, GrowDiaries users should be on the lookout for targeted phishing attacks. Watch out for emails and messages from scammers posing as GrowDiaries or a similar company. Never click on links or attachments in unsolicited emails and always verify the sender’s identity before responding.”

    After providing more information to the company on October 12, GrowDiaries finally took action to secure the data three days later. Diachenko said that, although it wasn’t clear whether any other third parties had accessed the data during that time, “it seems likely.”

    The company’s statement on its website that starting a diary is “100% anonymous and safe” would also appear to run counter to the reality of this incident.