Cyber Incident Victim: ShitExpress
Date: Aug 2022
Location: United States of America
Summary
A threat actor exploited an SQL Injection vulnerability in an anonymous fecal gifting service, compromising customer messages, email addresses, and private data. The attacker—a known hacker—accessed and leaked the database containing approximately 29,000 orders on a hacking forum, exposing inflammatory and humorous messages intended for recipients. The breach stemmed from human error in a vulnerable script, which the company claimed was promptly fixed while asserting customer data was securely stored without retaining personal information. No extortion attempts occurred despite the unauthorized data disclosure.
Description
On or around August 11, 2022, ShitExpress, an anonymous fecal matter gifting service, suffered a data breach when a known threat actor exploited an SQL Injection vulnerability. The attacker, identified as Pompompurin—operator of the Breached.co hacking forum and a prominent hacker—had initially visited the site intending to send a prank fecal gift to cybersecurity researcher Vinny Troia. During this process, Pompompurin discovered and weaponized the vulnerability to extract the site’s entire customer database. The stolen records included customer email addresses, private messages composed by senders, and other unspecified personal data. Pompompurin subsequently leaked portions of the database on a hacking forum, exposing thousands of explicit, humorous, or hostile messages intended for recipients. Examples included messages referencing violence toward insects as metaphors for disdain and sarcastic acknowledgments of professional efforts. ShitExpress later attributed the breach to human error in a vulnerable script but did not disclose technical specifics of the flaw or the exact timeline of exploitation.

The breach compromised approximately 29,000 customer orders, revealing both sender messages and recipient contact details. ShitExpress confirmed the incident publicly, stating they addressed the vulnerability immediately upon discovery and asserted that no sensitive personal information beyond emails and messages was retained in their systems. The company emphasized its role as a prank service and that the attacker attempted no financial extortion. Exposed messages demonstrated the platform’s use for personal grievances and antagonistic humor, creating reputational risks for both senders and recipients. No evidence suggested financial data theft or downstream fraud linked to the breach. The attacker did not demand ransom from ShitExpress or its users, distinguishing the incident from financially motivated breaches. Operational impacts included temporary disruption while the flaw was patched, though the service resumed normal function shortly after mitigation. The event underscored vulnerabilities in niche online services with unconventional business models, particularly those handling interpersonal communications without robust security controls.
