Configuration snafu exposes passwords for two million marijuana growers

Passwords for GrowDiaries users were stored using the weak MD5 hashing function, putting customer accounts at risk of attacks.
Written by Catalin Cimpanu, Contributor

Screengrab of the GrowDiaries website

GrowDiaries, an online community where marijuana growers can blog about their plants and interact with other farmers, suffered a security breach in September 2020.

The breach occurred after the company left two Kibana instances exposed on the internet without any password protecting them.

Kibana is normally used by a company's IT and development staff: it gives programmers a web-based visual interface for querying, visualising, and managing the data held in Elasticsearch clusters.

Because Kibana can read back and display whatever the underlying Elasticsearch indices hold, an unauthenticated Kibana instance is effectively an unauthenticated database, so securing Kibana is just as important as securing the databases themselves.

But in a report published today on LinkedIn, Bob Diachenko, a security researcher known for discovering and reporting unsecured databases, said GrowDiaries failed to secure two of its Kibana instances, which appear to have been left exposed online without a password since September 22, 2020.

Diachenko says these two Kibana instances granted anyone who found them access to two Elasticsearch databases, one storing 1.4 million user records and the second holding more than two million user data points.

The first exposed usernames, email addresses, and IP addresses, while the second database also exposed user articles posted on the GrowDiaries site and users' account passwords.

While the passwords were stored in a hashed format, Diachenko said the format was MD5. MD5 is a fast general-purpose hash that was never designed for password storage: commodity GPUs can test billions of candidate passwords per second against it, so dictionary and brute-force attacks recover the cleartext of most real-world passwords quickly, and if no per-user salt is used, one pass over a wordlist cracks every account at once.
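To make the point concrete, here is an added example (not code from the article, from Diachenko, or from GrowDiaries) that runs a dictionary attack against a constructed table of unsalted MD5 password hashes, then shows the salted, deliberately slow storage that defeats the same attack. The usernames, passwords, and wordlist are all invented for the demo; nothing here is real leaked data.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed demo data (hypothetical users, not anything from the GrowDiaries
# breach): what a table of unsalted MD5 password hashes looks like to an attacker.
PLAINTEXTS = {
    "alice": "sunshine",
    "bob": "password1",
    "carol": "K7#vq!2pLm9zR",   # long random password: not in any wordlist
    "dave": "password1",        # same password as bob
}


def md5_hex(password: str) -> str:
    """Unsalted MD5: a single fast hash, no per-user salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


LEAKED_MD5_ROWS = {user: md5_hex(pw) for user, pw in PLAINTEXTS.items()}

# Tiny constructed wordlist standing in for a real one (a real attack would use
# tens of millions of previously leaked passwords plus mangling rules).
WORDLIST = ["123456", "password", "qwerty", "password1", "sunshine", "letmein"]


def crack_unsalted_md5(rows: dict, wordlist: list) -> dict:
    """Dictionary attack against unsalted fast hashes.

    Each candidate is hashed exactly once and looked up against every user at
    the same time, so cracking two million accounts costs about the same as
    cracking one. Users who share a password fall together.
    """
    lookup = {md5_hex(candidate): candidate for candidate in wordlist}
    return {user: lookup[h] for user, h in rows.items() if h in lookup}


# --- Hardened storage: per-user salt plus a deliberately slow KDF -----------
PBKDF2_ITERATIONS = 600_000  # OWASP's recommended minimum for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack_salted(rows: dict, wordlist: list) -> dict:
    """The same dictionary attack against salted, slow hashes.

    The salt forces a separate 600k-iteration computation for every
    (user, candidate) pair, so cost scales with users x wordlist instead of
    with the wordlist alone, and identical passwords no longer share a hash.
    """
    return {
        user: candidate
        for user, stored in rows.items()
        for candidate in wordlist
        if verify_password(candidate, stored)
    }


if __name__ == "__main__":
    cracked = crack_unsalted_md5(LEAKED_MD5_ROWS, WORDLIST)
    print("MD5 rows cracked with a 6-word list:", cracked)
    print("bob and dave share a hash:", LEAKED_MD5_ROWS["bob"] == LEAKED_MD5_ROWS["dave"])
    hardened = {u: hash_password(pw) for u, pw in PLAINTEXTS.items()}
    print("bob and dave still share a hash:", hardened["bob"] == hardened["dave"])
    print("verify works:", verify_password("sunshine", hardened["alice"]))
```

Three of the four constructed users fall to a six-word list in a single pass over the MD5 table, and the two users who picked the same password are visibly linked by their identical hash. With a random salt and a slow KDF, the same attack must be repeated per user, each guess costs hundreds of thousands of hash iterations, and identical passwords produce unrelated stored values.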

Image: Bob Diachenko

Diachenko said he reported the exposed Kibana instances to GrowDiaries on October 10, and the company secured its infrastructure five days later.

The Ukrainian security researcher said that while GrowDiaries did secure its servers, the company refused any further communication, so he was unable to determine whether anyone else had accessed the Elasticsearch databases and downloaded user data.

However, Diachenko said that such access was "likely", as he is certainly not the only one scanning the internet for accidentally exposed databases.

A GrowDiaries spokesperson did not return an additional request for comment from ZDNet before this article's publication.

GrowDiaries users are advised to change their passwords in case the data made it into someone else's hands. Because the passwords were stored as MD5 hashes, their old passwords should be treated as known to attackers, accounts are in danger of being hijacked, and anyone who reused the same password on other sites should change it there as well.
