Cyber Security Specialist Alleges “GrowDiaries’ User Data Has Been Compromised

Volodymyr “Bob” Diachenko says on his linked in page

GrowDiaries, a community website where cannabis growers can journal and share updates about their plants, has exposed more than 3.4 million user records on the web without a password.

Firstly here’s his update on the orginal article

UPDATE: Shortly after publishing this report, I received comments from GrowDiaries and wanted to highlight as follow:

  • GrowDiaries is not a US-based company;
  • Total number of the exposed records do not represent the total number of unique users affected in the exposure. There is a lot of duplicates in the collections. As per company’s comment, GrowDiaries registered users count is around 30,000 ;
  • GrowDiaries never acknowledged the incident, but only replied to the initial alert.

Secondly here is the Grow Diaries website


Here is what he alleges…

GrowDiaries, a community website where cannabis growers can journal and share updates about their plants, has exposed more than 3.4 million user records on the web without a password.

I discovered the unprotected database on October 10, 2020. It consisted of about 1.4 million records with email addresses and IP addresses, plus 2 million records containing user posts and hashed account passwords. The passwords were hashed using MD5, a deprecated algorithm that an attacker could easily crack to access passwords in plain-text.

The IP addresses span a range of provinces and countries, in some of which marijuana is not legal.

GrowDiaries replied to the incident alert but did not respond to my request for comment as of time of writing.

Timeline of the exposure

No alt text provided for this image

GrowDiaries exposed two identical unsecured Kibana instances. Here’s what I know happened:

  • September 22, 2020: The database was indexed by search engine BinaryEdge
  • October 10, 2020: I discovered the database and immediately alerted GrowDiaries.
  • October 12, 2020: GrowDiaries responded to me asking for additional details.
  • October 15, 2020: The data was secured.

I do not know if any other third parties accessed the data while it was exposed, but it seems likely.

What data was exposed?

The database included two large indexes of user data.

No alt text provided for this image

The first, called “users”, consisted of 1,427,347 records containing:

  • Email address
  • IP address
  • Username

The second, called “reports”, included about two million records:

  • User posts including grow updates and questions and answers
  • MD5-hashed account password
  • Image URLs
  • Post timestamps
  • Email address
  • Username

The passwords are of particular concern. They were hashed (encrypted) with MD5, a deprecated algorithm with a number of known security flaws. If an attacker managed to access the data, they could easily crack the passwords.

No payment data was exposed.

Dangers of exposed data

Users of GrowDiaries could be at risk of a number of possible attacks and threats from this exposure.

The passwords, once cracked, could be used in credential stuffing attacks on users’ other accounts. Attackers will use an automated bot to try the same email and password combinations on other sites and apps. To avoid credential stuffing attacks, always use a unique password for every account.

Many users appear to be from locations where growing and using marijuana is not legal. They could face legal repercussions or possibly extortion if their growing activities come to light.

Lastly, GrowDiaries users should be on the lookout for targeted phishing attacks. Watch out for emails and messages from scammers posing as GrowDiaries or a related company. Never click on links or attachments in unsolicited emails and always verify the sender’s identity before responding.


No alt text provided for this image

GrowDiaries lets users track their cannabis growing progress and share updates with fellow users. Users can compare their grow to other users and previous cycles, get advice from fellow cultivators, and win prizes. A diary can include photos, text, and a variety of factors that go into cannabis cultivation. Typically, users post updates about their plants about once per week.

Although we aren’t certain how many users GrowDiaries has, it seems likely that all users were affected by this data incident. The GrowDiaries website claims that starting a diary is “100% anonymous and secure,” but this incident certainly suggests otherwise.

As far as I know, GrowDiaries has not been involved in any previous data incidents.

Why we reported this data incident

Our team works to scan the web for accessible databases that contain personal information. When we come across exposed data, we investigate the nature of the information as well as who is responsible for it. We also determine who might be affected as a result of the exposure and the potential impact.

Once we discover who the information belongs to, we immediately notify them of the leak so that the data can be secured. Finally, we report the data exposure in an article like this one to help inform readers about this particular exposure and raise awareness regarding data leaks in general. Our ultimate goal is to minimize the potential damage caused as a result of the exposure.

Let’s educate ourselves!

As we see a never-ending loop of these incidents, I have decided to offer a live educational session (webinar or offline workshop) for raising cyber security awareness within your organization, to prevent potential issues in the future. I use real world examples and promote that data security is important to every employee and at every level inside the organization.

It can be an online webinar session (estimated 1h long), with Q&A session or an offline meeting in your offices, live interaction with your team (workshop included).

Proposed content includes:

  • Description of tools and techniques we use to identify vulnerabilities, PII and sensitive data online: no hacking, just google-it.
  • How to ensure your data / your company’s data is not exposed to the public internet, security tips from professionals
  • Recommendations and best practice on main noSQL databases configurations and maintenance (MongoDB, CouchDB, Elasticsearch)
  • Case studies: analyzing related data appearance online
  • Live search for data and master class

Let’s educate your team!

Additional services include classic security audits (with OSINT monitoring), such as black/graybox penetration tests and vulnerability scans. Our team (based in Hamburg and Kyiv) will assess the overall network and cloud security including the network perimeter, devices residing on network segments and the Internet for potential vulnerabilities that could expose critical organizational systems and applications; customer information; organization information, and financial assets.


Primary Sponsor

Karma Koala Podcast

Top Marijuana Blog