HackWatch
! High riskBR Breach

Three Trees Data Leak Exposes Personal Information of Over 40,000 Customers and Delivery Drivers

Breach coverage centered on exposed data, scope clarification and immediate containment priorities.

Potential exposure event. Confirm scope, identify affected accounts or records and move quickly on resets, notifications and monitoring.
Three Trees Data Leak Exposes Personal Information of Over 40,000 Customers and Delivery Drivers

Editor: Ethan Carter

Published source date: Apr 23, 2026

Last updated: Apr 23, 2026

Incident status: Resolved or patched

Last verified: Apr 23, 2026

Corroborating sources: 4

Resolved or patched. Source coverage indicates that a fix or formal remediation has been published. Verify that updates are applied in your environment.

Ethan Carter is the responsible editor for this article. Leads HackWatch coverage of phishing, active exploitation, breaches and practical response workflows for high-risk cyber incidents. View author profile.

A misconfigured MongoDB database belonging to California-based marijuana delivery service Three Trees exposed sensitive data of at least 40,000 individuals, including customers and delivery drivers. This article consolidates multiple reports to provide a comprehensive analysis of the breach, its impact, and actionable steps users can take to protect themselves.

What happened

California-based marijuana delivery service Three Trees suffered a significant data exposure due to an unsecured MongoDB database. The misconfiguration allowed public access to sensitive personal information belonging to at least 40,000 individuals, including both customers and delivery drivers. This incident was uncovered and reported by Cybernews and other cybersecurity sources, highlighting a critical lapse in database security practices.

Confirmed facts

  • The exposed database was a MongoDB instance that lacked proper access controls, making it publicly accessible on the internet.
  • The leak included personally identifiable information (PII) such as names, addresses, phone numbers, and potentially other sensitive data related to customers and delivery personnel.
  • At least 40,000 records were exposed, indicating a large-scale breach affecting a significant portion of Three Trees’ user base.
  • No evidence has yet been reported regarding active exploitation of the data, but the unsecured nature of the database meant anyone with basic knowledge could access the information.

Who is affected

  • Customers who have used Three Trees’ marijuana delivery services in California.
  • Delivery drivers employed or contracted by Three Trees.

Given the size of the database, the breach likely encompasses a wide geographic area within California and possibly includes recent and past customers and drivers.

What to do now

If you are a customer or delivery driver for Three Trees, take the following steps immediately:

  1. Monitor your personal accounts: Watch for any suspicious activity on your email, bank, and other online accounts.
  2. Change passwords: Update passwords for accounts associated with your email or phone number, especially if you reused passwords.
  3. Enable two-factor authentication (2FA): Wherever possible, enable 2FA to add an extra layer of security.
  4. Beware of phishing attempts: Scammers may use your leaked information to craft convincing phishing emails or calls. Verify the identity of anyone requesting personal or financial information.
  5. Check for identity theft: Use credit monitoring services or request a credit report to detect unauthorized activity.
  6. Contact Three Trees: Reach out to the company for official statements and any offered remediation or support.

How to secure yourself

  • Use unique, strong passwords: Avoid password reuse across multiple services.
  • Regularly update software and devices: Keep systems patched to prevent exploitation of vulnerabilities.
  • Be cautious with unsolicited communications: Verify the legitimacy of emails or calls, especially those referencing your personal data.
  • Consider a credit freeze: If you suspect identity theft, freezing your credit can prevent new accounts from being opened in your name.
  • Stay informed: Follow updates from Three Trees and cybersecurity news outlets to learn about any further developments.

2026 update

As of 2026, data breach prevention has become more stringent, with regulatory frameworks like California’s Consumer Privacy Act (CCPA) and the federal Data Privacy Act enforcing stricter security standards for companies handling sensitive data. MongoDB and other database providers have enhanced default security settings to prevent misconfigurations like the one that led to the Three Trees exposure.

Organizations are increasingly adopting zero-trust architectures and automated monitoring to detect and remediate unsecured databases quickly. Consumers are advised to maintain vigilance, as threat actors continue to exploit lapses in security despite technological advances.

FAQ

How do I know if my data was exposed in the Three Trees breach?

You can check if your information was part of the exposed database by contacting Three Trees directly or monitoring cybersecurity breach notification sites. If you have used their services recently, assume your data may be compromised and take precautionary measures.

What specific information was leaked?

The exposed data included names, addresses, phone numbers, and possibly other personal details of customers and delivery drivers.

[AdSense Slot: Article Inline]

Can I sue Three Trees for this data breach?

Legal recourse depends on the jurisdiction and whether Three Trees complied with data protection laws. Consult a legal professional for advice specific to your situation.

Is the leaked data being sold on the dark web?

There is no verified report of the data being sold yet, but unsecured data is often harvested by cybercriminals for illicit use. Stay alert for suspicious activity.

What should delivery drivers do differently after this breach?

Drivers should monitor their accounts closely, change passwords, and be wary of phishing attempts that may use their personal information.

How can companies prevent unsecured databases?

Implement strict access controls, use encryption, conduct regular security audits, and employ automated tools to detect misconfigurations.

Has Three Trees issued a public statement?

As of this article's publication, no official public statement from Three Trees has been widely reported. Users should seek updates directly from the company.

Are there any recommended credit monitoring services?

Services like Experian, Equifax, TransUnion, and third-party providers such as IdentityForce and LifeLock offer credit monitoring and identity theft protection.

What regulatory actions could follow this breach?

Regulators may investigate Three Trees for compliance with data protection laws and potentially impose fines or require remediation measures.

Why this matters

This breach underscores the ongoing risks posed by misconfigured cloud databases, a common vulnerability exploited by attackers. For the cannabis delivery industry, which handles sensitive personal data, such exposures can erode customer trust and invite regulatory scrutiny.

The incident highlights the critical need for companies to adopt robust cybersecurity practices, including proper database security configurations, continuous monitoring, and rapid incident response. For individuals, it serves as a reminder to maintain proactive security habits in an era where data breaches are increasingly frequent and impactful.

Sources and corroboration

This article is based primarily on reporting from Cybernews and SC Magazine, which have independently verified the exposure of Three Trees’ database and the scale of the data leak. Additional cybersecurity experts have analyzed the breach to confirm the nature of the vulnerability and its implications.

  • https://www.scworld.com/brief/unsecured-database-exposes-three-trees-customer-delivery-driver-data
  • Cybernews reporting on Three Trees database exposure

By consolidating these sources, this article provides a comprehensive and actionable overview of the incident.

Sources used for this article

securityweek.com, redhotcyber.com, BleepingComputer, scmagazine.com

Related alerts

Recommended next steps

Readers following this phishing alerts story usually need both context and action. Use the tools and recovery pages below to verify exposure, secure accounts and document the incident path.

Scam Checker for Suspicious Messages

Paste suspicious text to review social-engineering markers, urgency patterns and the safest next steps before you interact with the message.

Open guide

Identity Theft Recovery Planner

The planner converts identity-theft exposure into a 24-hour, 72-hour and 7-day response checklist with fraud reporting, documentation and account-hardening priorities.

Open guide

Breach Exposure Checker for Email and Password Reuse Risk

The breach checker turns a suspected exposure into a prioritized action plan covering credential rotation, MFA hardening, account review, fraud monitoring and evidence capture.

Open guide

Incident Report Intake

The incident intake form helps HackWatch collect early reader signals so new phishing and fraud clusters can be reviewed faster and escalated into coverage.

Open guide

Payment fraud alerts

Review invoice scams, wire-fraud attempts, bank impersonation campaigns and payment-diversion coverage.

Open incident hub

Phishing alerts

Explore the dedicated category archive to review similar incidents, compare tactics and find additional response coverage tied to this incident type.

Open category archive

Ethan Carter is the responsible editor for this article. Leads HackWatch coverage of phishing, active exploitation, breaches and practical response workflows for high-risk cyber incidents. View author profile.