Leafly Cannabis Website Leaked User Info via Exposed Database

Cannabis information platform Leafly sent notification emails to some of its customers letting them know that some of their information was exposed in a data leak incident.

Leafly is "the world's largest cannabis information resource," as the company describes itself in a press release issued four days ago, and it "helps people discover, find, and buy cannabis and empowers cannabis businesses to attract and retain loyal customers through advertising and technology services."

"With 10 million monthly active users and 1.4 million user-generated strain, product, and dispensary reviews, Leafly has the largest and fastest-growing audience in the cannabis industry," also says a press release from June 2019.

Users' credit card information was not exposed

Leafly discovered on September 30 that customer information contained in user records dated July 2, 2016, had been exposed through a secondary database.

"On September 30, we learned that a set of Leafly user records dated July 2, 2016 held in a secondary Leafly database was disclosed without permission. Your email address was in that file," says the alert delivered to impacted customers.

Leafly added that the company does not collect or store national identification numbers or credit card information, and that there is no evidence that its production website was also accessed without authorization in the security incident.

For some users [1, 2, 3, 4, 5], the database leaked emails, usernames, and encrypted passwords, while, for others [1, 2], it also included extra info such as names, ages, gender, location, and mobile numbers.

"However, it is a good idea to ensure that you use a unique password on Leafly and other services you use. If you share passwords across services and haven't updated them recently, and you haven't reset your Leafly password, we recommend you do so now," states the notification letter.

Leafly data leak notification letter
Image: xfiltr8

The company reached out to all impacted customers, removed the exposed database, hired a forensic security auditor to investigate the incident and evaluate the situation, and it is in the process of reviewing data protection practices and procedures.

"Please accept our sincere apology for any concern this has caused. If you have any questions, please reach out to our customer support team at support@leafly.com," states Leafly.

The data leak notification letters sent by Leafly do not provide information on the number of impacted users. 

BleepingComputer has reached out to Leafly for more info but had not heard back at the time of this publication. This article will be updated when a response is received.
