The hacker pompompurin stated that he discovered a SQL injection vulnerability while sending feces to a cybersecurity researcher.

The website accepts payment by credit card and Bitcoin but does not store any personal information about its customers.

ShitExpress confirmed that there was a vulnerability in a script, and pompompurin claimed that he is not demanding a ransom from the company.

ShitExpress is a popular web service allowing customers to send a box of feces with a message anonymously. The website’s database was shared on a hacking forum revealing all the messages sent by previous customers along with the boxes. A notorious hacker, who also happens to be a customer, found a vulnerability and exploited it.

The entire database is stolen

Although the service is unusual, the website works like any other. Sending feces to someone you know requires only these steps:

Choosing the animal and the type of feces

Providing the address

Customizing the packaging

Payment

The website accepts payment by both credit card and Bitcoin and promises complete anonymity, even when paying with a credit card. Recently, however, the website was visited by an extraordinary customer.

According to a forum post published by pompompurin, a notorious hacker who is responsible for stealing private data from companies, the hacker visited ShitExpress to send feces to cybersecurity researcher Vinny Troia. While sending the feces, he noticed a vulnerability on the website that allowed an SQL injection attack. The hacker managed to download the entire database from the website, including customer messages, email addresses, and other customer order data. Pompompurin shared a small sample data set from the stolen database, which revealed very angry and creative messages sent by customers.

29,000 orders in the database

Pompompurin stated that there are approximately 29,000 orders in the database. The hacker also claims that they didn’t contact the site owners with a ransom demand. Pompompurin also stated that they have notified the website owner. According to online sources, the company confirmed that one of their scripts is vulnerable to SQL injection and that they spotted some unusual activity on the server. The company said they are sending an email to customers allowing them to pay for their order and they don’t have any personal information. Even if the customer pays with a credit card, all the information stays with the payment processor.