Slashdot Mirror

← Back to Stories (view on slashdot.org)

Pizza Lovers Suffer Data Breach From Hell

Posted by samzenpus on from the hell-of-a-breach dept.

netbuzz writes "Some 230,000 New Zealanders have been informed that their personal information has apparently fallen into the hands of hackers who compromised the network of a locally famous food chain, Hell Pizza. The company says it suspects 'a rogue employee,' but one security expert says Hell's ordering portal is 'about 50 steps of fail.' Several New Zealand celebrities are among the victims and at least one is taking the matter in stride, musing: 'My Twitter has been hacked, my Facebook has been hacked and I'm pretty sure half of New Zealand has my phone number already. I have nothing bad to say about Hell.'"

4 of 164 comments (clear)

  1. SQL Injection by Anonymous Coward · · Score: 4, Informative

    This isn't news.

    Their server would execute any SQL query sent to it. The SQL queries were hard coded into the Flash objects they used.

  2. Risky.Biz Explaination by SJ2000 · · Score: 4, Informative
    Risky.Biz

    Immediately I spotted the SQL Queries being made by the Flash SWF as part of the query string to the server-side. The Flash client makes queries which are hard-coded in the .swf (this is dumb as it means SQL Injection is effectively a 'feature' of the store). You could easily alter the query string to show the hashes stored in the MySQL users table. I figured out the version of MySQL was 4.0 (Debian Sarge) - and the hashes in this version are very weak, cracking them would take less than a couple of hours. MySQL was listening on a remote port, so one could simply log in remotely and run queries or dump the database slowly so as to not be noticed.

  3. Old news, except for Hell by tbird81 · · Score: 5, Informative

    The original breech was at least one year ago, but Hell chose to ignore it. Whoever made their website allowed SQL code to be run from the url.

    Here's a blog by the owner of the geekzone forum that initially discovered the problem (because someone received spam from a disposable email address they used with the company.

  4. at least they were upfront about it by Anonymous Coward · · Score: 5, Informative

    I received an email from Hell just under a week ago:

    "Dear Valued Hell Customer,

    We have been approached by a party claiming to be in possession of
    customer details from the previous Hell website which is no longer in
    operation. The samples that we received included details of four customers
    from 2006, including phone numbers and email addresses and order
    information. We can confirm that credit card data was not at risk as this
    is held independently on a secure banking website.

    Whilst we are still investigating the matter, we can confirm that the
    information was obtained without our knowledge and we have approached the
    New Zealand Police with a view to lodging a formal complaint."

    They were upfront and open to their clients about the data breach, in a world where most corporates prefer the 'duck and hide' tactic. I appreciated their honesty, and will continue to shop there.