Recently a major cannabis POS provider – with over 11 million in funding, 23 million pounds tracked to date, and operations in 30+ states and 4 countries – found itself on the business end of a “sophisticated digital attack” not once, not twice, but thrice. Or maybe four times; gross mismanagement of the situation and a lack of transparency made it hard to tell. Their story went from “our 3rd party security auditors verified that only an unsuccessful attempt was made”, to “no wait, make that a successful attempt, but with no loss of PII”, to “ok, all our source code and much of your patient data is on ThePirateBay and our systems will be down for the next month”. Through a combination of OSINT, (ethical) social engineering, and close examination of the source code, I hope to shed light on what actually happened, and on how a large portion of all dispensaries in the country can be forced to write down sales by hand, and government contracts can be lost, without more outrage from the industry. All eyes are on the industry right now and, given its precarious federal legal status, the next moves made will be crucial.