HomeTech PlusTECH & OTHER NEWSConfiguration snafu exposes passwords for two million marijuana growers

Configuration snafu exposes passwords for two million marijuana growers

growdiaries.png

Screengrab of the GrowDiaries website

GrowDiaries, an online community where marijuana growers can blog about their plants and interact with other farmers, has suffered a security breach in September this year.

The breach occurred after the company left two Kibana apps exposed on the internet without administrative passwords.

Kibana apps are normally used by a company’s IT and development staff, as the app allows programmers to manage Elasticsearch databases via a simple web-based visual interface.

Due to its native features, securing Kibana apps is just as important as securing the databases themselves.

But in a report published today on LinkedIn, Bob Diachenko, a security researcher known for discovering and reporting unsecured databases, said GrowDiaries failed to secure two of its Kibana apps, which appear to have been left exposed online without a password since September 22, 2020.

Diachenko says these two Kibana apps granted attackers access to two sets of Elasticsearch databases, with one storing 1.4 million user records and the second holding more than two million user data points.

The first exposed usernames, email addresses, and IP addresses, while the second database also exposed user articles posted on the GrowDiaries site and users’ account passwords.

While the passwords were stored in a hashed format, Diachenko said the format was MD5, a hashing function known to be insecure and crackable (allowing threat actors to determine the cleartext version of each password).

growdiaries-password.jpggrowdiaries-password.jpg
Image: Bob Diachenko

Diachenko said he reported the exposed Kibana apps to GrowDiaries on October 10, with the company securing its infrastructure five days later.

The Ukrainian security researcher said that while GrowDiaries did intervene to secure its server, the company refused other communications, so he was unable to determine if someone else accessed the company’s Elasticsearch databases to download user data.

However, Diachenko said that something like this happening was “likely” as he is certainly not the only one looking for accidentally exposed databases.

A GrowDiaries spokesperson did not return an additional request for comment from ZDNet before this article’s publication.

GrowDiaries users are advised to change their passwords, just in case the data made it into someone else’s hands. With the passwords stored in MD5 format, their old passwords are not secure, and accounts are in danger of getting hijacked.

By ZDNet Source Link

Technology For You
Technology For Youhttps://www.technologyforyou.org
Technology For You - One of the Leading Online TECHNOLOGY NEWS Media providing the Latest & Real-time news on Technology, Cyber Security, Smartphones/Gadgets, Apps, Startups, Careers, Tech Skills, Web Updates, Tech Industry News, Product Reviews and TechKnowledge...etc. Technology For You has always brought technology to the doorstep of the Industry through its exclusive content, updates, and expertise from industry leaders through its Online Tech News Website. Technology For You Provides Advertisers with a strong Digital Platform to reach lakhs of people in India as well as abroad.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

spot_img

CYBER SECURITY NEWS

TECH NEWS

TOP NEWS