Slashdot Mirror
Pizza Lovers Suffer Data Breach From Hell
netbuzz writes "Some 230,000 New Zealanders have been informed that their personal information has apparently fallen into the hands of hackers who compromised the network of a locally famous food chain, Hell Pizza. The company says it suspects 'a rogue employee,' but one security expert says Hell's ordering portal is 'about 50 steps of fail.' Several New Zealand celebrities are among the victims and at least one is taking the matter in stride, musing: 'My Twitter has been hacked, my Facebook has been hacked and I'm pretty sure half of New Zealand has my phone number already. I have nothing bad to say about Hell.'"
This reminds me of the time when I was 13. We had just got out of school and bicycled home. You know why? Because I, let me clarify _I_, had this new awesome game Lemmings. When we got to my house, I would fire up my Amiga and we would just laugh at the stupid lemmings jumping to their death if I didn't do something to stop them. Making them dig, guide others, or give them umbrellas - it was great.
The problem was that later on we obviously got hungry. This happened many times. Someone had to go get some food. Pizza was the obvious choice. But who would it be? I didn't want to. So we played a game of rock paper scissors. Damn, I lost. I tried to have an another round, but they didn't let me. There was nothing I could do.
I had to get up my ass and go get pizza. I asked my friends what they wanted. Adam said he wanted a delicious Pepperoni pizza. Jim said he wanted a Hawaiian pan pizza. I tried to remember their choices and took my bike. On the way over to the restaurant I tried to think what I want. Supreme pizza, double-cheese or maybe double bacon cheeseburger pizza?
I arrived at the pizza place. The taste was beautiful. I felt like I was home. I walked in and ordered three large pizzas, mine being the double bacon cheeseburger pizza. I felt so hungry. I just wanted to grab the pizza and eat. When the pizzas came, I had to eat there. I also took a few pieces of my friends pizzas because I wanted to taste them. Man I was happy.
Back then we didn't have credit cards, so I paid with the small amount of money that was in my pocket. No problems for the vendor, no problems for me, and everything worked greatly. The lesson being - pay with cash.
I'd hate it if half of New Zealand knew how much pizza I eat.
This isn't news.
Their server would execute any SQL query sent to it. The SQL queries were hard coded into the Flash objects they used.
Immediately I spotted the SQL Queries being made by the Flash SWF as part of the query string to the server-side. The Flash client makes queries which are hard-coded in the .swf (this is dumb as it means SQL Injection is effectively a 'feature' of the store).
You could easily alter the query string to show the hashes stored in the MySQL users table. I figured out the version of MySQL was 4.0 (Debian Sarge) - and the hashes in this version are very weak, cracking them would take less than a couple of hours.
MySQL was listening on a remote port, so one could simply log in remotely and run queries or dump the database slowly so as to not be noticed.
No, he's saying that all of the otherwise-reputable companies he trusts have been letting him down lately because of their poor internet security. Facebook? Sucks. Hell Pizza? A big chain, i presume, and sucky security, obviously. Twitter? I don't know, but I don't trust them with anything important. Lots of banks, a ton of universities, and many other entities of various sizes expose you to risks such as identity theft. Strong, unique passwords are a no-brainer, but you can't protect yourself if the sites you trust expose your info to every script kiddie and 1337 hax0r who comes along. But I suppose knowing who the "celebrity" (quotes because we are talking about New Zealand) is, and thus how likely to be targeted he or she is.
This is a hacked account, for which the owner can not be held responsible.
The original breech was at least one year ago, but Hell chose to ignore it. Whoever made their website allowed SQL code to be run from the url.
Here's a blog by the owner of the geekzone forum that initially discovered the problem (because someone received spam from a disposable email address they used with the company.
I don't know if New York-style pizza can properly be called "pizza" by the definition most other places use. I like to think of it more as a highly efficient grease delivery system.
the "celebrity" (quotes because we are talking about New Zealand)
Its obviously Russell Crowe
http://michaelsmith.id.au
I received an email from Hell just under a week ago:
"Dear Valued Hell Customer,
We have been approached by a party claiming to be in possession of
customer details from the previous Hell website which is no longer in
operation. The samples that we received included details of four customers
from 2006, including phone numbers and email addresses and order
information. We can confirm that credit card data was not at risk as this
is held independently on a secure banking website.
Whilst we are still investigating the matter, we can confirm that the
information was obtained without our knowledge and we have approached the
New Zealand Police with a view to lodging a formal complaint."
They were upfront and open to their clients about the data breach, in a world where most corporates prefer the 'duck and hide' tactic. I appreciated their honesty, and will continue to shop there.
Okay but how can you make a non-technical customer pay for security? They will go to the cheapest vendor and pay later when it stuffs up.
http://michaelsmith.id.au
Comment removed based on user account deletion
...is why the hell some outfits feel the need to collect that much information about you just to sell you some food. After all, it doesn't make them a single extra sale. If you're not hungry, you're not going to buy a pizza.
Any shop that tries to get that kind of information out of me gets a flat refusal. Likewise, any venue that tries to take my fingerprints or iris scan.