A misconfigured MongoDB database with no authentication exposed over 47 GB of sensitive customer and driver data for the Three Trees delivery service. The publicly accessible database contained unauthenticated links to cloud-stored ID documents, including selfies, medical details, and driver's license photos. While the database was secured by April 8, 2026, the exposure creates significant privacy and identity fraud risks, potentially violating California privacy laws.
Data Security , Privacy Unsecured database exposes Three Trees customer, delivery driver data April 23, 2026 Share By SC Staff (Adobe Stock) California-based marijuana delivery service Three Trees had data from at least 40,000 individuals leaked as a result of a misconfigured MongoDB database , Cybernews reports. Analysis of the over 47 GB of data spilled online revealed customer data, including names, delivery addresses, phone numbers, birthdates, selfie links, liveness selfies, ID cards, medical details, medical marijuana ID cards, as well as driver information, including names, driver's license photos, addresses, and contact details, according to Cybernews researchers. Although the corporation did not respond to the team's note when the leak was found in late March, the exposed data had been secured by April 8. Whether threat actors have accessed or used the compromised data is unknown. "Attackers could attempt to use leaked info to take out unauthorized loans or create other financial accounts in order to bypass KYC checks, with these accounts later being used for illegal activities," the researchers warned. Three Trees may face legal issues under Californias strict privacy laws after researchers found that its publicly accessible MongoDB included unauthenticated links to cloud-stored ID document photos. SC Staff Related Government Regulations House GOP eyes nationwide rules on data collection SC Staff April 23, 2026 CyberScoop reports that House Republicans have introduced a draft national digital privacy bill aimed at establishing business and consumer data protections against exploitation for advertising and other purposes. Data Security OpenAI’s Chronicle mirrors Microsoft Recall’s privacy concerns SC Staff April 23, 2026 Chronicle functions by taking screenshots of the user's screen and feeding them to OpenAI's Codex agent to augment its memory with contextual data. Data Security UK ransomware attacks shift to targeted methods, small businesses most affected SC Staff April 23, 2026 Security researchers at SonicWall reported that ransomware actors have moved away from broad, untargeted attacks to more human-operated, "big game hunting" methodologies. Related Events Cybercast Beyond the Hype: The Cybersecurity Trends CISOs are Keeping an Eye on in 2026 On-Demand Event Cybercast Beyond the data perimeter: Why next-generation DSPM is the foundation for modern data security On-Demand Event Virtual Conference Securing the Future of Finance: Strategies to Counter Modern Cyber Threats On-Demand Event Get daily email updates SC Media's daily must-read of the most current and pressing daily news Business Email By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy . Subscribe Related Terms Authenticity Biometrics Bit Block Cipher Cryptographic Algorithm or Hash Cryptographic Hash Functions Data Loss Prevention (DLP) Data Warehousing Decryption Diffie-Hellman You can skip this ad in 5 seconds