For those who are not familar with Sh*tExpress and its services, it is an online operation which allows you to send poo though the post to whomever you desire. It’s designed to be a prank site, where people can purchase a piece of animal faeces and have it delivered to someone’s door, in a box, together with a personalised message.
The sort of people who feel motivated to send animal poo in the post are not likely to be happy with the sender and it is a number two weapon of choice for those who have cheating former partners, horrible ex boss, or neighbour who plays the works of Céline Marie Claudette Dion very loudly.
There is a saying that when you are shipping revenge poo the last thing you want is a leak.
According to BleepingComputer, a user going by the name “pompompurin” visited the site in order to send a box to his long-time arch-nemesis, cybersecurity researcher, Vinny Troia.
Upon opening the site, he realised that it was vulnerable to SQL Injection, and soon Mr pompompurin was soon sifting through email addresses, customer messages, and other private data(opens in new tab) associated with the orders.
A day after successfully compromising the site, he leaked the database on a hacking forum. Speaking to the publication about it, pompompurin said the database was surprisingly small: "There's about 29,000 orders in the data," he said. Which we have to admit is a lot of sh*t shifted.
In response to the incident, ShitExpress acknowledged the breach, and took responsibility, saying: "It's purely our fault -- a human error that could happen to anyone. It was found by one of our customers. We fixed the error immediately.”
As this is a prank site, that gathers almost no customer data at all, there was nothing particular to leak from the compromised endpoints(opens in new tab). Payment data was left with the payment provider, meaning pompompurin never got it.