cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Budding data leak leaves cannabis workers blazed

The data of 2.5 million workers in the cannabis industry have been exposed after a tech company used by dispensaries leaked their information.

user icon Daniel Croft
Mon, 12 Feb 2024
Budding data leak leaves cannabis workers blazed
expand image

HR platform Würk, which is based in Colorado, is used by the cannabis industry for workforce management, industry compliance, and payroll data management.

Würk suffered a leak after it misconfigured a MongoDB database, leaving its data easily accessible to the public without a password.

Data included the dates of birth, employment details such as start and finish dates, addresses and payrolls of the employees of cannabis dispensaries.


Encrypted social security numbers were also leaked.

Due to the sensitivity of the data leaked, the incident could present a major threat to both the staff and the organisation going forward.

“This breach could enable threat actors to engage in identity theft, financial fraud, or targeted phishing attacks, posing serious risks to the affected employees’ personal and financial wellbeing,” said the cyber security researcher responsible for identifying the leak, Bob Diachenko.

It is currently unknown whether any of the leaked data has been used maliciously by threat actors.

As Diachenko has pointed out in the past, this is not the first time the cannabis industry has been dealt a cyber blow.

In late 2020, cannabis grow journal community site GrowDiaries mistakenly leaked over 3.4 million records belonging to its users.

“I discovered the unprotected database on October 10, 2020. It consisted of about 1.4 million records with email addresses and IP addresses, plus 2 million records containing user posts and hashed account passwords,” wrote Diachenko.

“The passwords were hashed using MD5, a deprecated algorithm that an attacker could easily crack to access passwords in plain text.

“The IP addresses span a range of provinces and countries, in some of which marijuana is not legal.

“GrowDiaries replied to the incident alert but did not respond to my request for comment as of time of writing.”

GrowDiaries never disclosed the breach officially but responded to the initial report.

Data in the first 1,427,347 records titled “users” includes user email addresses, usernames and IP addresses.

The second set, which contained roughly 2 million records and was titled “reports”, included usernames, email addresses, post timestamps, user posts, including questions, answers and cannabis growth updates, image URLs and MD5-hashed account passwords, which Diachenko said can be easily cracked.

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.