GrowDiaries Exposes Emails, Passwords of 1.4M Cannabis Growers


Cannabis journaling platform GrowDiaries exposed more than 3.4 million user records online, many from countries where pot is illegal.

A database linked to GrowDiaries, an online community of cannabis growers, has exposed more than a million users’ email addresses, passwords, IP address records and posts.

GrowDiaries is a robust online community of cannabis growing enthusiasts from around the world, where they can share tips, tricks and pictures of their progress. On Oct. 10, researcher Volodymyr “Bob” Diachenko found a database linked to GrowDiaries with 1.4 million email and IP address records, along with an additional 2 million user posts, left accessible online.

These 2 million posts were protected by passwords, but Diachenko found GrowDiaries was hashing those passwords with MD5. MD5 is a fast general-purpose hash, not a password-hashing function: MD5 digests of common passwords can be recovered in seconds with a wordlist and off-the-shelf cracking tools, which leaves members vulnerable to malicious actors.
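To make the MD5 point concrete, the block below is an added example (written for this article, not GrowDiaries' code) that runs a dictionary attack against unsalted MD5 digests and contrasts it with a salted, deliberately slow PBKDF2 store. The user names, passwords and six-word list are constructed, and the assumption that the MD5 digests were unsalted is ours; the article only says MD5 was used.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Constructed sample data, not GrowDiaries records: a tiny wordlist standing in
# for the multi-gigabyte lists attackers really use, and four sample accounts.
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou", "dragon"]
SAMPLE_USERS = {
    "alice": "password",
    "bob": "letmein",
    "carol": "password",        # same password as alice
    "dave": "7mT!q2#vZp9wRk",    # strong, appears in no wordlist
}


def md5_hex(password: str) -> str:
    """Unsalted MD5 (that it was unsalted is an assumption, not stated by the article).

    MD5 is fast (billions of digests per second on one GPU) and, without a salt,
    the same password yields the same digest for every user on every site.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_unsalted(hashes: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Dictionary attack on unsalted digests.

    Hash each candidate once, then look every leaked digest up in the table.
    Work is proportional to the wordlist, not wordlist x users, and a
    precomputed table (or an online lookup service) removes even that.
    """
    table = {md5_hex(word): word for word in wordlist}
    return {h: table[h] for h in hashes if h in table}


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Salted, deliberately slow password hash (PBKDF2-HMAC-SHA256).

    600,000 iterations is OWASP's current recommendation for PBKDF2-SHA256;
    bcrypt, scrypt or Argon2id are the usual alternatives. Salt and parameters
    are stored with the digest so verification can recompute it.
    """
    salt = secrets.token_bytes(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme: {scheme}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex),
                             int(iterations), dklen=len(dk_hex) // 2)
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo() -> dict:
    """Leak both kinds of store and report what an attacker holding WORDLIST gets."""
    md5_store = {user: md5_hex(pw) for user, pw in SAMPLE_USERS.items()}
    cracked = crack_unsalted(set(md5_store.values()), WORDLIST)
    recovered = {user: cracked[h] for user, h in md5_store.items() if h in cracked}

    salted_store = {user: hash_password(pw) for user, pw in SAMPLE_USERS.items()}
    return {
        # Three of the four accounts fall to a six-word list in a single pass.
        "md5_recovered": recovered,
        # Unsalted: alice and carol visibly share a password. Salted: they do not.
        "md5_shared_digest": md5_store["alice"] == md5_store["carol"],
        "salted_shared_digest": salted_store["alice"] == salted_store["carol"],
        # Hash operations needed to test the whole wordlist against every account.
        "md5_hash_ops": len(WORDLIST),
        "salted_hash_ops": len(WORDLIST) * len(SAMPLE_USERS),
        "salted_login_ok": verify_password("password", salted_store["alice"]),
        "salted_login_wrong": verify_password("Password", salted_store["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The attacker's cost against the salted store is the slow hash times the wordlist times the number of accounts, and each guess costs the same as a legitimate login; against unsalted MD5 it is one fast pass over the wordlist, or a lookup in a table someone else already built.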

Legal Repercussions of Data Breach

“I do not know if any other third parties accessed the data while it was exposed, but it seems likely,” Diachenko wrote.

He added that after he reported the exposure, GrowDiaries asked for additional details, and by Oct. 15 the data had been secured.

“Many users appear to be from locations where growing and using marijuana is not legal,” Diachenko wrote. “They could face legal repercussions or possibly extortion if their growing activities come to light.”

In Malaysia, selling drugs is punishable by death, and a possession conviction in jurisdictions including Dubai, Singapore, the Philippines and many others often carries a lengthy prison sentence.

What GrowDiaries Users Should Know

GrowDiaries has not responded to Threatpost's inquiries about the reported exposure; however, the site's FAQ section reassures users that their data will be protected on the platform.

“GrowDiaries is completely safe to use and store information on,” according to the GrowDiaries site. “We do not store or share any personal information. All meta data is erased.”

The company recommends using the Tor browser for added anonymity.

Diachenko said GrowDiaries members should watch for phishing attacks and change their password on any other site where they reused it, because the compromised credentials could be used in credential-"stuffing" attacks, in which, he explains, automated bots try stolen username-and-password pairs against other apps and sites in an attempt to break into them.

“Organizations have a responsibility for protecting their customers’ personally identifiable information, even if it’s just a username, email address, password, and other sensitive contact information,” James McQuiggan, from KnowBe4 told Threatpost. “Collecting data from users should be securely protected with current cryptography methods and limit open internet access.”

McQuiggan recommended that multi-factor authentication be a standard security precaution for companies like GrowDiaries.

Booming Market for Data Breaches

Recent headlines suggest the market for stolen data is booming. Just this week, 34 million user records showed up on the underground market, reportedly collected from 17 separate data breaches.

And even the biggest brands are having a hard time keeping their data secure. In late October, Home Depot Canada acknowledged that it exposed names, addresses, email addresses, order details and partial credit card information when it mistakenly sent order confirmations to hundreds of people.

UNC1945 is another threat group that has surfaced recently, making its name by targeting telecom and financial companies through a known Oracle flaw.

Magecart, the umbrella for groups behind large-scale payment-card skimming, claimed another victim this week, precious-metals dealer JM Bullion. Making matters worse, the company took months to notify customers.

While businesses and platforms large and small struggle to find ways to push back against the rising tide of cybersecurity threats, it remains critical for users to take charge of protecting their own data wherever possible, even in the stoner fantasy land of GrowDiaries journaling.

“Although we aren’t certain how many users GrowDiaries has, it seems likely that all users were affected by this data incident,” Diachenko wrote. “The GrowDiaries website claims that starting a diary is ‘100% anonymous and secure,’ but this incident certainly suggests otherwise.”
