https://www.bleepingcomputer.com/news/security/anonymous-poop-gifting-site-hacked-customers-exposed/ BleepingComputer.com logo * * * [ ] [Login] [Sign up] * * * [ ] [Login] [Sign up] * News + Featured + Latest + Twilio: 125 customers affected by data breach, no passwords stolen Twilio: 125 customers affected by data breach, no passwords stolen + Xiaomi phones with MediaTek chips vulnerable to forged payments Xiaomi phones with MediaTek chips vulnerable to forged payments + Ransomware gangs move to 'callback' social engineering attacks Ransomware gangs move to 'callback' social engineering attacks + CISA warns of Windows and UnRAR flaws exploited in the wild CISA warns of Windows and UnRAR flaws exploited in the wild + Microsoft is showing ads for Microsoft 365 in Office 2021 Microsoft is showing ads for Microsoft 365 in Office 2021 + Chinese hackers backdoor chat app with new Linux, macOS malware Chinese hackers backdoor chat app with new Linux, macOS malware + Anonymous poop gifting site hacked, customers exposed Anonymous poop gifting site hacked, customers exposed + Microsoft blocks UEFI bootloaders enabling Windows Secure Boot bypass Microsoft blocks UEFI bootloaders enabling Windows Secure Boot bypass * Downloads + Latest + Most Downloaded + Qualys BrowserCheck Qualys BrowserCheck + STOPDecrypter STOPDecrypter + AuroraDecrypter AuroraDecrypter + FilesLockerDecrypter FilesLockerDecrypter + AdwCleaner AdwCleaner + ComboFix ComboFix + RKill RKill + Junkware Removal Tool Junkware Removal Tool * Virus Removal Guides + Latest + Most Viewed + Ransomware + How to remove the PBlock+ adware browser extension How to remove the PBlock+ adware browser extension + Remove the Toksearches.xyz Search Redirect Remove the Toksearches.xyz Search Redirect + Remove the Smashapps.net Search Redirect Remove the Smashapps.net Search Redirect + Remove the Smashappsearch.com Search Redirect Remove the Smashappsearch.com Search Redirect + Remove Security Tool and SecurityTool (Uninstall Guide) Remove Security Tool and SecurityTool (Uninstall Guide) + How to remove Antivirus 2009 (Uninstall Instructions) How to remove Antivirus 2009 (Uninstall Instructions) + How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo + How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller + Locky Ransomware Information, Help Guide, and FAQ Locky Ransomware Information, Help Guide, and FAQ + CryptoLocker Ransomware Information Guide and FAQ CryptoLocker Ransomware Information Guide and FAQ + CryptorBit and HowDecrypt Information Guide and FAQ CryptorBit and HowDecrypt Information Guide and FAQ + CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ * Tutorials + Latest + Popular + How to open a Windows 11 Command Prompt as Administrator How to open a Windows 11 Command Prompt as Administrator + How to make the Start menu full screen in Windows 10 How to make the Start menu full screen in Windows 10 + How to install the Microsoft Visual C++ 2015 Runtime How to install the Microsoft Visual C++ 2015 Runtime + How to open an elevated PowerShell Admin prompt in Windows 10 How to open an elevated PowerShell Admin prompt in Windows 10 + How to start Windows in Safe Mode How to start Windows in Safe Mode + How to remove a Trojan, Virus, Worm, or other Malware How to remove a Trojan, Virus, Worm, or other Malware + How to show hidden files in Windows 7 How to show hidden files in Windows 7 + How to see hidden files in Windows How to see hidden files in Windows * Deals + Categories + eLearning eLearning + IT Certification Courses IT Certification Courses + Gear & Gadgets Gear + Gadgets + Security Security * Forums * More + Startup Database + Uninstall Database + File Database + Glossary + Chat on Discord + Send us a Tip! + Welcome Guide * Home * News * Security * Anonymous poop gifting site hacked, customers exposed * * Anonymous poop gifting site hacked, customers exposed By Ax Sharma * August 12, 2022 * 04:15 PM * 0 woman holding gift ShitExpress, a web service that lets you send a box of feces along with a personalized message to friends and enemies, has been breached after a "customer" spotted a vulnerability. Except, in an interesting twist, rather than responsibly reporting the vulnerability, the customer who is a known threat actor ended up exploiting the bug and downloading the entire database. This database was then shared on a hacking forum, exposing the angry, and sometimes hysterical, personal messages sent by the customers with the gifts. Shit delivery service hacked "A simple way to send a piece of shit in a box around the world," ShitExpress describes what is a prank web service where customers can purchase and deliver real animal feces to friends or frenemies located anywhere in the world. "Imagine all the people who annoy you the most. An irritating colleague. School teacher. Your ex-wife. Filthy boss. Jealous neighbour. That successful former classmate. Or all those pesky haters," states the homepage of ShitExpress. "What if you could send them a smelly surprise? There is nothing that could replace the expression on the recipient's face after opening the box!" ShitExpress' 4-step buying process involves: * Choosing an animal, ahem excrement, e.g. organic, wet horse poop. * Providing a shipping address * Customizing packaging, e.g. with a smiley sticker * Paying for your order Payments can be made via credit card or Bitcoin. The service promises its patrons complete anonymity, even when paying via credit card. buying stepsShitExpress 4-step buying process simplified But this time around, ShitExpress was visited by an interesting customer--pompompurin, the owner of Breached.co hacking forum and a well-known hacker who has previously stolen private data from companies like QuestionPro and Mangatoon. The hacker also previously put up stolen data of 7 million Robinhood customers for sale online. According to a forum post authored by pompompurin, the hacker recently visited ShitExpress to send a box of poop to cybersecurity researcher Vinny Troia. Former members of RaidForums including pompompurin (who now owns Breached.co) and Troia are purportedly in a long-standing feud with each other over the researcher's interactions with the hacker community and a report on The Dark Overlord. This feud has led to Pompompurin hacking the FBI servers to send false alerts about cyberattacks in November 2021, conducted by "threat actor" Vinny Troia. At one point, Troia even mawkishly launched a change.org petition, asking international leaders to extradite pompompurin to the U.S. Recently, when pompompurin visited ShitExpress to send a token of appreciation to Troia, the hacker realized the website was vulnerable to SQL Injection. The hacker was able to access customer messages, email addresses, and other private data associated with customer orders. This Tuesday, pompompurin also shared a small sample data set containing a preview of multiple database tables hosted by ShitExpress. Some of the messages contained in the orders are shown below. BleepingComputer has redacted messages with overly explicit wording that readers may find offensive. Hacker posts ShtExpress data on forum post Hacker shares ShitExpress sample data set on forum post (BleepingComputer) Some other messages in the sample data set seen by BleepingComputer included: "I saw a cockroach today and thought of you... I stepped on it" "This gift shows my thanks for your hard work, and is a symbol of how great my team thinks you are. ENJOY!" When approached by BleepingComputer for verification, pompompurin states they were surprised that the customer database wasn't as big as they had expected. "It's honestly not that big... There's about 29,000 orders in the data," pompompurin told BleepingComputer. The hacker stated on Twitter though, that the website had 60,000 users. It appears not every user who's registered on the website has placed an order. pompompurin further confirmed having exploited ShitExpress via SQL Injection but that they did not extort the site owners with a ransom demand. "I gained access a day before I leaked it, and I notified the website owner after dumping the data. [I'm] not sure if they've acknowledged or anything as of yet," concluded the hacker. ShitExpress DOES give a crap about security To confirm the authenticity of the forum post, we reached out to ShitExpress. A ShitExpress spokesperson told BleepingComputer: "We have spotted some unusual activity on our server 4 days ago and found out that one of our script is vulnerable to SQL injection," It's purely our fault -- a human error that could happen to anyone. It was found by one of our customers. We fixed the error immediately. Please understand that this is a simple prank site. There is no ransom demand. Nothing really happened. If a website visitor uses the form on our site, all the details are stored in our database. It's mostly junk because people are pranking their friends -- they enter their data + email address and leave. After that, we send them email to pay for their order and the pranked person is freaking out, trying to find out who did that. As mentioned on our site, we never reveal the real identity -- simply because we don't have any personal information of the people who filled the form on our website. If someone pays with a cryptocurrency, it's obviously very safe and anonymous. If they pay by credit card, all the information stays with the payment processor. It's simple as that." More companies should follow ShitExpress' lead when it comes down to promptly responding to security issues, and owning up to data breaches, transparently. And, as they say, "This shit is hilarious!" Related Articles: Hacker claims to have stolen data on 1 billion Chinese citizens Twilio: 125 customers affected by data breach, no passwords stolen Twilio discloses data breach after SMS phishing attack on employees Twitter confirms zero-day used to expose data of 5.4 million accounts CNN-News18 allegedly hacked to deny PayTM hack claims * Data Breach * Data Leak * SQL Injection * * * * * Ax Sharma Ax Sharma is a Security Researcher and Tech Reporter. His works and expert analyses have frequently been featured by leading media outlets including Fortune, Business Insider, The Register, TechRepublic, etc. Ax's expertise lies in vulnerability research, malware analysis, and open source software. He's an active community member of the OWASP Foundation, Open Source Security Foundation (OpenSSF), and the British Association of Journalists (BAJ). Send any tips via email or Twitter DM. * Previous Article * Next Article Post a Comment Community Rules You need to login in order to post a comment [Login] Not a member yet? Register Now You may also like: [INS::INS] Popular Stories * Cisco Cisco hacked by Yanluowang ransomware gang, 2.8GB allegedly stolen * Microsoft 365 Microsoft 365 outage triggered by Meraki firewall false positive Newsletter Sign Up To receive periodic updates and news from BleepingComputer, please use the form below. [ ] [Submit] Newsletter Sign Up [ ] [Submit] * Follow us: * * * * Main Sections * News * Downloads * Virus Removal Guides * Tutorials * Startup Database * Uninstall Database * File Database * Glossary Community * Forums * Forum Rules * Chat Useful Resources * Welcome Guide * Sitemap Company * About BleepingComputer * Contact Us * Send us a Tip! * Advertising * Write for BleepingComputer * Social & Feeds * Changelog Terms of Use - Privacy Policy - Ethics Statement Copyright @ 2003 - 2022 Bleeping Computer^(r) LLC - All Rights Reserved Login Username [ ] Password [ ] [*] Remember Me [ ] Sign in anonymously [Login] Sign in with Twitter button Sign in with Twitter --------------------------------------------------------------------- Not a member yet? Register Now Reporter Help us understand the problem. What is going on with this comment? * ( )Spam * ( )Abusive or Harmful * ( )Inappropriate content * ( )Strong language * ( )Other [ ] * [ ] Read our posting guidelinese to learn what content is prohibited. Submitting... SUBMIT