A identified menace actor has hacked his approach into infamous revenge web site ShitExpress and leaked the corporate’s safe knowledge, together with buyer e mail addresses and the messages they despatched via the platform.

ShitExpress is a web based service that permits folks to ship precise faeces, via the publish, to whomever they need. It’s designed to be a prank web site, the place folks should buy a chunk of animal faeces and have it delivered to somebody’s door, in a field, along with a personalised message. 

You’ll be able to think about the kind of messages somebody would ship along with a chunk of animal dung to their dishonest former companions, horrible ex boss, or noisy neighbor – therefore why this leak is likely to be troubling to many shoppers.

SQL Injection flaw

As reported by BleepingComputer, a person going by the identify “pompompurin” visited the positioning with a purpose to ship a field to his long-time arch-nemesis, cybersecurity researcher, Vinny Troia. The 2 go approach again, pranking and harassing one another for fairly a while, the publication reported.

Upon opening the positioning, he realized that it was weak to SQL Injection, and shortly Mr pompompurin was quickly sifting via e mail addresses, buyer messages, and different private data (opens in new tab) related to the orders. 

A day after efficiently compromising the positioning, he leaked the database on a hacking discussion board. Chatting with the publication about it, pompompurin mentioned the database was surprisingly small: “It is actually not that massive… There’s about 29,000 orders within the knowledge,” he mentioned. 

He additionally mentioned that he didn’t do it for ransom or something comparable. “I gained entry a day earlier than I leaked it, and I notified the web site proprietor after dumping the info. [I’m] unsure in the event that they’ve acknowledged or something as of but,” he confirmed.

In response to the incident, ShitExpress acknowledged the breach, and took duty, saying: “It is purely our fault — a human error that might occur to anybody. It was discovered by considered one of our prospects. We mounted the error instantly.” 

As it is a prank web site, that gathers virtually no buyer knowledge in any respect, there was nothing explicit to leak from the compromised endpoints (opens in new tab). Cost knowledge was left with the fee supplier, which means pompompurin by no means bought it.

• These are the best firewalls (opens in new tab) proper now

Through: BleepingComputer (opens in new tab)

Sead is a seasoned freelance journalist based mostly in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, knowledge breaches, legal guidelines and rules). In his profession, spanning greater than a decade, he’s written for quite a few media shops, together with Al Jazeera Balkans. He’s additionally held a number of modules on content material writing for Characterize Communications.