Data on 30,000 Cannabis Users Exposed in Cloud Leak: How to Protect Your Privacy



Photo IDs, phone numbers and home addresses were among records found in a trove of data left online without password protection late last year, according to experts from vpnMentor. The team said the exposed file was stuffed with the details of at least 30,000 people.






The leaky cloud database was first discovered on December 24 last year, and finally closed on January 14 after being disclosed to the software company. In total, it had allegedly included more than 85,000 files.


"The leaked bucket contained so much data that it wasn't possible for us to examine all the records individually," the cyber investigators noted. "Instead, we looked through a handful of random entries to understand what types of data were exposed in the breach overall."


In the USA, a software company that developed an app for managing marijuana dispensary customer data left an S3 bucket open to the world, leaking data on 30,000 medical and recreational marijuana users.


An unsecured Amazon S3 bucket owned by cannabis retailer THSuite was found leaking the data of more than 30,000 individuals. Discovered by a vpnMentor research team during a large-scale web mapping project, the bucket exposed 85,000 files that included records with sensitive personally identifiable information (PII).


Out of the estimated 85,000 files that were leaked, over 30,000 were records with sensitive personally identifiable information (PII) that included scanned government and company IDs, medical/state ID numbers with expiration dates, and personal signatures. The exposed information also included dispensary inventory and sales information, employee names, and monthly sales reports.


Over 85,000 files were leaked in this data breach, including over 30,000 records with sensitive PII. The leak also included scanned government and company IDs stored in an Amazon S3 bucket through the Amazon Simple Storage Service.



The THSuite data breach exposed the dispensary's monthly sales reports for both cannabis and non-cannabis products, including gross sales, discounts, taxes, net sales, and totals for each payment type.


We didn't find any records with specific information about Colorado Grow Company's customers, or any other recreational marijuana users. However, since we weren't able to explore all the leaked data in detail, we can't be sure these records don't exist.


As a result of this data breach, sensitive personal information was exposed for medical marijuana patients, and possibly for recreational marijuana users as well. This raises some serious privacy concerns.


We recently found a large data breach that exposed the browsing history of mobile internet users in South Africa. We also discovered over 1TB of data leaked by Chinese online retailer LightInTheBox.


Personal records, including scans of ID cards and purchase details, for more than 30,000 people were exposed to the public internet from this unsecured cloud silo, we're told. In addition to full names and pictures of customer ID cards, the 85,000-file collection is said to include email and mailing addresses, phone numbers, dates of birth, and the maximum amount of cannabis an individual is allowed to purchase. All of it was available to download, unencrypted, if you knew where to look.


July 7, 2018: Hackers launched a Fourth of July attack on the popular social media app Timehop. The security breach compromised the names and emails of all its 21 million users, 4.7 million of whom also had a phone number exposed. Timehop said that it has taken steps to include multifactor authentication to improve their cloud security.


July 9, 2018: Another major fitness tracking app has been breached, this time revealing highly sensitive personal and geographical information of military and counterintelligence personnel. The leak was found on the Polar Flow social platform where users share their exercise data. Beyond fitness information, the data collected includes GPS tracking information, allowing anyone in possession of it to locate and identify the often-confidential location of military bases, embassies, airfields, nuclear storage sites and intelligence agencies. This cyberthreat is clearly a serious and frightening vulnerability. Users of such fitness tracking apps should enable all available privacy settings and watch what they share in online forums.


July 20, 2018: A major tax preparer for small and mid-sized businesses, cloud-based human resources company ComplyRight, experienced a data breach affecting 662,000 people. The breach may have exposed the names, addresses, phone numbers, email addresses and Social Security numbers of those impacted.


August 23, 2018: The personal data of 93,000 users of the popular babysitting booking app, Sitter, was temporarily exposed in an unsecured database. The information contained phone numbers, addresses, transaction details, phone contacts, partial credit card numbers and encrypted account passwords.


September 4, 2018: Millions of sensitive records have been leaked online by mSpy for the second time in three years. The mobile spyware maker, which allows customers to spy on the cell phone usage of their kids and partners, left passwords, call logs, text messages, contacts, notes and location data unprotected on an open database. Every customer who logged into the site or purchased an mSpy license within the past six months was exposed.


October 8, 2018: A Google security bug discovered in March 2018 became public on October 8, 2018. Google+ user profile data sat unprotected dating back to 2015 and could be accessed by third-party developers. The information of 496,951 Google+ users, including names, email addresses, dates of birth, gender, photos, location, occupation and relationship status, was among the data exposed.


October 14, 2018: Pentagon officials have announced a data breach in which hackers accessed a system that maintained employee travel records. At least 30,000 employees were affected in this latest Department of Defense breach. Personal information and credit card numbers were among the data exposed.


November 16, 2018: A provider of cloud-based communication services, San Diego-based Voxox, exposed at least 26 million text messages on an unprotected server. Security researchers discovered the vulnerability, which allowed them to see, in real time, millions of SMS messages being transmitted. These included sensitive information like password reset links, two-factor authentication codes and other data.


December 14, 2018: In yet another data privacy incident, Facebook announced a security bug that allowed third-party app developers to view the private photos of 6.8 million users. Private photos, Facebook Stories and Marketplace photos were exposed over the course of 12 days in September.


Open, publicly viewable S3 buckets are not a flaw in AWS; they are the result of an error by the owner of the bucket. Amazon provides detailed instructions to help AWS users secure S3 buckets and keep them private, so user education plays an important role in surmounting cloud security issues. But there are also multiple tools that can automate the policing of cloud use and help educate users as they go. These tools are generally pretty straightforward and make use of predefined rules to lock down data in the cloud. The solution to unsecured AWS buckets really is more straightforward than the initial problem appears.


Three years before the incident, the company that created the database was purchased by Thomson Reuters for $530 million. After the leak, Reuters claimed that the database had been exposed by a third-party and confirmed the elimination of the cybersecurity vulnerability.


In July 2016, Chris Vickery discovered an exposed database containing information belonging to the Oklahoma Department of Public Safety (DPS). As happened with most of the data leaks previously discovered by Vickery, the database could be accessed without login details and contained an alarming amount of information.


It seems that the sensitive user data was exposed for only one day. The question then arises: How long should sensitive data be exposed and unsecured before it is called a data leak? In line with what some US courts have ruled, a breach occurs the very moment that data is put in a publicly accessible place.


If the leaked data had fallen into the wrong hands, the users of the dating service could have been blackmailed and extorted. Given the poor cybersecurity practices of such services, you might want to reconsider their use.


A combination of patient, customer, employee, and business-related data was exposed. This included personally identifiable information (PII) like full names, birth dates, medical ID numbers, and contact information like phone numbers, addresses, and email. Also exposed was information about the cannabis purchased and used, along with sales information like price, quantity purchased, and full receipts.


An open database exposed 900 million user records for a secret sharing app, making anonymous user activity fully visible. No usernames were included in the breached records, but nicknames, ethnicities, genders, and stated information like age, hometown, and sexual preference, were all part of the leak. Location metadata from each post was also included in the breached database as coordinates, revealing addresses to homes, schools, and offices.


Even as a newly legitimized industry, cannabis organizations have already experienced high-impact data and security breaches. In early 2020, a database breach was reported that impacted almost 30,000 people connected to the marijuana industry and resulted from an unsecured Amazon S3 data storage bucket. The data breach included scanned versions of government-issued ID cards, purchase dates, customer history, and purchase quantities.

