The target: GrowDiaries, an online community for marijuana growers.
The take: 2 million user records including: usernames, email address, IP addresses, user posted articles, and user account passwords.
The attack vector: The breach occurred because of a credential management and best practice failure . The site failed to secure its database management application, Kibana, which was left exposed online with no password protection, allowing anyone with an internet connection to access the site. Furthermore, passwords stored in one of the databased were encrypted with weak format known as MD5, which is insecure and can be easily cracked.
Management applications which grant access to user data should always be secured with commensurate levels of security protection. In addition to securing all access points, protection of data ‘at rest’ should include rigorous controls around password tables including hashing, salting, and strong encryption to ensure that if a breach does occur, the damage to clients is mitigated as much as possible.