GrowDiaries exposes user records and passwords

Posted Nov 4, 2020 by Tim Sandle
GrowDiaries, a website for cannabis growers to write about and share their plants, exposed 3.4 million user records to the web without a password. This represents the latest data breach.
Medical research has shown cannabis oil can help ease chronic pain and conditions such as multiple sclerosis and epilepsy
The database belonging to GrowDiaries contained 1.4 million records with email and IP addresses, as well as 2 million records consisting of user posts and hashed account passwords. Although the database was secured about three weeks after it was indexed, it's possible that unauthorized users accessed the information.
Looking at the issue for Digital Journal is Rusty Carter, CPO of LogRhythm. Unsecured databases exposed on the public web are often specifically targeted, or they are found by automated attacks that seek out vulnerable data servers.
Carter says: "This is yet another incident where poor IT hygiene, like leaving a public cloud insecure, could result in a data breach. Businesses are increasingly moving information to the cloud for cost efficiency, increased flexibility, and improved accessibility; however, it is important to understand the gravity of what it means to move this type of information to the cloud and be prepared to use everything at your disposal to protect it."
In terms of the implications, Carter says: "GrowDiaries users are now vulnerable to a number of attacks and threats that could potentially reveal information, such as their email and IP address, username, and account passwords. This raises the risk of credential stuffing, which occurs when attackers leverage stolen passwords from one website for use across multiple different places since many people tend to reuse their credentials."
He looks at the reasons for these types of issues arising, noting: "Organizations collecting or storing private user information must ensure that data protection is of the utmost priority, and users must avoid reusing passwords and enable two-factor authentication when possible."
On this specific case, Carter notes: "While GrowDiaries secured the data after being notified, there are legal and financial ramifications to consider. For example, the California Consumer Privacy Act (CCPA) permits California residents to seek damages of up to $750 when their personal information is exposed in a data breach. California voters will decide today on whether or not to expand the current CCPA; this change would remove the current window of time for businesses to fix violations prior to financial penalties being issued and establish the Privacy Protection Agency to enforce consumer data privacy laws, among other key privacy-related initiatives."
In terms of a proactive response, Carter says: "Organizations should prioritize having advanced security tools in place that automate common investigation tasks and streamline remediation and response in order to halt a breach immediately and in real-time."