A Poop-Delivery Service Was Hacked

pcmag.com:

A service that allows people to anonymously send animal feces to someone else has been hacked.

BleepingComputer reports(Opens in a new window) that ShitExpress, which bills itself as "a simple way to send a piece of shit in a box around the world," was recently breached. Some data taken from the site—including customer email addresses paired with the messages they sent along with the box of poop—has been made public.

The data was taken from a ShitExpress database by a hacker known as "Pompompurin." If that sounds familiar, it's probably because in November 2021, the same hacker exploited a flaw in the FBI's website to send emails from the "[email protected]" domain. And it turns out the hacks are tangentially related.

Pompompurin's fake emails told system administrators their networks had been compromised by a "threat actor" known as Vinny Troia—who is actually a security researcher. Pompompurin told BleepingComputer they found the flaw that exposed ShitExpress customer data while using the service to send feces to Troia.

That means Pompompurin has discovered, exploited, and disclosed at least two security problems as part of the feud with Troia. The first was in a portal that allowed Pompompurin to send messages that appeared to come from the FBI; the second was in a database for a service used to send people animal poop.

ShitExpress has reportedly addressed the vulnerability Pompompurin exploited to collect this customer data. It's also continuing to process orders, and at time of writing, it says on its website that someone used its services just 16 minutes ago.

Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.

This newsletter may contain advertising, deals,