A known threat actor has hacked into the notorious revenge site ShitExpress and leaked the company's database, including customer email addresses and the messages they sent through the platform.
ShitExpress is an online service that allows people to mail actual shit to anyone they want. It’s designed as a hoax website where people can buy a piece of animal poop and put it in a box to be delivered to someone’s door along with a personalized message.
You can imagine the type of message someone would send along with a piece of animal feces to their cheating ex-partner, scary ex-boss, or rowdy neighbor – hence why this leak might upset many customers.
SQL Injection Vulnerability
According to a report by Bilibili computer, a user named "pompompurin" visited the site in order to send a box to his longtime nemesis, cybersecurity researcher Vinny Troia. According to the publication, the two have gone back and forth for an extended period of time, pranking and harassing each other.
After opening the site, he realized it was vulnerable to SQL injection, and pompompurin soon began sifting through the email addresses, customer messages, and other private data associated with the orders.
A day after he successfully hacked the site, he leaked the database on a hacking forum. The database is surprisingly small, pompompurin told the publication: "Honestly, it's not that big… There are about 29,000 orders in the data," he said.
He also said he didn’t do it for ransom or anything like that. “I gained access the day before I leaked it and notified the site owner after dumping the data. [I’m] Not sure if they have admitted or anything,” he confirmed.
In response to the incident, ShitExpress admitted the breach and took responsibility, saying: "This is purely our fault – human error can happen to anyone. This was discovered by one of our customers. We fixed the error immediately."
Since this is a hoax site and hardly any customer data is collected, there was little of consequence to leak from the compromised endpoint. Payment data is held by the payment provider, which means pompompurin never obtained it.
Via: Bilibili computer