A known threat actor has hacked his way into notorious revenge website ShitExpress and leaked the company’s secure data, including customer email addresses and the messages they sent through the platform.
ShitExpress is an online service that allows people to send actual faeces, through the post, to whomever they desire. It’s designed to be a prank site, where people can purchase a piece of animal faeces and have it delivered to someone’s door, in a box, together with a personalized message.
You can imagine the type of messages someone would send together with a piece of animal dung to their cheating former partners, horrible ex boss, or noisy neighbor – hence why this leak might be troubling to many customers.
SQL Injection flaw
As reported by BleepingComputer, a user going by the name “pompompurin” visited the site in order to send a box to his long-time arch-nemesis, cybersecurity researcher, Vinny Troia. The two go way back, pranking and harassing each other for quite some time, the publication reported.
Upon opening the site, he realized that it was vulnerable to SQL Injection, and soon Mr pompompurin was soon sifting through email addresses, customer messages, and other private data (opens in new tab) associated with the orders.
A day after successfully compromising the site, he leaked the database on a hacking forum. Speaking to the publication about it, pompompurin said the database was surprisingly small: “It’s honestly not that big… There’s about 29,000 orders in the data,” he said.
He also said that he didn’t do it for ransom or anything similar. “I gained access a day before I leaked it, and I notified the website owner after dumping the data. [I’m] not sure if they’ve acknowledged or anything as of yet,” he confirmed.
In response to the incident, ShitExpress acknowledged the breach, and took responsibility, saying: “It’s purely our fault — a human error that could happen to anyone. It was found by one of our customers. We fixed the error immediately.”
As this is a prank site, that gathers almost no customer data at all, there was nothing particular to leak from the compromised endpoints (opens in new tab). Payment data was left with the payment provider, meaning pompompurin never got it.
Via: BleepingComputer (opens in new tab)