ShitExpress, a web service that lets you send a box of feces along with a personalized message to friends and enemies, has been breached after a “customer” spotted a vulnerability.
Except, in an interesting twist, rather than responsibly reporting the vulnerability, the customer who is a known threat actor ended up exploiting the bug and downloading the entire database.
This database was then shared on a hacking forum, exposing the angry, and sometimes hysterical, personal messages sent by the customers with the gifts.
Shit delivery service hacked
“A simple way to send a piece of shit in a box around the world,” ShitExpress describes what is a prank web service where customers can purchase and deliver real animal feces to friends or frenemies located anywhere in the world.
“Imagine all the people who annoy you the most. An irritating colleague. School teacher. Your ex-wife. Filthy boss. Jealous neighbour. That successful former classmate. Or all those pesky haters,” states the homepage of ShitExpress.
“What if you could send them a smelly surprise? There is nothing that could replace the expression on the recipient’s face after opening the box!”
ShitExpress’ 4-step buying process involves:
Choosing an animal, ahem excrement, e.g. organic, wet horse poop.
Providing a shipping address
Customizing packaging, e.g. with a smiley sticker
Paying for your order
Payments can be made via credit card or Bitcoin. The service promises its patrons complete anonymity, even when paying via credit card.
But this time around, ShitExpress was visited by an interesting customer—pompompurin, the owner of Breached.co hacking forum and a well-known hacker who has previously stolen private data from companies like QuestionPro and Mangatoon. The hacker also previously put up stolen data of 7 million Robinhood customers for sale online.
According to a forum post authored by pompompurin, the hacker recently visited ShitExpress to send a box of poop to cybersecurity researcher Vinny Troia.
Former members of RaidForums including pompompurin (who now owns Breached.co) and Troia are purportedly in a long-standing feud with each other over the researcher’s interactions with the hacker community and a report on The Dark Overlord.
This feud has led to Pompompurin hacking the FBI servers to send false alerts about cyberattacks in November 2021, conducted by “threat actor” Vinny Troia.
At one point, Troia even mawkishly launched a change.org petition, asking international leaders to extradite pompompurin to the U.S.
Recently, when pompompurin visited ShitExpress to send a token of appreciation to Troia, the hacker realized the website was vulnerable to SQL Injection.
The hacker was able to access customer messages, email addresses, and other private data associated with customer orders.
This Tuesday, pompompurin also shared a small sample data set containing a preview of multiple database tables hosted by ShitExpress.
Some of the messages contained in the orders are shown below. BleepingComputer has redacted messages with overly explicit wording that readers may find offensive.
Some other messages in the sample data set seen by BleepingComputer included:
“I saw a cockroach today and thought of you… I stepped on it”
“This gift shows my thanks for your hard work, and is a symbol of how great my team thinks you are. ENJOY!”
When approached by BleepingComputer for verification, pompompurin states they were surprised that the customer database wasn’t as big as they had expected.
“It’s honestly not that big… There’s about 29,000 orders in the data,” pompompurin told BleepingComputer. The hacker stated on Twitter though, that the website had 60,000 users. It appears not every user who’s registered on the website has placed an order.
pompompurin further confirmed having exploited ShitExpress via SQL Injection but that they did not extort the site owners with a ransom demand.
“I gained access a day before I leaked it, and I notified the website owner after dumping the data. [I’m] not sure if they’ve acknowledged or anything as of yet,” concluded the hacker.
ShitExpress DOES give a crap about security
To confirm the authenticity of the forum post, we reached out to ShitExpress. A ShitExpress spokesperson told BleepingComputer:
“We have spotted some unusual activity on our server 4 days ago and found out that one of our script is vulnerable to SQL injection,” It’s purely our fault — a human error that could happen to anyone. It was found by one of our customers. We fixed the error immediately.
Please understand that this is a simple prank site. There is no ransom demand. Nothing really happened.
If a website visitor uses the form on our site, all the details are stored in our database. It’s mostly junk because people are pranking their friends — they enter their data + email address and leave. After that, we send them email to pay for their order and the pranked person is freaking out, trying to find out who did that.
As mentioned on our site, we never reveal the real identity — simply because we don’t have any personal information of the people who filled the form on our website. If someone pays with a cryptocurrency, it’s obviously very safe and anonymous. If they pay by credit card, all the information stays with the payment processor. It’s simple as that.”
More companies should follow ShitExpress’ lead when it comes down to promptly responding to security issues, and owning up to data breaches, transparently.
And, as they say, “This shit is hilarious!”
