Unsecured database exposes Three Trees customer, delivery driver data

California-based marijuana delivery service Three Trees had data from at least 40,000 individuals leaked as a result of a misconfigured MongoDB database, Cybernews reports.

Analysis of the over 47 GB of data spilled online revealed customer data, including names, delivery addresses, phone numbers, birthdates, selfie links, liveness selfies, ID cards, medical details, medical marijuana ID cards, as well as driver information, including names, driver's license photos, addresses, and contact details, according to Cybernews researchers. Although the corporation did not respond to the team's note when the leak was found in late March, the exposed data had been secured by April 8. Whether threat actors have accessed or used the compromised data is unknown.

"Attackers could attempt to use leaked info to take out unauthorized loans or create other financial accounts in order to bypass KYC checks, with these accounts later being used for illegal activities," the researchers warned. Three Trees may face legal issues under Californias strict privacy laws after researchers found that its publicly accessible MongoDB included unauthenticated links to cloud-stored ID document photos.