A website that lets people send boxes of animal mess to their enemies has been hacked, exposing details of customers and their messages.
ShitExpress is a revenge prank website that lets you send a box of actual animal dung to victims and a personalised message to ‘people who annoy you the most’.
A vulnerability on the site allowed a hacker to gain access to the company’s database of customer email addresses and the messages they sent through the platform.
An ongoing feud between a hacker going by the name ‘pompompurin’ and cybersecurity researcher, Vinny Troia, resulted in the hacker gaining access to the website’s customer data when he went on the site to order a box to be sent to Troia.
‘Pompompurin’ then leaked the database on a hacking forum, exposing the angry personal messages sent by customers.
One of the messages said: ‘I saw a cockroach today and thought of you… I stepped on it.’
Another said: ‘This gift shows my thanks for your hard work, and is a symbol of how great my team thinks you are. ENJOY!’
The hacker told Bleeping Computer that the data he downloaded was surprisingly small and that they did not hold it for ransom. Instead, they just notified the website owner after dumping the data.
He said: ‘It’s honestly not that big… There’s about 29,000 orders in the data.
‘We have spotted some unusual activity on our server 4 days ago and found out that one of our script is vulnerable to SQL injection. It’s purely our fault — a human error that could happen to anyone,’ a ShitExpress spokesperson told Bleeping Computer.
ShitExpress also clarified that the website did not store any personal information about its customers.
‘If someone pays with a cryptocurrency, it’s obviously very safe and anonymous. If they pay by credit card, all the information stays with the payment processor. It’s simple as that,’
ShitExpress accepts payments made via credit card or Bitcoin and promises its customers complete anonymity.