
Three Trees, a California-based marijuana products delivery service, has spilled the personal details of thousands of people. Customers and delivery drivers had their personal info, as well as selfies and IDs, left publicly accessible.
“They come for women, weed, and weather,” Dr. Dre and Kendrick Lamar once rhymed in an ode to California, titled The Recipe. However, those in California who wanted marijuana delivered to their door may discover threat actors coming for them.
On March 24th, our research team discovered an open database containing everything from names and home addresses to passport pictures and medical data. The owner of the data is Three Trees, a marijuana delivery service servicing Sacramento and the Bay Area.
“While some states have legalized the use of marijuana, there is still a stigma around its use. People who have had their information exposed may face scrutiny from other citizens or even face employer discrimination if such information ever falls into the wrong hands,” the team said.
Our researchers discovered the exposed data in late March and informed Three Trees about the issue. While the company did not acknowledge the team’s note, by April 8th, the exposed data had been secured. We have reached out to Three Trees for comment and will update the article once we receive a reply.
It’s unclear if threat actors have accessed or exploited the leaked data. However, thousands of threat actors have deployed millions of online crawlers, purposely built to scour the net for exposed databases.
What customers’ data did the Three Trees leak expose?
The leaked data was stored on an exposed MongoDB database. Companies often use MongoDB to store and process large volumes of data. The Three Trees data leak likely happened due to human error, a common mistake where databases are left exposed without proper authentication.
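As an added illustration, not from the article or from Three Trees, the configuration difference that typically separates an exposed MongoDB deployment from a protected one. The first `mongod.conf` fragment shows the weak state (no access control, listening on every interface); the second shows the corrected state. The private address and port are assumed values.

```yaml
# Weak configuration (constructed example): mongod listens on all interfaces and
# has no "security" section, so any client that can reach TCP/27017 can read
# every collection without a username or password.
net:
  port: 27017
  bindIp: 0.0.0.0
---
# Corrected configuration: bind only to loopback and the application host's
# private address (10.0.0.5 is an assumed value), and require authentication.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
```

With `security.authorization: enabled`, the server refuses unauthenticated queries, and the first administrative user must be created over the localhost exception with `db.createUser(...)` from `mongosh` before remote clients can connect. Restricting `net.bindIp` is the second, independent control: even if authentication is misconfigured later, the port is no longer reachable from the public internet. A defender verifying either change can confirm it from outside the host by checking that an unauthenticated connection attempt is rejected.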
The volume exposed is enormous: over 47GB of data was leaked online. Most of the exposed records are delivery-related, from parcel contents to delivery addresses, but some also contain chats between buyers and the delivery app.
“If there are more of the 4g kief items left, please let me know, and I will buy them,” one Three Trees client wrote.
“I have an MMIC card, so shouldn’t have limit problems.”
The leaked information can be grouped into two categories: customer information and delivery drivers’ data. The data set contained a trove of personal customer data, which includes:
- Names
- Delivery addresses
- Dates of birth
- Phone numbers
- Links to selfies
- ID cards
- Medical information
- Medical marijuana ID cards (MMIC)
- Liveness selfies
At the same time, the exposed database contained information on the service’s drivers, including:
- Names
- Driver’s license photos
- Addresses
- Contact information
According to our researchers, the exposed dataset contained over 40K unique customer phone numbers and over 20K unique customer email addresses. The assumption is that at least 40K customers had their details leaked online.
Why is the Three Trees data leak dangerous?
Personal data leaks always heighten cybersecurity risks for exposed individuals. For one, leaked IDs can be used for identity theft, while leaked email addresses and phone numbers increase the risk of phishing and social engineering.
However, although Three Trees operates legally under state law, the products it sells are not federally legal in the US. Because of this, customers may face additional risks. For example, attackers can threaten to contact individuals’ employers or otherwise blackmail people whose data has been leaked online.
Like exposed customers, exposed drivers face increased risks of identity theft, social engineering, and phishing. In addition, this type of data could end up on the dark web, where attackers may sell it to individuals willing to stalk and rob drivers carrying marijuana.
“Since the service collected personally identifiable information together with government-issued IDs, the risk of identity theft and fraud is high,” our researchers explained.
“Attackers could attempt to use leaked info to take out unauthorized loans or create other financial accounts in order to bypass KYC checks, with these accounts later being used for illegal activities.”
Three Trees may also face issues, as California has some of the strictest privacy laws in the United States. For example, our researchers note that the publicly accessible MongoDB database contained cloud storage links for photos of ID documents, with the links accessible without authentication.
Disclosure timeline:
Leak discovered: March 24th, 2026
Initial disclosure: March 26th, 2026
Leak observed as closed: April 8th, 2026