One million consumer records from GrowDiaries have been found online

Published Nov 17, 2020 10:00 a.m. ET

GrowDiaries, an online community of cannabis growers, may have exposed the personal information of over 3.4 million of its users. Passwords and private information on the online journaling platform could have been revealed. The exposure came to light thanks to Bob Diachenko, an independent cybersecurity consultant.

What did he discover?

Diachenko recently discovered an unprotected database. Interestingly, after he alerted the company, the site was secured immediately. The cannabis website database contained 1.4 million records with IP addresses and email addresses. Included in the find were hashed account passwords and other posts. Many of the accounts belonged to users based in countries where cannabis remains illegal.

Many users could face repercussions or even extortion if what they were growing were to come to light. Passwords protected well over two million posts. However, GrowDiaries used MD5 to hash the passwords. MD5 password hashes are very easily cracked, which leaves the members extremely vulnerable to malicious attacks. There is a high likelihood that other third parties have already accessed the exposed data, according to Diachenko's discoveries.

Company response

GrowDiaries clarified in response to Diachenko that the company was not based in the United States. The site has over 30,000 registered users, and the company, GrowDiaries, has never acknowledged the incident, despite the fact that it replied to the alert.

The job

Diachenko works with a team that scans the web for databases that are accessible and contain personal information. When he and his colleagues discover who the information belongs to, they immediately notify the owner so the data can be secured. His team reports incidents like this to promote awareness of data leaks. The ultimate goal is to help ensure potential damage caused by a breach is kept to a minimum.


He warns people to keep an eye out for messages or emails from scammers who pose as GrowDiaries employees. He recommends that users update their passwords and remain vigilant about targeted phishing attacks. As identified by Experian, a consumer credit reporting company, marijuana websites are prime targets for cyberattacks.

What is GrowDiaries?

In this online community, marijuana growing enthusiasts from around the world can share tricks and tips accompanied by pictures of how participants' plants are doing. GrowDiaries has not responded to the breach, but the site is assuring users that their personal data is protected. The site states that it does not store or share any personal information. The site also claims that all metadata is erased. For added anonymity and security, the company is now suggesting that users use the Tor browser.

Final thoughts

The market for stolen data is growing, according to recently published headlines. Recently 34 million user records appeared on the underground market. Reportedly the records were collected from seventeen separate data breaches. The cannabis space is not the only industry that is experiencing trouble with keeping data secure. Home Depot recently acknowledged that it had exposed email, addresses, and other details. Businesses large and small in the cannabis space and other markets must find ways to push back against cybersecurity threats. Users also need to take charge of protecting their own data whenever possible.
