[BreachExchange] Configuration snafu exposes passwords for two million marijuana growers

[Destry Winant]

https://www.zdnet.com/index.php/category/10250/4/index.php/article/configuration-snafu-exposes-passwords-for-two-million-marijuana-growers/

GrowDiaries, an online community where marijuana growers can blog
about their plants and interact with other farmers, has suffered a
security breach in September this year.

The breach occurred after the company left two Kibana apps exposed on
the internet without administrative passwords.

Kibana apps are normally used by a company's IT and development staff,
as the app allows programmers to manage Elasticsearch databases via a
simple web-based visual interface.

Due to its native features, securing Kibana apps is just as important
as securing the databases themselves.

But in a report published today on LinkedIn, Bob Diachenko, a security
researcher known for discovering and reporting unsecured databases,
said GrowDiaries failed to secure two of its Kibana apps, which appear
to have been left exposed online without a password since September
22, 2020.

Diachenko says these two Kibana apps granted attackers access to two
sets of Elasticsearch databases, with one storing 1.4 million user
records and the second holding more than two million user data points.

The first exposed usernames, email addresses, and IP addresses, while
the second database also exposed user articles posted on the
GrowDiaries site and users' account passwords.

While the passwords were stored in a hashed format, Diachenko said the
format was MD5, a hashing function known to be insecure and crackable
(allowing threat actors to determine the cleartext version of each
password).

Image: Bob Diachenko

Diachenko said he reported the exposed Kibana apps to GrowDiaries on
October 10, with the company securing its infrastructure five days
later.

The Ukrainian security researcher said that while GrowDiaries did
intervene to secure its server, the company refused other
communications, so he was unable to determine if someone else accessed
the company's Elasticsearch databases to download user data.

However, Diachenko said that something like this happening was
"likely" as he is certainly not the only one looking for accidentally
exposed databases.

A GrowDiaries spokesperson did not return an additional request for
comment from ZDNet before this article's publication.

GrowDiaries users are advised to change their passwords, just in case
the data made it into someone else's hands. With the passwords stored
in MD5 format, their old passwords are not secure, and accounts are in
danger of getting hijacked.