Pizza Lovers Suffer Data Breach From Hell
netbuzz writes "Some 230,000 New Zealanders have been informed that their personal information has apparently fallen into the hands of hackers who compromised the network of a locally famous food chain, Hell Pizza. The company says it suspects 'a rogue employee,' but one security expert says Hell's ordering portal is 'about 50 steps of fail.' Several New Zealand celebrities are among the victims and at least one is taking the matter in stride, musing: 'My Twitter has been hacked, my Facebook has been hacked and I'm pretty sure half of New Zealand has my phone number already. I have nothing bad to say about Hell.'"
This reminds me of the time when I was 13. We had just got out of school and bicycled home. You know why? Because I, let me clarify _I_, had this new awesome game Lemmings. When we got to my house, I would fire up my Amiga and we would just laugh at the stupid lemmings jumping to their death if I didn't do something to stop them. Making them dig, guide others, or give them umbrellas - it was great.
The problem was that later on we obviously got hungry. This happened many times. Someone had to go get some food. Pizza was the obvious choice. But who would it be? I didn't want to. So we played a game of rock paper scissors. Damn, I lost. I tried to have another round, but they didn't let me. There was nothing I could do.
I had to get up my ass and go get pizza. I asked my friends what they wanted. Adam said he wanted a delicious Pepperoni pizza. Jim said he wanted a Hawaiian pan pizza. I tried to remember their choices and took my bike. On the way over to the restaurant I tried to think what I wanted. Supreme pizza, double-cheese or maybe double bacon cheeseburger pizza?
I arrived at the pizza place. The taste was beautiful. I felt like I was home. I walked in and ordered three large pizzas, mine being the double bacon cheeseburger pizza. I felt so hungry. I just wanted to grab the pizza and eat. When the pizzas came, I had to eat there. I also took a few pieces of my friends' pizzas because I wanted to taste them. Man, I was happy.
Back then we didn't have credit cards, so I paid with the small amount of money that was in my pocket. No problems for the vendor, no problems for me, and everything worked great. The lesson being - pay with cash.
Shouldn't they be audited routinely if they conduct business online?
I'd hate it if half of New Zealand knew how much pizza I eat.
Or is the anonymous celeb indicating that he uses the same u/p for every single website he visits? Were that the case, it'd be interesting to see what other websites he/she has signed up for that haven't been compromised. I've heard you can't teach an old dog new tricks...
This isn't news.
Their server would execute any SQL query sent to it. The SQL queries were hard coded into the Flash objects they used.
My Twitter has been hacked, my Facebook has been hacked...
And hopefully he learned not to use the same password everywhere.
Hope it was a helluva good pizza.
It wasn't until I'd consumed it that I realized what was happening. Tom heartily recommended the new bread-disc, imploring I buy it with gusto:
"Pete this triple layer, cheese, anchovy, jalapeno, ape and pepperoni monster will be the takeaway of your life. They put cayenne in the tomato puree and man...just buy it. Gotta be tasted to be believed."
It's hardly common for that man to grant such an endorsement, and the next day I phoned up and got a jumbo 14"; the guy over the phone even said, 'We think you're gonna love it' - nobody ever said that to me in my illustrious history of calling up for food to my door! My heart did a little jump of the sort you get when for just a moment you swear you found a premium Ron Jeremy classic clip, or Heaven 17's 'Temptation' starting to play at a club as you instinctively haul your drunken, middle-aged self onto the dance floor for some old school self-embarrassment for you and those around you - quality heartjumping you know?
I wasn't letting this occasion pass me by without making it memorable. I pulled out my deceased grandmother's candelabra and stuck it onto the table together with purple wax scented candles I'd gotten from some hippy place in Camden years back. As I lit them and the lavender hit my nostrils it only accentuated the splendid truth that the pizza would soon arrive...
I texted Tom and a few other friends on my HTC Android, saying that some detailed pics of my consuming the bread mass and topping would follow. A simple smiley emoticon from Tom was the reply, but Tim from sports desk said...
"Pete I don't even want to think about your wrinkled visage and yellow teeth digging into some pizza some guy told you was legendary. Get a grip or just put the pic on Facebook like any other conceited moron would. Or Digg...you'd probably get dugg 300 times minimum."
Bastard. Trying to rain on the parade - but there was the doorbell! I answered it, and a smiling young chap at the door said 'Hi that'll be £11.99 and here's a free bottle of Coke'.
I eagerly took the box and cola, handed over the exact change which was already prepared at the porch. The thought of the spicy clash of cayenne, jalapeno, salted ape and more was becoming less pleasant anticipation and more torture. I took my time putting the box by the table...relishing the prospect of chomping it down with abandon.
Then I opened the box...there was a 14 inch pizza but it was mere cheese and tomato! Cheese and tomato! That was it - bog-standard bullshit that I only bought in my student years due to financial stress!! An insult! Insult!
Like Tommy Wiseau in The Room I cried out a terrible and gargly cry and began a slow-paced trashing of my living room. The TV, a lovely Toshiba, went out of the window - my signed picture of Steven Jobs was smashed (later received a new frame), and I smeared the pizza over my sofa to devastating effect. The anger subsided...and although I managed to put together an omelette that night, these pizza woes will never leave me...I left a one-star review for the London Hell Pizza branch, and threatened legal action should my Android number ever find its way into some pranker's greasy mitts.
Immediately I spotted the SQL Queries being made by the Flash SWF as part of the query string to the server-side. The Flash client makes queries which are hard-coded in the .swf (this is dumb as it means SQL Injection is effectively a 'feature' of the store).
You could easily alter the query string to show the hashes stored in the MySQL users table. I figured out the version of MySQL was 4.0 (Debian Sarge) - and the hashes in this version are very weak, cracking them would take less than a couple of hours.
MySQL was listening on a remote port, so one could simply log in remotely and run queries or dump the database slowly so as to not be noticed.
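The two handler styles the comment contrasts, as an added example (not Hell Pizza's code; the tables, rows and request format are constructed for illustration): the first runs whatever SQL arrives in the request, the second keeps the SQL server-side and lets the client name only an allowed query plus typed parameters.

```python
"""Added example: the 'client sends the SQL' anti-pattern described in the
thread, beside a server-side fix. Schema and data are constructed."""
import sqlite3


def make_db():
    # Constructed sample data standing in for an ordering database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER, name TEXT, phone TEXT)")
    db.execute("CREATE TABLE orders (customer_id INTEGER, item TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                   [(1, "Alice", "021-000-0001"), (2, "Bob", "021-000-0002")])
    db.executemany("INSERT INTO orders VALUES (?, ?)",
                   [(1, "Pepperoni"), (1, "Hawaiian"), (2, "Supreme")])
    return db


def vulnerable_handler(db, params):
    # Anti-pattern from the thread: the client embeds the SQL and the server
    # executes whatever arrives in the query string, against any table.
    return db.execute(params["sql"]).fetchall()


# Hardened: the server owns every statement. The client names a query and
# supplies parameters, which are type-checked and bound, never concatenated.
ALLOWED_QUERIES = {
    "orders_for_customer": ("SELECT item FROM orders WHERE customer_id = ?", (int,)),
}


def hardened_handler(db, params):
    try:
        sql, types = ALLOWED_QUERIES[params["q"]]
    except KeyError:
        raise ValueError("unknown query")
    args = params.get("args", [])
    if len(args) != len(types):
        raise ValueError("wrong argument count")
    # Coercion raises ValueError on anything that is not a clean integer.
    bound = tuple(t(a) for t, a in zip(types, args))
    return db.execute(sql, bound).fetchall()
```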
Who are they employing as security experts to use such an uncouth catchphrase in a serious discussion of security? Or has the spread of unfunny nerd culture spread so far into the ranks of the professional geek?
We invented nuclear physics you insensitive clod! http://en.wikipedia.org/wiki/Ernest_Rutherford
Maybe using that credit card number as a Twitter password wasn't such a good idea after all.
They play a pretty mean game of rugby... or so I've heard.
I will get my ass off your lawn immediately, SIR!!!!
This is a hacked account, for which the owner can not be held responsible.
The original breach was at least one year ago, but Hell chose to ignore it. Whoever made their website allowed SQL code to be run from the url.
Here's a blog by the owner of the geekzone forum that initially discovered the problem (because someone received spam from a disposable email address they used with the company).
It's actually brilliant pizza -- easily the best pie I've ever had outside of the USA (or Italy). Inventive topping combinations and skillfully made. I wish they'd open a franchise here in California.
I don't know if New York-style pizza can properly be called "pizza" by the definition most other places use. I like to think of it more as a highly efficient grease delivery system.
I wouldn't be in such a hurry to claim the Rutherford atom. I can't think of too many ideas (that won't go away from the popular imagination) that are the source of more wrong thinking. It's one of those ideas that actually impedes understanding.
No folly is more costly than the folly of intolerant idealism. - Winston Churchill
They play a pretty mean game of rugby...
Groups of large, sweaty, scantily-clad men gathering together for "energetic" group hugs?
"I don't know, therefore Aliens" Wafflebox1
I received an email from Hell just under a week ago:
"Dear Valued Hell Customer,
We have been approached by a party claiming to be in possession of customer details from the previous Hell website which is no longer in operation. The samples that we received included details of four customers from 2006, including phone numbers and email addresses and order information. We can confirm that credit card data was not at risk as this is held independently on a secure banking website.
Whilst we are still investigating the matter, we can confirm that the information was obtained without our knowledge and we have approached the New Zealand Police with a view to lodging a formal complaint."
They were upfront and open to their clients about the data breach, in a world where most corporates prefer the 'duck and hide' tactic. I appreciated their honesty, and will continue to shop there.
Hell Pizza may suck on the security front (as evidenced by this story), but I have to say they make the best pizza I've ever had, anywhere... and that's a fairly ringing endorsement since I've eaten pizza on pretty much every continent on earth (including classic Italian pizza in Italy, New York pizza in New York, and so on).
It's also worth pointing out that while their security may suck, their web design is pretty awesome... Just playing with the cute little devils on their website is a great time filler while you wait for your delivery.
My book about LSD and Self-Discovery
Also on facebook as: DroppingAcidDaleBewan
You either new or slow. You in CA. Let me give you some advice - switch over to tacos and burritos. You ain't gonna get decent pizza out here. Tacos and burritos here, though, are awesome. Tell him to hold the beans.
BTW, I love NY pizza - the sloppy, saucy, greasy slices. But midwest does the greasy grub best. Either way, you ain't getting it in loony Cali.
Sadly, this isn't the only computer system security SNAFU. It isn't often that you hear about it, but many of the systems I have seen are security WTFs. I continue to be amazed at how little some programmers understand about their trade, and I just don't have words for people who think the security of their computer systems isn't important. Getting a system that is completely secure may be too much to expect, but the least you can do is not make it easy for someone to walk right in and do whatever they want with your data after 5 minutes of observing the publicly accessible part of your system!
Please correct me if I got my facts wrong.
IMHO, Cicero's Pizza in San Jose has probably the best NY-style pizza outside of NY.
I'm not saying that I like all my information shared, but if they know my favourite pizza the worst case scenario is they send me one, I will wipe away the tears as I eat it.
At least it deposed the plum-pudding model
support your local hooker. (look up rugby positions)
they only paid for low grade security and three sixes of uptime.
Good pizza though at the branches near me on the west island.
Uh, that's how everyone does it in Europe (as far as I know, I haven't eaten pizza in _all_ European countries).
Some non-Europeans seem to be rather... irritated by that though.
The email that I received from them:
"Dear Valued Hell Customer,
We have been approached by a party claiming to be in possession of customer details from the previous Hell website which is no longer in operation. The samples that we received included details of four customers from 2006, including phone numbers and email addresses and order information. We can confirm that credit card data was not at risk as this is held independently on a secure banking website.
Whilst we are still investigating the matter, we can confirm that the information was obtained without our knowledge and we have approached the New Zealand Police with a view to lodging a formal complaint. Hell recognises the importance of protecting customer information and additional security measures were implemented earlier this year when our new website was rolled out (again, we reiterate that this is not an issue affecting the new website). As a further security measure you may wish to consider changing your passwords on other sites if they were the same as the old Hell Pizza website.
We apologise for the incident and any inconvenience that this may have caused.
Sincerely,
Stu McMullin – Director Hell Pizza
We acknowledge that some of you have asked to be removed from the database and we have only included you for the purposes of this notification. "
With the RFC'd angel bit on top?
Hell Pizza may suck on the security front (as evidenced by this story), but I have to say they make the best pizza I've ever had, anywhere... and that's a fairly ringing endorsement since I've eaten pizza on pretty much every continent on earth
I'm guessing they have frozen pizza in Antarctica ;)
Hells are ok, I see they say they have Australian stores - but I can't find where any of them are...
Oh well, lucky we have Crust.
...is why the hell some outfits feel the need to collect that much information about you just to sell you some food. After all, it doesn't make them a single extra sale. If you're not hungry, you're not going to buy a pizza.
Any shop that tries to get that kind of information out of me gets a flat refusal. Likewise, any venue that tries to take my fingerprints or iris scan.
When the world ends, there will not be any more ingredients for Pizza, nor any bricks to build an oven or wood to fire it. Which doesn't matter, because there will also not be any belly to be filled either.
The Tao of math: The numbers you can count are not the real numbers.
Main thing is the passwords. Ok, for the celeb also the phone number. The whole thing is that AGAIN they apparently had the passwords saved in plain text.
You could blame all the people who use the same passwords for many things and refuse to have a different password for each and every site they visit. I blame the people who have passwords in plain text saved. If that would not have happened, this would have been a non-issue story.
Don't fight for your country, if your country does not fight for you.
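Salted, iterated password storage with a migrate-on-login path for legacy plaintext rows, as an added example of the fix the comment above is asking for (not Hell Pizza's code; the `plain$` legacy record format and the iteration count are this example's own assumptions).

```python
"""Added example: PBKDF2-HMAC-SHA256 password records with constant-time
verification and upgrade of legacy plaintext rows at next login."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; raise as hardware gets faster


def hash_password(password, salt=None, iterations=ITERATIONS):
    # Fresh random salt per record so equal passwords never share a hash.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password, record):
    # Constructed legacy format: "plain$<password>" marks a plaintext row
    # inherited from the old database; it still verifies, but only so the
    # login path below can replace it.
    if record.startswith("plain$"):
        legacy = record[len("plain$"):].encode()
        return hmac.compare_digest(legacy, password.encode())
    algo, iters, salt_b64, digest_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), base64.b64decode(salt_b64), int(iters)
    )
    # Constant-time compare avoids leaking how many bytes matched.
    return hmac.compare_digest(actual, base64.b64decode(digest_b64))


def needs_rehash(record):
    # Plaintext rows and records made with an older work factor get upgraded.
    return not record.startswith("pbkdf2_sha256$%d$" % ITERATIONS)


def login(store, user, password):
    record = store.get(user)
    if record is None or not verify_password(password, record):
        return False
    if needs_rehash(record):
        store[user] = hash_password(password)  # only possible while we hold the cleartext
    return True
```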
Troll, I know, but what is with this calling of pizza "pie"?
http://www.google.co.nz/images?hl=en&source=imghp&biw=1280&bih=782&q=pie&gbv=2&aq=f&aqi=&aql=&oq=&gs_rfai=
Yeah. The Mordor and Unearthly (dessert pizza!) are simply superb. Many a late night spent gaming powered by that combo - just what you need for the freshly-minted Starcraft II.
Say what? Is it the 1990s again?
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
And for a list of soon to be hacked sites, please see their client page.
"Tonight we dine in HEAVEN!!!" just doesn't have the same ring to it.
Against stupidity the gods themselves contend in vain.
Can you imagine the roll call?
Thompson, you got the banking industry, now make sure you are NOT distracted by those luscious red-headed twins they will send after you or for god sakes, say NO to the bulging envelopes of cash.
William, you got the pizza place down the block. And for god sakes, stay away from their cousin Agnes, she fancies you and the last guy was crushed to death when she jumped on him. Oh, you are a slashdot reader? Then this might be your only chance.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
"about 50 steps of fail"? Why did he miss the opportunity to describe it as "abandon all hope, ye who enter here"?
I am officially gone from
I continue to be amazed at how little some programmers understand about their trade
What makes you think programming is different from any other profession?
You'd be amazed at how many "professionals" have absolutely no idea what they're doing, in any industry!
Spoon not. Fork, or fork not. There is no spoon.
BTW their pizza sucks. the stores have this cheapo Goth theme decorated with that cheap Halloween crap from those seasonal costume stores.
And the pizza is worse than the worst Dominoes you ever had.. poor Kiwis have to suffer poor pizza and poor security.
Flight of the Conchords taught me that kiwis are still using Commodore 64's and dialup. YOU LIED TO ME, BRETT AND JERMAINE!
SJW: Someone who has run out of real oppression, and has to fake it.
It could be about the fact that there are various ingredients stacked on a dough.
This is totally insecure, but very convenient.
I'm disappointed - why no gratuitous mention of Snow Crash in this thread?
http://www.acetonestudio.com
Is it just me or does it seem to be getting more socially acceptable for all of our information to get hacked. Even wikileaks is getting in on it. Starting to think that maybe I should get rid of all my online accounts and hide my money out back in a hole.
Pretty sure the website in use at the time (2006) was designed by a different company. I recall it being called Spikefin, but their website seems to have disappeared so I can't confirm it is the company I am thinking of.
Rutherford did far more than merely develop his model of the atom. He is undisputedly the father of nuclear physics.
It should be obvious that it's for tax purposes and to defeat illegal activity connected with gambling (money laundering).
Tax information is collected automatically here and so are your taxes. Any income from gambling is obviously taxable as well, so the government needs a way to collect that information.
Gambling is strictly regulated in the Scandinavian countries and Finland. We don't like gambling [politically] and it's not wide spread.
I don't think we even have a casino in Norway at all, the lottery is state run and private gambling outfits are banned. It's only a tax on stupid people anyway, I think my government is right to ban it. However if you want to blow your money on horse races you're free to do so.
Inject Design made their new site, the original site that was hacked was done by a company called Spikefin.