Cannabis growing community site exposes 3.4 million user records and passwords

TRADELABOR has more than 20 years of experience in the control and treatment of air, working with an experienced and qualified technical staff and with the most advanced technology in this area, which together guarantee the quality of the services provided.



GrowDiaries, a community website where cannabis growers can journal and share updates about their plants, has exposed more than 3.4 million user records on the web without a password.

I discovered the unprotected database on October 10, 2020. It consisted of about 1.4 million records with email addresses and IP addresses, plus 2 million records containing user posts and hashed account passwords. The passwords were hashed using MD5, a deprecated algorithm that an attacker could easily crack to access passwords in plain-text.

The IP addresses span a range of provinces and countries, in some of which marijuana is not legal.

GrowDiaries acknowledged the incident but did not respond to my request for comment as of time of writing.

Timeline of the exposure

No alt text provided for this image

GrowDiaries exposed two identical unsecured Kibana instances. Here’s what I know happened:

  • September 22, 2020: The database was indexed by search engine BinaryEdge
  • October 10, 2020: I discovered the database and immediately alerted GrowDiaries.
  • October 12, 2020: GrowDiaries responded to me asking for additional details.
  • October 15, 2020: The data was secured.

I do not know if any other third parties accessed the data while it was exposed, but it seems likely.

What data was exposed?

The database included two large indexes of user data.

No alt text provided for this image

The first, called “users”, consisted of 1,427,347 records containing:

  • Email address
  • IP address
  • Username

The second, called “reports”, included about two million records:

  • User posts including grow updates and questions and answers
  • MD5-hashed account password
  • Image URLs
  • Post timestamps
  • Email address
  • Username

The passwords are of particular concern. They were hashed (encrypted) with MD5, a deprecated algorithm with a number of known security flaws. If an attacker managed to access the data, they could easily crack the passwords.

No payment data was exposed.

Dangers of exposed data

Users of GrowDiaries could be at risk of a number of possible attacks and threats from this exposure.

The passwords, once cracked, could be used in credential stuffing attacks on users’ other accounts. Attackers will use an automated bot to try the same email and password combinations on other sites and apps. To avoid credential stuffing attacks, always use a unique password for every account.

Many users appear to be from locations where growing and using marijuana is not legal. They could face legal repercussions or possibly extortion if their growing activities come to light.

Lastly, GrowDiaries users should be on the lookout for targeted phishing attacks. Watch out for emails and messages from scammers posing as GrowDiaries or a related company. Never click on links or attachments in unsolicited emails and always verify the sender’s identity before responding.


No alt text provided for this image

US-based GrowDiaries lets users track their cannabis growing progress and share updates with fellow users. Users can compare their grow to other users and previous cycles, get advice from fellow cultivators, and win prizes. A diary can include photos, text, and a variety of factors that go into cannabis cultivation. Typically, users post updates about their plants about once per week.

Although we aren’t certain how many users GrowDiaries has, it seems likely that all users were affected by this data incident. The GrowDiaries website claims that starting a diary is “100% anonymous and secure,” but this incident certainly suggests otherwise.

As far as I know, GrowDiaries has not been involved in any previous data incidents.

Why we reported this data incident

Our team works to scan the web for accessible databases that contain personal information. When we come across exposed data, we investigate the nature of the information as well as who is responsible for it. We also determine who might be affected as a result of the exposure and the potential impact.

Once we discover who the information belongs to, we immediately notify them of the leak so that the data can be secured. Finally, we report the data exposure in an article like this one to help inform readers about this particular exposure and raise awareness regarding data leaks in general. Our ultimate goal is to minimize the potential damage caused as a result of the exposure.

Let’s educate ourselves!

As we see a never-ending loop of these incidents, I have decided to offer a live educational session (webinar or offline workshop) for raising cyber security awareness within your organization, to prevent potential issues in the future. I use real world examples and promote that data security is important to every employee and at every level inside the organization.


Continue at:

The text above is owned by the site above referred.

Here is only a small part of the article, for more please follow the link

Also see:


Manostaxx – Industrial Management Consulting

Leave a Reply

Your email address will not be published. Required fields are marked *