A known threat actor hacked the notorious revenge website ShitExpress and leaked a lot of data, including customer’s email addresses and messages they sent via the platform.
ShitExpress is an online service that allows people to send real feces to whomever they want by mail. It started as a prank site where people could buy a piece of animal excrement and have it delivered to someone’s doorstep in a box with a personalized message.
You can imagine the messages someone would send to their cheating ex-partners, their horrible ex-boss, or their noisy neighbors along with a bit of animal dung, so this leak seems troubling to many customers.
As reported by BleepingComputer, a user named “pompompurin” visited the site to send a box to his longtime nemesis, cybersecurity researcher Vinny Troia. The two had been joking and bickering with each other for a long time, the broadcast reported.
After opening the site, it realized that it was vulnerable to SQL Injection, and pompompurin soon began skimming email addresses, customer messages, and other private data about orders.
A day after successfully hijacking the site, it leaked its database on a hacking forum. Speaking to the publication about this, pompompurin said the database is surprisingly small: “It’s not that big to be honest… There are about 29,000 orders in the data,” he said.
He also said he wasn’t doing it for ransom or anything like that: “I gained access the day before the leak and informed the website owner after spilling the data. I’m not sure if [they] agreed or anything yet.”
In response to the incident, ShitExpress acknowledged the breach and claimed responsibility: “This is entirely our fault – a human error that can happen to anyone. Found by a customer. We fixed the error right away.”
8687
