HackWatch
! High riskBR Breach

Three Trees Data Leak Exposes Personal Information of Over 40,000 Customers and Delivery Drivers

Breach coverage centered on exposed data, scope clarification and immediate containment priorities.

Potential exposure event. Confirm scope, identify affected accounts or records and move quickly on resets, notifications and monitoring.
Three Trees Data Leak Exposes Personal Information of Over 40,000 Customers and Delivery Drivers - HackWatch breach alert image
HackWatch breach alert image for: Three Trees Data Leak Exposes Personal Information of Over 40,000 Customers and Delivery Drivers
Marcin Pocztowski

Infrastructure Security Editor

Marcin Pocztowski

Infrastructure and Vulnerability Response

By: Artur Ślesik

Published: Apr 23, 2026

Updated: May 01, 2026

Incident status: Resolved or patched

Corroborating sources: 4

Technical review credentials: Security+ evidence | RHCSA evidence | JNCIS-SEC evidence

Trust note:This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.

The published article is checked against public sources before publication, and material corrections are reflected in the article update date.

Technical reviewer note: Marcin Pocztowski reviewed this alert on May 01, 2026 for infrastructure impact, containment order and whether persistence or lateral-movement claims are supported by evidence. His administrator note is concrete: isolate the host or segment first, protect logs and network telemetry, then rebuild, rotate or patch only within the scope supported by the 4 corroborating sources, the same cautious sequence he would use around managed router and server environments.

Review our editorial policy or send corrections to [email protected].

Resolved or patched. Source coverage indicates that a fix or formal remediation has been published. Verify that updates are applied in your environment.

A misconfigured MongoDB database belonging to California-based marijuana delivery service Three Trees exposed sensitive data of at least 40,000 individuals, including customers and delivery drivers. This HackWatch alert reviews documented reporting of the breach, its impact, and actionable steps users can take to protect themselves.

What happened

California-based marijuana delivery service Three Trees suffered a significant data exposure due to an unsecured MongoDB database. The misconfiguration allowed public access to sensitive personal information belonging to at least 40,000 individuals, including both customers and delivery drivers. This incident was uncovered and reported by Cybernews and other cybersecurity sources, highlighting a critical lapse in database security practices.

Confirmed facts

  • The exposed database was a MongoDB instance that lacked proper access controls, making it publicly accessible on the internet.
  • The leak included personally identifiable information (PII) such as names, addresses, phone numbers, and potentially other sensitive data related to customers and delivery personnel.
  • At least 40,000 records were exposed, indicating a large-scale breach affecting a significant portion of Three Trees’ user base.
  • No evidence has yet been reported regarding active exploitation of the data, but the unsecured nature of the database meant anyone with basic knowledge could access the information.

Who is affected

  • Customers who have used Three Trees’ marijuana delivery services in California.
  • Delivery drivers employed or contracted by Three Trees.

Given the size of the database, the breach likely encompasses a wide geographic area within California and possibly includes recent and past customers and drivers.

What to do now

If you are a customer or delivery driver for Three Trees, take the following steps immediately:

  1. Monitor your personal accounts: Watch for any suspicious activity on your email, bank, and other online accounts.
  2. Change passwords: Update passwords for accounts associated with your email or phone number, especially if you reused passwords.
  3. Enable two-factor authentication (2FA): Wherever possible, enable 2FA to add an extra layer of security.
  4. Beware of phishing attempts: Scammers may use your leaked information to craft convincing phishing emails or calls. Verify the identity of anyone requesting personal or financial information.
  5. Check for identity theft: Use credit monitoring services or request a credit report to detect unauthorized activity.
  6. Contact Three Trees: Reach out to the company for official statements and any offered remediation or support.

How to secure yourself

  • Use unique, strong passwords: Avoid password reuse across multiple services.
  • Regularly update software and devices: Keep systems patched to prevent exploitation of vulnerabilities.
  • Be cautious with unsolicited communications: Verify the legitimacy of emails or calls, especially those referencing your personal data.
  • Consider a credit freeze: If you suspect identity theft, freezing your credit can prevent new accounts from being opened in your name.
  • Stay informed: Follow updates from Three Trees and cybersecurity news outlets to learn about any further developments.

FAQ

How do I know if my data was exposed in the Three Trees breach?

You can check if your information was part of the exposed database by contacting Three Trees directly or monitoring cybersecurity breach notification sites. If you have used their services recently, assume your data may be compromised and take precautionary measures.

What specific information was leaked?

The exposed data included names, addresses, phone numbers, and possibly other personal details of customers and delivery drivers.

Can I sue Three Trees for this data breach?

Legal recourse depends on the jurisdiction and whether Three Trees complied with data protection laws. Consult a legal professional for advice specific to your situation.

Is the leaked data being sold on the dark web?

There is no verified report of the data being sold yet, but unsecured data is often harvested by cybercriminals for illicit use. Stay alert for suspicious activity.

What should delivery drivers do differently after this breach?

Drivers should monitor their accounts closely, change passwords, and be wary of phishing attempts that may use their personal information.

How can companies prevent unsecured databases?

Implement strict access controls, use encryption, conduct regular security audits, and employ automated tools to detect misconfigurations.

Has Three Trees issued a public statement?

As of this article's publication, no official public statement from Three Trees has been widely reported. Users should seek updates directly from the company.

Are there any recommended credit monitoring services?

Services like Experian, Equifax, TransUnion, and third-party providers such as IdentityForce and LifeLock offer credit monitoring and identity theft protection.

What regulatory actions could follow this breach?

Regulators may investigate Three Trees for compliance with data protection laws and potentially impose fines or require remediation measures.

Why this matters

This breach underscores the ongoing risks posed by misconfigured cloud databases, a common vulnerability exploited by attackers. For the cannabis delivery industry, which handles sensitive personal data, such exposures can erode customer trust and invite regulatory scrutiny.

The incident highlights the critical need for companies to adopt robust cybersecurity practices, including proper database security configurations, continuous monitoring, and rapid incident response. For individuals, it serves as a reminder to maintain proactive security habits in an era where data breaches are increasingly frequent and impactful.

Sources and corroboration

This article is based primarily on reporting from Cybernews and SC Magazine, which have independently verified the exposure of Three Trees’ database and the scale of the data leak. Additional cybersecurity experts have analyzed the breach to confirm the nature of the vulnerability and its implications.

  • https://www.scworld.com/brief/unsecured-database-exposes-three-trees-customer-delivery-driver-data
  • Cybernews reporting on Three Trees database exposure

By consolidating these sources, this article provides a comprehensive and actionable overview of the incident.

Sources used for this article

securityweek.com, redhotcyber.com, BleepingComputer, scmagazine.com

Artur Ślesik

Real reviewer profile

Artur Ślesik

Founder of HackWatch.io and WEB-NET; Editorial Reviewer

Open reviewer profile

Artur Ślesik is the founder of HackWatch.io and WEB-NET, a real named reviewer with 17+ years of experience building and maintaining web portals.

Coverage focus: Secure web portals, phishing prevention, user-facing recovery guides and practical web-security review

Editorial disclosure: This is a real named founder profile. HackWatch does not claim unverified security certifications, SOC employment history or CERT incident-response credentials for Artur. Security guidance is grounded in public sources, HackWatch tooling and first-hand web-portal experience.

Artur leads this phishing alerts coverage lane at HackWatch. This article is maintained as part of the ongoing editorial watch around "Three Trees Data Leak Exposes Personal Information of Over 40,000 Customers and Delivery Drivers".

Secure web portals and publishing operationsPhishing prevention and account-safety guidanceUser-facing recovery playbooks