The data of 2.5 million workers in the cannabis industry have been exposed after a tech company used by dispensaries leaked their information.
HR platform Würk, which is based in Colorado, is used by the cannabis industry for workforce management, industry compliance, and payroll data management.
Würk suffered a leak after it misconfigured a MongoDB database, leaving its data easily accessible to the public without a password.
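The combination the article describes, a MongoDB instance reachable from the internet with no authentication, comes from two settings in mongod.conf: `net.bindIp` (or `net.bindIpAll`) controlling which interfaces the server listens on, and `security.authorization`, which is disabled by default. The audit function below is an added example, not Würk's configuration or any code from the article; it takes a parsed mongod.conf as a Python dict (the sample configs are constructed) and reports the exposure/authentication combination it finds.

```python
"""Audit a parsed mongod.conf for the settings that make a deployment readable
by anyone who can reach the port.

Added example; the configuration dicts are constructed samples that mirror the
real mongod.conf YAML keys (net.bindIp, net.bindIpAll, security.authorization).
"""
from typing import Any, List

# Addresses that keep mongod reachable only from the host itself.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def _get(cfg: dict, *path: str, default: Any = None) -> Any:
    """Walk nested keys like _get(cfg, "net", "bindIp"); return default if absent."""
    node: Any = cfg
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def audit_mongod_config(cfg: dict) -> List[str]:
    """Return severity-prefixed findings; an empty list means loopback-only with auth on."""
    findings: List[str] = []

    # net.bindIp is a comma-separated string; mongod has defaulted to localhost since 3.6.
    bind_ip = str(_get(cfg, "net", "bindIp", default="127.0.0.1"))
    bind_all = bool(_get(cfg, "net", "bindIpAll", default=False))
    listeners = {addr.strip() for addr in bind_ip.split(",") if addr.strip()}
    exposed = bind_all or any(addr not in LOOPBACK for addr in listeners)

    # security.authorization defaults to "disabled": no username or password required.
    auth_enabled = _get(cfg, "security", "authorization", default="disabled") == "enabled"

    if exposed and not auth_enabled:
        findings.append(
            "CRITICAL: mongod listens on a non-loopback interface and "
            "security.authorization is not 'enabled'; every database is readable "
            "without a password by anyone who can reach the port."
        )
    elif not auth_enabled:
        findings.append(
            "MEDIUM: loopback-only, but any local process can read every database; "
            "set security.authorization: enabled and create a user with createUser."
        )
    elif exposed:
        findings.append(
            "INFO: authentication is enabled but the port is reachable from the network; "
            "confirm host firewall rules limit clients to the application tier."
        )
    return findings


# Constructed sample: the exposed pattern (wildcard bind, no security section).
LEAKY_CONFIG = {
    "storage": {"dbPath": "/var/lib/mongodb"},
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
}

# Constructed sample: corrected equivalent.
HARDENED_CONFIG = {
    "storage": {"dbPath": "/var/lib/mongodb"},
    "net": {"port": 27017, "bindIp": "127.0.0.1"},
    "security": {"authorization": "enabled"},
}

if __name__ == "__main__":
    for name, cfg in (("leaky", LEAKY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_mongod_config(cfg) or ["OK"])
```

The function works on a dict so it can be fed from any YAML loader; the point is that exposure is decided by two keys together, so a check that only looks at the bind address (or only at authorization) would pass configurations that still leak.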
The data included dates of birth, employment details such as start and finish dates, addresses, and payroll information for the employees of cannabis dispensaries.
Encrypted social security numbers were also leaked.
Given the sensitivity of the leaked data, the incident could pose a major threat to both the affected staff and the organisation going forward.
“This breach could enable threat actors to engage in identity theft, financial fraud, or targeted phishing attacks, posing serious risks to the affected employees’ personal and financial wellbeing,” said the cyber security researcher responsible for identifying the leak, Bob Diachenko.
It is currently unknown whether any of the leaked data has been used maliciously by threat actors.
As Diachenko has pointed out in the past, this is not the first time the cannabis industry has been dealt a cyber blow.
In late 2020, cannabis grow journal community site GrowDiaries mistakenly leaked over 3.4 million records belonging to its users.
“I discovered the unprotected database on October 10, 2020. It consisted of about 1.4 million records with email addresses and IP addresses, plus 2 million records containing user posts and hashed account passwords,” wrote Diachenko.
“The passwords were hashed using MD5, a deprecated algorithm that an attacker could easily crack to access passwords in plain text.
“The IP addresses span a range of provinces and countries, in some of which marijuana is not legal.
“GrowDiaries replied to the incident alert but did not respond to my request for comment as of time of writing.”
GrowDiaries never disclosed the breach officially but responded to the initial report.
Data in the first 1,427,347 records titled “users” includes user email addresses, usernames and IP addresses.
The second set, titled “reports” and containing roughly 2 million records, included usernames, email addresses, post timestamps, user posts (questions, answers and cannabis growth updates), image URLs, and MD5-hashed account passwords, which Diachenko said can be easily cracked.
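Both the GrowDiaries passage above and Diachenko's quote earlier turn on the same point: unsalted MD5 is a fast hash, so a leaked table of MD5 digests can be matched against precomputed lists, and two users with the same password get the same digest. The script below is an added example, not GrowDiaries' code or anything from the article. It triages a constructed set of user records (hypothetical usernames and passwords), flags which stored hashes are bare MD5 and which accounts share a digest, and shows the replacement a defender would migrate to: a per-user salted, memory-hard hash (scrypt from the standard library) with a rehash-on-login step.

```python
"""Triage legacy MD5 password hashes and migrate them to salted scrypt.

Added example; SAMPLE_RECORDS is constructed and not real leaked data.
"""
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional

# A bare MD5 digest is exactly 32 hex characters with no salt or scheme prefix.
MD5_HEX = re.compile(r"[0-9a-fA-F]{32}")

# scrypt cost parameters; 128 * N * r bytes of memory per hash (16 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def looks_like_unsalted_md5(stored: str) -> bool:
    return MD5_HEX.fullmatch(stored) is not None


def scrypt_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: scrypt$N$r$p$<salt hex>$<digest hex>."""
    salt = salt or os.urandom(16)  # fresh random salt per user
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_scrypt(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, digest_hex = parts
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


def triage_password_hashes(records: List[Dict[str, str]]) -> Dict[str, object]:
    """List accounts still on bare MD5 and groups of accounts sharing one digest."""
    needs_reset = [r["username"] for r in records if looks_like_unsalted_md5(r["password"])]
    by_digest: Dict[str, List[str]] = {}
    for r in records:
        if looks_like_unsalted_md5(r["password"]):
            by_digest.setdefault(r["password"].lower(), []).append(r["username"])
    shared = [users for users in by_digest.values() if len(users) > 1]
    return {"needs_reset": needs_reset, "shared_hash_groups": shared}


def migrate_on_login(record: Dict[str, str], password: str) -> bool:
    """Verify a login; if the stored hash is legacy MD5 and matches, replace it in place."""
    stored = record["password"]
    if looks_like_unsalted_md5(stored):
        candidate = hashlib.md5(password.encode("utf-8")).hexdigest()
        if not hmac.compare_digest(candidate, stored.lower()):
            return False
        record["password"] = scrypt_hash(password)  # upgrade transparently
        return True
    return verify_scrypt(password, stored)


# Constructed sample records; two users chose the same password.
SAMPLE_RECORDS = [
    {"username": "grower_a", "password": hashlib.md5(b"sunshine1").hexdigest()},
    {"username": "grower_b", "password": hashlib.md5(b"sunshine1").hexdigest()},
    {"username": "grower_c", "password": hashlib.md5(b"different-pass").hexdigest()},
    {"username": "grower_d", "password": scrypt_hash("sunshine1")},
]

if __name__ == "__main__":
    print(triage_password_hashes(SAMPLE_RECORDS))
```

The two MD5 rows for `sunshine1` are byte-for-byte identical, while `grower_d`'s scrypt row is not recognisable as that password without its own salt and a costly computation per guess; that difference is what "deprecated" means in practice for a password store, and the triage output is the list an operator would use to force resets.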