Hackers Attacked an Anonymous Site for Sending Faeces by Mail

The media reported that hackers had attacked ShitExpress, an anonymous site for sending animal feces. The web service allows sending a “gift” with animal excrement (with a personalized message) to friends and enemies by mail.

One of the “clients” of the service discovered a vulnerability that allowed him to steal the site's database, which has now been published on a hacker forum.

“Imagine the people who piss you off the most. Annoying colleague. School teacher. Your ex-wife. Bad boss. Jealous neighbor. That successful former classmate. What if you could send them a stinky surprise? Nothing compares to the look on the face of the recipient after opening the box!” the creators of ShitExpress write.

Bleeping Computer, which reported the hack, says the process of ordering from ShitExpress looks like this:

  1. the client selects the animal whose feces will be sent to the addressee (e.g. “organic, wet horse poop”);
  2. indicates the delivery address;
  3. selects the personalization of the package, for example, a sticker with a smiley face;
  4. pays for the order.

Payments can be made both with a bank card and in cryptocurrency. Moreover, the service promised its visitors complete anonymity even in the case of payment by card.

Recently, a person known by the nickname pompompurin decided to use this service. He is the owner of the hacker forum Breached.co, who previously stole data from companies such as QuestionPro and Mangatoon and also put information on about 7 million Robinhood users up for sale.

According to pompompurin himself, he decided to send a box of faeces to the famous information security researcher Vinny Troia. The fact is that many former members of RaidForums, including pompompurin, have been at odds with the expert for quite a long time because of his investigations in general and the report on the hack group The Dark Overlord in particular.

The conflict escalated to the point where, in late 2021, pompompurin hacked into the FBI servers and sent out fake cyberattack alerts, claiming Vinny Troia was responsible for these incidents.

Troia, in turn, even created a change.org petition asking world leaders to extradite pompompurin to the US.

This time, while visiting ShitExpress, pompompurin discovered that the site was vulnerable to SQL injection. As a result, the hacker compromised the site and was able to access all customer messages, email addresses and other personal data related to orders. He is now posting some particularly funny messages from ShitExpress customers on his forum and has published the stolen database there.

The hacker told reporters that he was surprised by the small size of the ShitExpress customer base: pompompurin found information about approximately 29,000 orders. He also confirmed that after the discovery of the vulnerability, he did not extort money from site owners, but simply stole the database.

Bleeping Computer journalists also contacted ShitExpress representatives, who admitted the hack:

“We noticed unusual activity on our server four days ago and discovered that one of our scripts was vulnerable to SQL injection. This is solely our fault – a human error that could happen to anyone. The problem was found by one of our customers. We corrected this error immediately.

“Please understand that this is just a joke site. There were no ransom demands. Nothing really happened.

“If a visitor uses a form on our website, all data is stored in our database. Basically, it’s all rubbish because people play pranks on their friends – they enter their details + email address and leave. After that, we send them an email asking them to pay for the order, and the prankster freaks out trying to figure out who did it.

“As mentioned on our site, we never reveal the real identity of the sender, simply because we don’t have personal information about the people who filled out the form on our site. If someone paid with cryptocurrency, it is obviously very safe and anonymous. If they paid with a credit card, all the information remained with the payment system. It’s that simple.”

The publication notes with irony that many large companies should learn from ShitExpress how to respond to such incidents.

About the author

Carina Wilson