A website that streams movies for marijuana enthusiasts and offers a platform for stoners to chat while watching videos left over 10 million messages of more than 44,000 users exposed online for anyone to see.
"Its [sic] just shit having to buy off sketchy people in the street etc," one user wrote in a message, according to Chris Vickery, the security researcher who fund the database.
"Because she buys weed from me," another one said.
The data was left exposed in a misconfigured MongoDB database by The Trees Network, a site that streams time-synchronized movies 24/7, offering "cannabis enthusiasts" a chance to chat while they enjoy a spliff. On Wednesday morning, for example, the site showed Mad Max, Men In Black, and Shrek.
The site advises users not to discuss "where or how to purchase cannabis in the public chat," but according to a sample of chat messages Vickery sent me, discussions of potentially illegal activity were common.
Vickery, who works at MacKeeper, found the data earlier this month, as he explained in a blog post published on Wednesday. He immediately reported the issue to the site, alarmed that it was very easy to track down users since anyone could see what the users said as well as their corresponding IP addresses.
"The potential for self-incrimination is massive here. I'm sure the DEA would love to data mine this breach," Vickery told Motherboard.
"The potential for self-incrimination is massive here. I'm sure the DEA would love to data mine this breach."
"10 for the gram in Utah. The more you buy the cheaper it is here," one user wrote.
After Vickery reported the issue on the online chat, an administrator quickly fixed it, according to the researcher. A Trees Network spokesperson confirmed that for "a brief period" their database was "publicly accessible," but downplayed the incident, saying the whole point of the site is for users to publicly discuss marijuana-related issues.
The database also contained passwords, but they were hashed with bcrypt, a strong hashing function that's believed to be harder, though not impossible, to crack compared to other types of password protection.
This story has been updated to include The Trees Network's comments.