MJ Freeway’s Source Code Stolen & Published Online

By Aaron G. Biros
9 Comments

A Reddit thread and gitlab.com had the stolen code published online briefly before it was taken down.

Portions of MJ Freeway’s source code were reportedly stolen and posted in Reddit threads as well as on Gitlab.com, a source code hosting website. On June 15th, the account “MJFreeway Open Source” was created on Gitlab.com and portions of the source code were posted there; they have since been taken down. Source code is the human-readable set of instructions that makes up a program, and it is the basis for any modification or improvement of a software system; it can also contain sensitive information. To be clear, MJ Freeway does not use an open source model: its source code is the basis of its traceability software. Open source is a development model that fosters public collaboration on software, helping to identify weaknesses or areas for improvement.

When asked to comment on the matter, MJ Freeway issued the following statement:

“Last week we discovered that someone had obtained an outdated portion of MJ Freeway’s source code. This incident has absolutely no impact on our systems or MJ Freeway services, and client and patient data is not at risk. While this theft poses no risk to our clients, patients, or business operations, we take any incident involving unauthorized access very seriously and have reported it to the Colorado Bureau of Investigation.

Unfortunately, it has come to our attention that our competitors are spreading inaccurate information about the incident, including baseless claims about SSL info and the potential for client data being compromised – neither of which is true. We encourage our customers to contact us directly with any questions they may have.

We follow or exceed all relevant industry security standards and are confident that we have the most robust security measures in our industry. None of our peers come close. However, we live in a world of determined cyber-criminals and we operate in a competitive environment. Success and size make a company a bigger target for malicious actors, as other large companies also know. We will continue to investigate and take follow-up action as we learn more about this incident.”

On Sunday, June 18th, a user by the name of ‘techdudes420’ posted in the subreddit r/weedbiz a thread titled “MJFreeway goes open source.” The link in that post led to the Gitlab.com page where MJ Freeway’s source code was briefly published. The same user published a second Reddit post the following day with the same link to the stolen code, this time in r/COents, a subreddit for the Colorado cannabis community. MJ Freeway is based in Denver. That post claimed the user had found the stolen source code with a quick search and had been banned for it. The moderator of the thread chimed in, saying they banned the user for posting the stolen code. “We received a takedown request from the software owner stating the code had been stolen and released without permission,” says the moderator. “After investigating the matter I reached the same conclusion and removed the thread.” The moderator then updated the comment shortly after: “Edit: As for OP [original poster] ‘finding’ the code, if that were true I don’t know why he or she would have created a new Reddit account just to post the link.”

In addition to their own cybersecurity analysis, a spokeswoman for MJ Freeway says they will be performing a third-party audit and analysis this week as well. When that information becomes available, we will update this article.


Update: Multiple sources have reported that portions of MJ Freeway’s source code are still available online on torrent sites like PirateBay.

Comments

  1. James McCann

    A quick Google search looks like there’s already a torrent out there on The Pirate Bay… not posting the link for obvious reasons… but it doesn’t look like they are putting the genie back in the bottle at this point.

  2. Heather

    James, Pandora’s box is definitely open now. It’s also on extratorrent and torrentz. Not sure how Freeway can straight-faced lie that the code is “outdated” when there are things from May.

  3. Ed

    MJ Freeway shouldn’t even be in business. They lost data for all of their clients January of this year, claiming cyber attack. They were running private, non-secured servers with no redundancy, even though they claimed they did. We lost 3 years’ worth of sensitive, and state required, business data. We still don’t have it all back. This happened to hundreds of dispensaries using their software. It is obvious that they are using inferior systems, and are unqualified to host such sensitive data. I’m still waiting for the class action suit.

  4. Jane

    I AM SO VERY GLAD THEY TOOK THIS SERIOUSLY. THAT’S SARCASM… BY THE WAY! I GOT THIS EMAIL YESTERDAY (ALONG WITH A LOT OF OTHER NEVADA CLINICS BY THE WAY)… SOME OF OUR CUSTOMERS ARE THERE AND WE DON’T EVEN USE MJFREEWAY!!! ALREADY CONTACTED OUR ATTORNEY… IF THERE IS A CLASS ACTION BETTER SIGN ME UP TWICE!!!

    HERE IS THE EMAIL THAT SOME *SSHOLES SENT US:

    for sale: nevada.leafdatasystems.com customers tables

    greetings we have great offer for you! thanks to site for post all code, we have obtain all data. you will find 2000 records of sample attached for your pleasure and trust. In total there is 56 thousands patient customers records to be paid for by you. we also has all records from sql table other than customers — strains, sales, plants, batches, areas and many more to list.

    we think customers most value as u will grow you’re customers faster by reach out to already customers at other places. as you see also, we work with other group to add more better data. they help us clean, make data pretty and add more datas that are important. also….if u want user passwords to site……we have this too and if u want this we wont tell..we promise 🙂 🙂 🙂

    all datas freshly download today 26.06.2017.

    if u are interest plz write back and we work together for deal. we accept only bitcoin!!

    1. J

      I believe MJ Freeway runs the state compliance platform, so they will have all of your patient and sales data regardless. We got letters from the State saying they would pay for identity protection after this ‘hack’ or whatever it was this time.

  5. Distru

    This is unfortunate that this happened. We saw this happen earlier with some leaked GitHub uploads, to which MJFreeway responded that it was outdated code being posted, even though there was a re-post the next day which showed GitHub commits by real MJFreeway employees within the past few weeks.

    We take security at Distru rather seriously. We enforce HTTPS for all our API calls, login information is encrypted end-to-end, ISO compliant redundant systems have been set and live backups are created. Our system has been protected against SQLi attacks, and currently, a more advanced Data Loss Prevention is in the works.

    If you are interested in distribution software, please contact us at hello@distru.com and we’d be happy to help. If you’re interested in POS, check out http://treez.io.

    1. Reddit Reader

      and now another torrent was posted just days ago: “MJFreeway Recovery Data All Customers June 2017”

      everything is fine……………ummmmmmm…..really?
